[Snort-users] multiple ports in rule
bryan.irvine at ...9066...
Wed Dec 17 10:20:02 EST 2003
I enabled checking of p2p rules, and this morning I had 8,500 alerts of
p2p GNUTella GET, which turned out to all be to the mail server.
I looked at the offending rule, which looks like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432; rev:3;)
Is there a way to specify not to use port 25 either?
i.e. [!80 !25] or something?
This is snort v 2.0.1 by the way.