[Snort-users] multiple ports in rule

Matt Kettler mkettler at ...4108...
Wed Dec 17 13:36:02 EST 2003


At 01:19 PM 12/17/2003, Bryan Irvine wrote:

>Is there a way to specify not to use port 25 either?
>
>ie [!80 !25] or something?
>
>This is snort v 2.0.1 by the way.

No..

ports can be single ports, ranges of ports, or negations of either. They 
can NOT be comma delimited lists. (At this time only IP addresses can be lists)


besides, even if you could do that [!80, !25] would be the same as "any"... 
you'd have meant to do ![80, 25]. There's a very important difference 
between the two in terms of boolean algebra...

be sure to make a note of it so you don't screw up your network range 
declarations, since IP addresses do support this syntax.







More information about the Snort-users mailing list