[Snort-users] pb with ports...

Matt Kettler mkettler at ...4108...
Tue May 20 13:47:09 EDT 2003


No, as per the documentation you cannot do lists of ports...

You can do a port (80), a range (80:90), a negation of a port (!80), or a 
negation of a range (!80:90)...

That's all.. No lists, lists of negations, or negated lists are supported 
for port numbers in rules.

Also of note, IP addresses do support comma separated lists, however the 
basic construct that you used would fail there too, but could actually be 
written to do what you want, instead of what you said.

[!192.168.1.1/32,!192.168.0.1/32]

Is logically the same as "any" because you've goofed up the position of the 
negation... The only time the above statement would not match is if the 
address of the packet was both 192.168.1.1 and 192.168.0.1 at the same 
time, which is impossible.

What you would really want is
![192.168.1.1/32,192.168.0.1/32]

Which will match everything that isn't those two IP addresses...

It's a DeMorgan's theorem thing... NOT A or NOT B is the same as NOT (A AND 
B)... which is what the first case amounts to.

But alas, this construct isn't supported for ports, only IPs.



At 03:31 PM 5/20/2003 +0200, phelles wrote:
>hi everyone!!
>i was wondering: is it possible to apply a rule except on 2 or 3
>different ports?
>it could be something like:
>
>
>alert tcp $HOME_NET any -> $EXTERNAL_NET !8080 !5000 (msg:"test";
>flow:to_server,established; resp:rst_all; content:"test "; offset:0;
>depth:4; classtype:misc-activity; sid:66000; rev:3;)
>
>but it doesn't work.
>Thanks in advance!!
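To make the negation point concrete, here is a small Python model of the address and port field syntax discussed above. It is an added example, not code from the post or from Snort itself; it assumes that comma-separated list elements are OR'd together and that a leading `!` outside the brackets negates the whole list (the behaviour Matt describes), it only accepts the four port forms he lists (a single port, a range, and the negation of either), and it does not expand `$HOME_NET`-style variables.

```python
import ipaddress

# Model of the Snort address/port field semantics described in the post.
# Assumption (not Snort's parser): list elements are OR'd, and a '!' placed
# before the opening '[' negates the result of the whole list.


def parse_ip_field(field):
    """Return (negate_whole_list, [(negated, network), ...]) for a field such as
    '192.168.1.1/32', '[!a,!b]' or '![a,b]'."""
    field = field.strip()
    negate_all = field.startswith("!")
    if negate_all:
        field = field[1:]
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    entries = []
    for item in field.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        # strict=False lets a bare host address stand in for a /32
        entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return negate_all, entries


def ip_matches(field, addr):
    """True if addr is matched by the address field."""
    negate_all, entries = parse_ip_field(field)
    a = ipaddress.ip_address(addr)
    # each element is '(addr in net) XOR element-negation'; elements are OR'd
    hit = any((a in net) != negated for negated, net in entries)
    # a leading '!' before the list flips the combined result
    return hit != negate_all


def port_field_is_valid(field):
    """Only the four forms from the post: 80, 80:90, !80, !80:90.
    Whitespace- or comma-separated lists and brackets are rejected."""
    field = field.strip()
    if field.startswith("!"):
        field = field[1:]
    if any(ch in field for ch in " ,[]!"):
        return False
    lo, sep, hi = field.partition(":")
    return lo.isdigit() and (not sep or hi.isdigit())


def port_matches(field, port):
    """True if port is matched by the port field; raises ValueError on a list."""
    if not port_field_is_valid(field):
        raise ValueError("port lists are not supported: %r" % field)
    field = field.strip()
    negated = field.startswith("!")
    if negated:
        field = field[1:]
    lo, sep, hi = field.partition(":")
    hit = int(lo) <= port <= int(hi) if sep else port == int(lo)
    return hit != negated


if __name__ == "__main__":
    wrong = "[!192.168.1.1/32,!192.168.0.1/32]"   # negation inside the list
    right = "![192.168.1.1/32,192.168.0.1/32]"    # negation of the whole list
    for addr in ("192.168.1.1", "192.168.0.1", "10.0.0.5"):
        print(addr, "wrong:", ip_matches(wrong, addr), "right:", ip_matches(right, addr))
    print("'!8080 !5000' valid port field?", port_field_is_valid("!8080 !5000"))
```

Running it shows the `[!a,!b]` form matching every address, including both listed ones, while `![a,b]` excludes exactly those two, and the `!8080 !5000` construct from the original question being rejected as a list.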
