[Snort-users] pb with ports...
mkettler at ...4108...
Tue May 20 13:47:09 EDT 2003
No, as per the documentation you cannot do lists of ports...
You can do a port (80), a range (80:90), a negation of a port (!80), or a
negation of a range (!80:90)...
That's all.. No lists, lists of negations, or negated lists are supported
for port numbers in rules.
Also of note, IP addresses do support comma separated lists, however the
basic construct that you used would fail there too, but could actually be
written to do what you want, instead of what you said.
Is logically the same as "any" because you've goofed up the position of the
negation... The only time the above statement would not match is if the
address of the packet was both 192.168.1.1 and 192.168.0.1 at the same
time, which is impossible.
What you would really want is
Which will match everything that isn't those two IP addresses...
It's a DeMorgan's theorem thing... NOT A or NOT B is the same as NOT (A AND
B)... which is what the first case amounts to.
But alas, this construct isn't supported for ports, only IPs.
At 03:31 PM 5/20/2003 +0200, phelles wrote:
>i was wondering: is it possible to apply a rule except on 2 or 3
>it could be something like:
>alert tcp $HOME_NET any -> $EXTERNAL_NET !8080 !5000 (msg:"test";
>flow:to_server,established; resp:rst_all; content:"test "; offset:0;
>depth:4; classtype:misc-activity; sid:66000; rev:3;)
>but it doesn't work.
>Thanks in advance!!
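
The reply's De Morgan point and one way around the port limitation, as an added example that is not part of the original thread. The function names, the 10.0.0.5 sample address and the idea of splitting the exclusion into separate range rules are assumptions; the two 192.168 addresses, ports 8080 and 5000, and the `low:high` range syntax come from the messages above.

```python
import ipaddress

# The two addresses named in the reply above.
EXCLUDED_IPS = ["192.168.1.1", "192.168.0.1"]


def any_negated(addr, excluded):
    """Negation on each element: (addr != A) OR (addr != B) OR ...

    With two or more distinct addresses this is always true, which is
    why the reply calls the construct "logically the same as any".
    """
    a = ipaddress.ip_address(addr)
    return any(a != ipaddress.ip_address(e) for e in excluded)


def negated_list(addr, excluded):
    """Negation of the whole list: NOT (addr == A OR addr == B OR ...)."""
    a = ipaddress.ip_address(addr)
    return not any(a == ipaddress.ip_address(e) for e in excluded)


def port_complement(excluded, lo=0, hi=65535):
    """Return 'low:high' ranges covering every port except `excluded`.

    Only single ports and ranges are available for ports, so the
    exclusion is expressed as the ranges between the excluded ports.
    """
    ranges, start = [], lo
    for p in sorted(set(excluded)):
        if not lo <= p <= hi:
            raise ValueError(f"port out of range: {p}")
        if p > start:
            ranges.append((start, p - 1))
        start = max(start, p + 1)
    if start <= hi:
        ranges.append((start, hi))
    return [str(a) if a == b else f"{a}:{b}" for a, b in ranges]


if __name__ == "__main__":
    # 10.0.0.5 is a constructed sample address.
    for addr in EXCLUDED_IPS + ["10.0.0.5"]:
        print(addr, any_negated(addr, EXCLUDED_IPS),
              negated_list(addr, EXCLUDED_IPS))
    print(port_complement([8080, 5000]))
```

Each returned range would go into its own copy of the rule as the destination port, and each copy needs a distinct sid.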