[Snort-users] pb with ports...

Glenn Forbes Fleming Larratt glratt at ...604...
Tue May 20 14:39:08 EDT 2003


Now you could, I think, get what you're after thus:

# Each rule needs its own sid, since Snort rejects duplicate sid/gid pairs.
# The last range starts at 8081 so that port 8080 itself stays excluded,
# and depth is set to 5 because the content "test " is five bytes long.
alert tcp $HOME_NET any -> $EXTERNAL_NET 0:4999 (msg:"test"; \
 flow:to_server,established; resp:rst_all; content:"test "; offset:0; \
 depth:5; classtype:misc-activity; sid:66000; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5001:8079 (msg:"test"; \
 flow:to_server,established; resp:rst_all; content:"test "; offset:0; \
 depth:5; classtype:misc-activity; sid:66001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081:65535 (msg:"test"; \
 flow:to_server,established; resp:rst_all; content:"test "; offset:0; \
 depth:5; classtype:misc-activity; sid:66002; rev:3;)

Doesn't scale or extend very well, but it ought to work.

	-g


On Tue, 20 May 2003, Matt Kettler wrote:

> No, as per the documentation you cannot do lists of ports...
>
> You can do a port (80), a range (80:90) , a negation of a port (!80), or a
> negation of a range (!80:90)...
>
> That's all.. No lists, lists of negations, or negated lists are supported
> for port numbers in rules.
>
> Also of note, IP addresses do support comma separated lists, however the
> basic construct that you used would fail there too, but could actually be
> written to do what you want, instead of what you said.
>
> [!192.168.1.1/32,!192.168.0.1/32]
>
> Is logically the same as "any" because you've goofed up the position of the
> negation... The only time the above statement would not match is if the
> address of the packet was both 192.168.1.1 and 192.168.0.1 at the same
> time, which is impossible.
>
> What you would really want is
> ![192.168.1.1/32,192.168.0.1/32]
>
> Which will match everything that isn't those two IP addresses...
>
> It's a DeMorgan's theorem thing... NOT A or NOT B is the same as NOT (A AND
> B)... which is what the first case amounts to.
>
> But alas, this construct isn't supported for ports, only IP's.
>
>
>
> At 03:31 PM 5/20/2003 +0200, phelles wrote:
> >hi everyone!!
> >i was wondering: is it possible to apply a rule except on 2 or 3
> >different ports?
> >it could be something like:
> >
> >
> >alert tcp $HOME_NET any -> $EXTERNAL_NET !8080 !5000 (msg:"test";
> >flow:to_server,established; resp:rst_all; content:"test "; offset:0;
> >depth:4; classtype:misc-activity; sid:66000; rev:3;)
> >
> >but it doesn't work.
> >Thanks in advance!!
>
>
>

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...
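The "split the port space into ranges" workaround above is one instance of a general algorithm, and the DeMorgan point in Matt's reply is easy to get wrong by hand. The following is an added example, not code from the original post or from the Snort project: it computes the complement of an excluded port set as a list of Snort-style ranges, emits one rule per range with a distinct sid, and checks the two IP-list negation forms. The rule body, the sid base and the sample ports are constructed values.

```python
"""Generate Snort 2.x rules that cover every TCP port except an excluded set.

Added example, not part of the mailing-list post. Snort port specifications
accept a single port, a range (lo:hi), or a negation of either, but not lists,
so excluding several ports means splitting 0:65535 into the ranges that remain
and emitting one rule per range. RULE_BODY and the sid base are sample values.
"""

# Constructed sample rule body (no sid/rev; those are appended per rule).
RULE_BODY = ('msg:"test"; flow:to_server,established; resp:rst_all; '
             'content:"test "; offset:0; depth:5; classtype:misc-activity;')


def complement_ranges(excluded, lo=0, hi=65535):
    """Return sorted (start, end) ranges within [lo, hi] that avoid every
    port in `excluded`. Adjacent excluded ports collapse into one gap."""
    ranges = []
    start = lo
    for port in sorted(set(excluded)):
        if port < lo or port > hi:
            raise ValueError(f"port {port} outside {lo}:{hi}")
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def port_spec(start, end):
    """Render a range in Snort syntax; a single port needs no colon."""
    return str(start) if start == end else f"{start}:{end}"


def snort_rules(excluded, sid_base, src="$HOME_NET", dst="$EXTERNAL_NET",
                body=RULE_BODY):
    """One rule per surviving range, each with a unique sid (Snort rejects
    duplicate sid/gid pairs)."""
    rules = []
    for i, (start, end) in enumerate(complement_ranges(excluded)):
        rules.append(f"alert tcp {src} any -> {dst} {port_spec(start, end)} "
                     f"({body} sid:{sid_base + i}; rev:1;)")
    return rules


def covers_except(excluded, ranges):
    """Sanity check: every port 0..65535 falls in exactly one range unless it
    is excluded, in which case it falls in none."""
    excl = set(excluded)
    hits = [0] * 65536
    for s, e in ranges:
        for p in range(s, e + 1):
            hits[p] += 1
    return all(hits[p] == (0 if p in excl else 1) for p in range(65536))


def each_negated_matches(addr, ips):
    """Semantics of [!a,!b]: a list matches when ANY element matches, so this
    is (addr != a) or (addr != b), which is true for every addr once the list
    has two or more distinct entries."""
    return any(addr != ip for ip in ips)


def negated_list_matches(addr, ips):
    """Semantics of ![a,b]: NOT (addr == a or addr == b), i.e. addr not in ips."""
    return addr not in ips


if __name__ == "__main__":
    for rule in snort_rules([8080, 5000], 66000):
        print(rule)
    # DeMorgan check from the thread, using the two addresses quoted there.
    ips = ["192.168.1.1", "192.168.0.1"]
    print(each_negated_matches("192.168.1.1", ips))   # True: [!a,!b] is "any"
    print(negated_list_matches("192.168.1.1", ips))   # False: ![a,b] excludes a
```

Running it for the two ports in the original question yields the ranges 0:4999, 5001:8079 and 8081:65535, and `covers_except` confirms that no port is covered twice or dropped by accident, which is the mistake most easily made when the ranges are typed by hand.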




