[Snort-users] Ignoring arbitrary ports for certain rules
AJ Butcher, Information Systems and Computing
Alex.Butcher at ...11254...
Thu May 20 03:38:01 EDT 2004
I'm finding that a lot of our false positives are being caused by probable
P2P traffic and so I'd like to disable certain rules if they come from, or
go to well-known P2P ports. I know I could do this over the entire snort
ruleset by using a BPF filter, but I'd prefer not to do that unless there's
no other way.
Essentially, I'd like to do something like:
var P2P_PORTS [5541,6346:6352,6881:6884]
and then use something like:
alert tcp any !P2P_PORTS <> $HOME_NET !P2P_PORTS ...
I can't seem to find any syntax (spaces, commas, square brackets) to allow
this, and in fact, I suspect it isn't possible. Can anyone confirm or deny
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
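The rule header the post sketches, with a bracketed port list, `low:high` ranges, `!` negation and the bidirectional `<>` operator, can be modelled outside Snort to check which flows the intended exclusion would and would not suppress before committing it to a ruleset. The matcher below is an added example, not code from the post or from Snort; whether Snort itself accepts this list syntax is exactly the question the post asks, and the function names `parse_port_spec`, `port_matches`, `flow_matches` and the `VARS` table are this example's own.

```python
# Hypothetical port-list matcher modelling the header semantics from the post.
# Not Snort's parser: it only exercises the intended logic against sample flows.
VARS = {"P2P_PORTS": "[5541,6346:6352,6881:6884]"}  # the list from the post


def expand(spec):
    """Replace $NAME (or a bare NAME that is a known var) with its definition."""
    neg = spec.startswith("!")
    body = spec[1:] if neg else spec
    body = VARS.get(body.lstrip("$"), body)
    return ("!" if neg else "") + body


def parse_port_spec(spec):
    """Return (negated, ports) where ports is a set, or None meaning 'any'."""
    spec = expand(spec.strip())
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    body = spec[1:-1] if spec.startswith("[") and spec.endswith("]") else spec
    ports = set()
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")       # "6346:6352" -> range, "5541" -> single
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port item: %r" % item)
        ports.update(range(lo, hi + 1))
    return negated, ports


def port_matches(spec, port):
    """True if a single port satisfies the spec, honouring a leading '!'."""
    negated, ports = parse_port_spec(spec)
    hit = True if ports is None else port in ports
    return hit != negated


def flow_matches(src_spec, dst_spec, sport, dport, bidirectional=True):
    """Model 'tcp <src_spec> <dst_spec>' joined by '<>' (or '->' if not bidirectional)."""
    forward = port_matches(src_spec, sport) and port_matches(dst_spec, dport)
    if not bidirectional:
        return forward
    reverse = port_matches(src_spec, dport) and port_matches(dst_spec, sport)
    return forward or reverse
```

Run `flow_matches("!$P2P_PORTS", "!$P2P_PORTS", 80, 6882)` to see a flow touching a listed port excluded on either side of the `<>` header, while ordinary port pairs still match.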