[Snort-users] Ignoring arbitrary ports for certain rules

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Thu May 20 03:38:01 EDT 2004


Hi -

I'm finding that a lot of our false positives are being caused by probable 
P2P traffic, and so I'd like to disable certain rules if they come from, or 
go to, well-known P2P ports. I know I could do this over the entire Snort 
ruleset by using a BPF filter, but I'd prefer not to do that unless there's 
no other way.

Essentially, I'd like to do something like:

var P2P_PORTS [5541,6346:6352,6881:6884]

and then use something like:

alert tcp any !P2P_PORTS <> $HOME_NET !P2P_PORTS ...

I can't seem to find any syntax (spaces, commas, square brackets) to allow 
this, and in fact, I suspect it isn't possible. Can anyone confirm or deny 
this?

Thanks,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
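The matching semantics the post sketches (a bracketed list of single ports and `lo:hi` ranges, a leading `!` that negates the whole list, and the predicate applied to both the source and destination side of a `<>` bidirectional header) written out as a small stand-alone matcher. This is an added illustration, not Snort code, and it says nothing about which Snort version accepts the `var`/`!` syntax asked about; the port list is the one from the post, and the sample packets are constructed here.

```python
"""Stand-alone port-list matcher illustrating the semantics in the post.

Not Snort's own code: it parses a Snort-style port list such as
"[5541,6346:6352,6881:6884]" into inclusive ranges, honours a leading "!"
as negation of the whole list, and evaluates the header
    alert tcp any !P2P_PORTS <> $HOME_NET !P2P_PORTS
against (src_port, dst_port) pairs to show which packets it would skip.
"""
from dataclasses import dataclass
from typing import List, Tuple

# The port list from the original post (constructed input for this example).
P2P_PORTS = "[5541,6346:6352,6881:6884]"


@dataclass(frozen=True)
class PortSpec:
    """A parsed port expression: a set of inclusive ranges, optionally negated."""
    ranges: Tuple[Tuple[int, int], ...]
    negated: bool = False
    any_port: bool = False

    def matches(self, port: int) -> bool:
        if self.any_port:
            return True
        hit = any(lo <= port <= hi for lo, hi in self.ranges)
        return (not hit) if self.negated else hit


def parse_port_spec(text: str) -> PortSpec:
    """Parse 'any', '80', '6346:6352', ':1024', '1024:' or '[a,b:c,...]',
    each optionally prefixed with '!' to negate the whole expression."""
    text = text.strip()
    if text == "any":
        return PortSpec((), any_port=True)
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    ranges: List[Tuple[int, int]] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port list")
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)
            lo = int(lo_s) if lo_s else 0        # ':1024' means <= 1024
            hi = int(hi_s) if hi_s else 65535    # '1024:' means >= 1024
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item}")
        ranges.append((lo, hi))
    return PortSpec(tuple(ranges), negated=negated)


def header_matches(src_spec: PortSpec, dst_spec: PortSpec, bidirectional: bool,
                   src_port: int, dst_port: int) -> bool:
    """Apply the port half of a rule header; '<>' also tries the reversed orientation."""
    forward = src_spec.matches(src_port) and dst_spec.matches(dst_port)
    if not bidirectional:
        return forward
    return forward or (src_spec.matches(dst_port) and dst_spec.matches(src_port))


def filter_packets(packets: List[Tuple[int, int]],
                   port_list: str = P2P_PORTS) -> List[Tuple[int, int]]:
    """Return the (src, dst) pairs that the header '!P2P_PORTS <> !P2P_PORTS' would
    still inspect, i.e. those where neither port is on the P2P list."""
    spec = parse_port_spec("!" + port_list)
    return [p for p in packets if header_matches(spec, spec, True, p[0], p[1])]


# Constructed sample flows: (source port, destination port).
SAMPLE_PACKETS = [
    (51000, 6881),   # BitTorrent-range destination: skipped
    (44321, 80),     # ordinary HTTP: inspected
    (6346, 443),     # Gnutella-range source: skipped
    (5541, 5541),    # both ends on the list: skipped
    (1234, 22),      # SSH: inspected
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        kept = pkt in filter_packets(SAMPLE_PACKETS)
        print(f"{pkt[0]:>5} -> {pkt[1]:<5} {'inspect' if kept else 'skip'}")
```

Because `!` is applied to the whole list and the same negated spec sits on both sides of `<>`, a packet is kept only when neither of its two ports falls in any listed range; swapping in an un-negated spec turns the same function into a "P2P ports only" selector.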
