[Snort-users] Question on port lists and negation
mkettler at ...4108...
Mon Oct 8 16:57:57 EDT 2007
Richard Bejtlich wrote:
> As I mentioned to roesch and WuTang in IRC, I am playing with port
> lists and negation.
> Say I create this snort.conf:
> portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
> alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
port specs cannot be comma-delimited lists like that, IIRC.
For ports you can specify:
a port 
a continuous range of ports [1:1023]
or a negation of either of the above.
But you cannot do things like [80,88]. That syntax only works for IP addresses.
See also the docs on port numbers in rules:
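A small matcher for the port-spec forms the reply lists (a single port, a `[lo:hi]` range, and `!` negation of either) plus Snort's `any` and open-ended ranges such as `:1023` or `1024:`; it is an added example, not code from this thread or from Snort itself, and the function names are my own. It can be used to check which ports a rule's port field would actually match before the rule is deployed.

```python
import re

# Forms handled: "80", "[1:1023]", "1:1023", ":1023", "1024:", "any",
# each optionally prefixed with "!". Anything else (including
# comma-separated lists) raises ValueError.
_SINGLE_RE = re.compile(r"^\d{1,5}$")
_RANGE_RE = re.compile(r"^\[?(\d{0,5}):(\d{0,5})\]?$")


def parse_port_spec(spec):
    """Return (negated, lo, hi) for one Snort-style port spec."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        if negated:  # "!any" would match nothing, so treat it as an error
            raise ValueError("negated 'any' matches no port")
        return False, 0, 65535
    if _SINGLE_RE.match(spec):
        lo = hi = int(spec)
    else:
        m = _RANGE_RE.match(spec)
        if not m:
            raise ValueError("unsupported port spec: %r" % spec)
        lo = int(m.group(1)) if m.group(1) else 0          # ":1023" -> 0..1023
        hi = int(m.group(2)) if m.group(2) else 65535      # "1024:" -> 1024..65535
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("port range out of order or out of bounds: %r" % spec)
    return negated, lo, hi


def is_valid_port_spec(spec):
    """True if parse_port_spec accepts the spec."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def port_matches(spec, port):
    """Would a rule whose port field is `spec` fire on traffic to/from `port`?"""
    negated, lo, hi = parse_port_spec(spec)
    inside = lo <= port <= hi
    return (not inside) if negated else inside


if __name__ == "__main__":
    for s in ("80", "!80", "[1:1023]", "![1:1023]", ":1023", "1024:", "any"):
        print("%-10s matches 8080: %s" % (s, port_matches(s, 8080)))
```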