[Snort-users] Question on port lists and negation
scott.dexter at ...11827...
Mon Oct 8 17:03:00 EDT 2007
I believe he is referring to Snort 2.8, which does support port lists.
On 10/8/07, Matt Kettler <mkettler at ...4108...> wrote:
> Richard Bejtlich wrote:
> > Hello,
> > As I mentioned to roesch and WuTang in IRC, I am playing with port
> > lists and negation.
> > Say I create this snort.conf:
> > portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
> > alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
> Port specs cannot be comma-delimited lists like that, IIRC.
> For ports you can specify:
> a port 
> a continuous range of ports [1:1023]
> or a negation of either of the above.
> But you cannot do things like [80,88]. That syntax only works for IP addresses.
> See also, the docs on port numbers in rules:
Ignorance more frequently begets confidence than does knowledge: it is
those who know little, not those who know much, who so positively
assert that this or that problem will never be solved by science.
English biologist (1809 - 1882)
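Added example, not part of the original messages and not Snort's own code: a simplified Python model of how the negated port list in the quoted snort.conf selects destination ports, using the Snort 2.8 style list and range syntax discussed in the thread. The function names are hypothetical, the configuration text is the two quoted lines embedded as constructed input, and negation inside a portvar value is assumed not to occur.

```python
import re

# Constructed input: the two snort.conf lines quoted in the thread.
CONF = '''portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)'''

def load_portvars(conf_text):
    """Collect 'portvar NAME VALUE' definitions into a dict."""
    found = re.findall(r"^\s*portvar\s+(\w+)\s+(\S+)", conf_text, re.M)
    return dict(found)

def rule_dst_port_spec(rule):
    """Return the destination-port field of a rule header:
    action proto src sport direction dst dport (options)."""
    return rule.split("(", 1)[0].split()[6]

def parse_port_spec(spec, portvars):
    """Return (negated, [(lo, hi), ...]) for 'any', '80', '1:1023',
    '[80,8000:8008]', '$VAR', or any of these prefixed with '!'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = portvars[spec[1:]]  # KeyError means an undefined portvar
    ranges = []
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if item == "any":
            ranges.append((0, 65535))
        elif ":" in item:  # ':1023' and '1024:' are open-ended ranges
            lo, hi = item.split(":")
            ranges.append((int(lo or 0), int(hi or 65535)))
        else:
            ranges.append((int(item), int(item)))
    return negated, ranges

def port_matches(port, spec, portvars):
    """True if the rule's port field accepts this port number."""
    negated, ranges = parse_port_spec(spec, portvars)
    in_list = any(lo <= port <= hi for lo, hi in ranges)
    return in_list != negated

PORTVARS = load_portvars(CONF)
RULE = [l for l in CONF.splitlines() if l.startswith("alert")][0]
DST_SPEC = rule_dst_port_spec(RULE)  # the rule's destination-port field

if __name__ == "__main__":
    for port in (80, 443, 8008, 8081):
        hit = port_matches(port, DST_SPEC, PORTVARS)
        print(port, "port field matches" if hit else "no match")
```

Under this model the rule's port field excludes every port named in MY_HTTP_PORTS and accepts all others, which is the behaviour the negated list is meant to express.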