[Snort-users] Question on port lists and negation

Richard Bejtlich taosecurity at ...11827...
Tue Oct 9 22:18:25 EDT 2007


On 10/8/07, John Curry <john.curry at ...14221...> wrote:
> Hello Richard,
>
> I believe something like the following should work, without the use of 'flow' in the rule.
>
> alert tcp any !PORTS -> any !PORTS
>
> The rule needs to apply to packets going to and coming from the ports in the PORTS list.  I have not found the "->" token to do anything to enforce direction since at least 2.4.3.  I've had to rely on the 'flow' option to enforce a packet direction for TCP sessions.
>

Hi John,

Wow, that is an interesting observation regarding -> and 2.4.3.  Can
anyone from Sourcefire confirm this?

Thank you,

Richard



