[Snort-users] Question on port lists and negation
taosecurity at ...11827...
Tue Oct 9 22:18:25 EDT 2007
On 10/8/07, John Curry <john.curry at ...14221...> wrote:
> Hello Richard,
> I believe something like the following should work, without the use of 'flow' in the rule.
> alert tcp any !PORTS -> any !PORTS
> The rule needs to apply to packets going to and coming from the ports in the PORTS list. I have not found the "->" token to do anything to enforce direction since at least 2.4.3. I've had to rely on the 'flow' option to enforce a packet direction for TCP sessions.
Wow, that is an interesting observation regarding -> and 2.4.3. Can
anyone from Sourcefire confirm this?