[Snort-users] Rule help

Jack Pepper pepperjack at ...14319...
Tue Dec 23 15:39:38 EST 2008


Quoting "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>:

> Is this in the docs anywhere? I've got the rule writing section in  
> front of me and didn't see that in the protocol section.  That would  
> have been nice to know up front. :)
>

the "oddity" isn't that snort rule syntax ignores port numbers on IP.
That's part of the IP protocol.  the "oddity" IMO is that snort does
not escalate a syntax error on IP protocol if the port is anything
other than "any".

jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
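
The message above says Snort accepts a port other than "any" on an `ip` rule without reporting a syntax error. The following is an added example, not part of the original post and not Snort's own code: a small lint pass that flags such rules before they are deployed. The sample rules, SIDs and the name `lint_ip_rule_ports` are constructed for illustration, and the parser assumes address and port lists contain no spaces.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
# Assumption: address and port lists contain no spaces, e.g. [80,443].
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed sample rules (SIDs and messages are made up for this example).
SAMPLE_RULES = r'''
alert ip any any -> $HOME_NET any (msg:"constructed: fine"; sid:1000001; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed: port on ip"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 53 (msg:"constructed: tcp keeps its port"; sid:1000003; rev:1;)
# alert ip any 80 -> any any (msg:"constructed: disabled rule"; sid:1000004; rev:1;)
alert ip any [80,443] -> any $HTTP_PORTS \
    (msg:"constructed: continued line"; ip_proto:47; sid:1000005; rev:1;)
'''

def lint_ip_rule_ports(rules_text):
    """Return (sid, field, value) for every ip rule whose port is not 'any'."""
    findings = []
    # Join backslash-continued lines so each rule is one logical line.
    for line in re.sub(r"\\\r?\n", " ", rules_text).splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        m = HEADER.match(line)
        if not m or m.group("proto").lower() != "ip":
            continue  # unparsable line, or a protocol that really has ports
        sid = SID.search(m.group("opts"))
        for field in ("sport", "dport"):
            value = m.group(field)
            # Port variables are flagged too: their value is not resolved here.
            if value.lower() != "any":
                findings.append((int(sid.group(1)) if sid else None, field, value))
    return findings

if __name__ == "__main__":
    for sid, field, value in lint_ip_rule_ports(SAMPLE_RULES):
        print(f"sid {sid}: {field} '{value}' on an ip rule (not reported as a syntax error)")
```
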




