[Snort-users] Rule help

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Dec 23 15:50:13 EST 2008


I guess I misunderstand what "ip" refers to.  I assumed it meant "tcp AND udp", and ports would be valid with both.  Oops.

-----Original Message-----
From: Jack Pepper [mailto:pepperjack at ...14319...] 
Sent: December 23, 2008 12:40 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rule help

Quoting "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>:

> Is this in the docs anywhere? I've got the rule writing section in  
> front of me and didn't see that in the protocol section.  That would  
> have been nice to know up front. :)
>

The "oddity" isn't that snort rule syntax ignores port numbers on IP.   
That's part of the IP protocol.  The "oddity" IMO is that snort does  
not escalate a syntax error on IP protocol if the port is anything  
other than "any".

jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
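
Added example, not part of the original messages and not Snort project code: a small Python check that scans a rules file for the case discussed in this thread, a rule with protocol "ip" whose source or destination port is something other than "any". The sample rules, sids and the function name are constructed for illustration, and only single-line rule headers are handled.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

def find_ip_rules_with_ports(rules_text):
    """Return (line_no, sport, dport) for each 'ip' rule whose ports are not 'any'."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        m = HEADER.match(stripped)
        if m is None:
            continue  # not a single-line rule header; out of scope here
        if m.group("proto").lower() != "ip":
            continue  # tcp/udp rules legitimately carry ports
        sport, dport = m.group("sport"), m.group("dport")
        if sport.lower() != "any" or dport.lower() != "any":
            findings.append((line_no, sport, dport))
    return findings

# Constructed sample rules (not from the thread); sids are placeholders.
SAMPLE_RULES = """\
# local.rules
alert ip any any -> $HOME_NET 445 (msg:"constructed: port on ip rule"; sid:1000001;)
alert tcp any any -> $HOME_NET 445 (msg:"constructed: tcp rule"; sid:1000002;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed: ip any/any"; sid:1000003;)
alert ip any 53 <> any any (msg:"constructed: source port on ip rule"; sid:1000004;)
"""

if __name__ == "__main__":
    for line_no, sport, dport in find_ip_rules_with_ports(SAMPLE_RULES):
        print(f"line {line_no}: 'ip' rule has ports {sport} -> {dport}; "
              "per this thread the ports are ignored, so use tcp/udp or 'any'")
```

Running a check like this before loading rules surfaces the mismatch that, per the thread, snort itself accepts without a syntax error.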




