Snort mailing list archives

Re: Constructing Rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Nov 2002 13:42:59 -0500

Comma separated lists of ports aren't currently supported by Snort. So there's no way to do what you're asking.

If they were however supported, like they are for IPs, your syntax would be effectively asking for a match of any port. What you would really want is to brace the list and put a single ! out front of that.

For example, the proper syntax with IP lists to exclude 2 IPs is:

![192.168.1.1/32,192.168.3.3/32]
which will match anything which is not (192.168.1.1 or 192.168.3.3)

Whereas this:
!192.168.1.1/32,!192.168.3.3/32

may as well be any, since it will match anything which is (not 192.168.1.1) or (not 192.168.3.3).


But since comma separated lists of ports are not supported, there's currently no way to do ![80,81,8080]


At 11:05 AM 11/26/2002 -0500, you wrote:
Hello all,
Just a quick question: when making a rule in Snort I want Snort to negate/ignore multiple ports, not a range. Is this able to be done?

Just a random rule example:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)

What I am trying to do:

alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)

This approach comes up with an error, and I have not found another approach that works.

Any help would be greatly appreciated.

Thanks,
Mike
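
The difference between the two IP-list forms in the reply above, worked through as an added example (not part of the original message and not Snort's own parser): a small Python model that reads a comma list as OR and `!` as NOT, as the reply describes. The function names and the three test addresses are constructed for illustration.

```python
import ipaddress

def split_top_level(spec):
    """Split on commas that are not inside [...] brackets."""
    parts, depth, cur = [], 0, ""
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def matches(spec, addr):
    """Model only: a comma list is OR, a leading ! negates what follows it."""
    parts = split_top_level(spec)
    if not parts:
        raise ValueError("empty address specification")
    if len(parts) > 1:                      # a,b  ->  a OR b
        return any(matches(p, addr) for p in parts)
    item = parts[0]
    if item.startswith("!"):                # !x   ->  NOT x
        return not matches(item[1:], addr)
    if item.startswith("[") and item.endswith("]"):
        return matches(item[1:-1], addr)    # [a,b] groups the list
    if item == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(item, strict=False)

def matching_addrs(spec, addrs):
    """Return the addresses from addrs that the specification matches."""
    return [a for a in addrs if matches(spec, a)]

# Constructed test addresses: the two excluded hosts plus one unrelated host.
SAMPLE = ["192.168.1.1", "192.168.3.3", "10.0.0.5"]
BRACED = "![192.168.1.1/32,192.168.3.3/32]"      # NOT (a OR b)
UNBRACED = "!192.168.1.1/32,!192.168.3.3/32"     # (NOT a) OR (NOT b)

if __name__ == "__main__":
    print("braced  :", matching_addrs(BRACED, SAMPLE))
    print("unbraced:", matching_addrs(UNBRACED, SAMPLE))
    print("any     :", matching_addrs("any", SAMPLE))
```

The unbraced form returns the same addresses as `any`, because each host that fails one negated term satisfies the other.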


