Snort mailing list archives

Re: pb with ports...


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 20 May 2003 16:45:18 -0400

No, as per the documentation you cannot do lists of ports...

You can do a port (80), a range (80:90), a negation of a port (!80), or a negation of a range (!80:90)...

That's all.. No lists, lists of negations, or negated lists are supported for port numbers in rules.

Also of note, IP addresses do support comma-separated lists, however the basic construct that you used would fail there too, but could actually be written to do what you want, instead of what you said.

[!192.168.1.1/32,!192.168.0.1/32]

Is logically the same as "any" because you've goofed up the position of the negation... The only time the above statement would not match is if the address of the packet was both 192.168.1.1 and 192.168.0.1 at the same time, which is impossible.

What you would really want is
![192.168.1.1/32,192.168.0.1/32]

Which will match everything that isn't those two IP addresses...

It's a De Morgan's theorem thing... NOT A or NOT B is the same as NOT (A AND B)... which is what the first case amounts to.

But alas, this construct isn't supported for ports, only IPs.



At 03:31 PM 5/20/2003 +0200, phelles wrote:
Hi everyone!!
I was wondering: is it possible to apply a rule except on 2 or 3
different ports?
it could be something like:


alert tcp $HOME_NET any -> $EXTERNAL_NET !8080 !5000 (msg:"test";
flow:to_server,established; resp:rst_all; content:"test "; offset:0;
depth:4; classtype:misc-activity; sid:66000; rev:3;)

but it doesn't work.
Thanks in advance!!
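
An added example, not part of the original thread and not Snort's own parser: a small Python model of the address-list semantics described in the reply above, where list elements are OR'ed and a `!` either applies to one element or to the whole bracketed list. The function names and the test addresses are assumptions made for illustration.

```python
import ipaddress

def parse(spec):
    """Split '[!a,!b]', '![a,b]', 'a' or '!a' into (outer_negated, [(negated, network), ...])."""
    spec = spec.strip()
    outer = spec.startswith("![")          # negation applied to the whole list
    if outer:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for part in spec.split(","):
        part = part.strip()
        neg = part.startswith("!")         # negation applied to this element only
        items.append((neg, ipaddress.ip_network(part.lstrip("!"))))
    return outer, items

def matches(spec, addr):
    """True if addr matches spec, with list elements OR'ed as the reply describes."""
    outer, items = parse(spec)
    ip = ipaddress.ip_address(addr)
    hit = any((ip in net) != neg for neg, net in items)
    return hit != outer

def compare(addresses):
    """Evaluate both constructs from the reply against each address."""
    per_element = "[!192.168.1.1/32,!192.168.0.1/32]"   # NOT A OR NOT B
    whole_list = "![192.168.1.1/32,192.168.0.1/32]"     # NOT (A OR B)
    return {a: (matches(per_element, a), matches(whole_list, a)) for a in addresses}

if __name__ == "__main__":
    # Constructed sample addresses: the two listed hosts plus one unrelated host.
    for addr, (loose, strict) in compare(["192.168.1.1", "192.168.0.1", "10.0.0.5"]).items():
        print(f"{addr:12}  [!A,!B] -> {loose!s:5}  ![A,B] -> {strict}")
```

Under this model the per-element form matches all three addresses, including the two hosts it was meant to exclude, while the whole-list form matches only the unrelated host.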


