On 10/8/07, Matt Kettler <mkettler@evi-inc.com> wrote:
Richard Bejtlich wrote:
Hello,
As I mentioned to roesch and WuTang in IRC, I am playing with port
lists and negation.
Say I create this snort.conf:
portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
port specs cannot be comma-delimited lists like that, IIRC.
For ports you can specify:
a port [80]
a continuous range of ports [1:1023]
or a negation of either of the above.
But you cannot do things like [80,88]. That syntax only works for IP
addresses.
From snort-2.8.0/RELEASE.NOTES:
2007-09-20 - Snort 2.8.0
[*] New Additions
* Port Lists. Added and improved handling of lists of Ports, Port Ranges,
and use of Port variables (portvar) within rules. Eliminates need to
duplicate rules for different that are far apart, like HTTP ports 80 and
8080. See README.variables for details.
From snort-2.8.0/etc/snort.conf:
# NOTE: If you wish to define multiple HTTP ports, use the portvar
# syntax to represent lists of ports and port ranges. Examples:
## portvar HTTP_PORTS [80,8080]
## portvar HTTP_PORTS [80,8000:8080]
# And only include the rule that uses $HTTP_PORTS once.
#
# The pre-2.8.0 approach of redefining the variable to a different port and
# including the rules file twice is obsolete. See README.variables for more
# details.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
