[FC3] SNORT: writing rules

Mike Klinke lsomike at futzin.com
Fri Jan 6 06:01:53 UTC 2006


On Thursday 05 January 2006 18:45, Liloulinx wrote:
> Hi,
> I want to write a SNORT rules.
> I want to make an alert if the input traffic is different from
> the port "i" and the port "j". (for example port 80 and port 443).
> So I use these rules:
>   alert tcp any any -> 192.168.1.0/24 !80 (msg:"query different
> from port 80";)
>   alert tcp any any -> 192.168.1.0/24 !443 (msg:"query different
> from port 443";)
> But if I receive a query to a port different from 80 and 443,
> this manner of writing rules will generate me 2 alerts at the
> same time. Is there any manner to rewrite these rules in order to
> get just one rule and thus only one alert?
> I know that the following manner is false, but it's just an
> example to explain what I want to get:
>   alert tcp any any -> 192.168.1.0/24 ![80 AND 443] (msg:"query
> different from port 80 and 443";)
> Thanks.
> (Linx)


I don't know if negated port lists are supported yet or not.  I've 
seen a little discussion that seems to indicate that they aren't:

http://marc.theaimsgroup.com/?l=snort-users&m=107368796627596&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107282430014686&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107341476419431&w=2

You may want to pose the question on the snort list(s).


Regards, Mike Klinke
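To make the difference between the two rule sets in the question concrete, here is an added Python model of how Snort evaluates the destination-port field of a rule header (my own example, not code from the thread or from the Snort project). It assumes a bracketed, negated port list written `![80,443]`, the form later Snort releases accept, and reduces each rule to its port field and its msg.

```python
def parse_ports(spec):
    """Parse a Snort-style port field into (negated, set_of_ports).

    Accepts 'any', a single port (80), a range (6000:6010, :1024, 1024:),
    a bracketed list ([80,443]) and a leading '!' that negates any of them.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, set(range(65536))
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:  # open-ended ranges default to 0 and 65535
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return negated, ports


def port_matches(spec, port):
    """True when a packet to `port` satisfies the port field `spec`."""
    negated, ports = parse_ports(spec)
    return port not in ports if negated else port in ports


def alerts_for(rules, dst_port):
    """Return the msg of every rule whose destination-port field matches."""
    return [msg for port_spec, msg in rules if port_matches(port_spec, dst_port)]


# Constructed rule sets modelled on the thread; only the dst-port field and msg are kept.
TWO_RULES = [("!80", "query different from port 80"),
             ("!443", "query different from port 443")]
ONE_RULE = [("![80,443]", "query different from port 80 and 443")]

if __name__ == "__main__":
    for port in (22, 80, 443):
        print(port, alerts_for(TWO_RULES, port), alerts_for(ONE_RULE, port))
```

Running it shows the second problem with the two-rule version: a query to port 80 or 443, which should be silent, still fires one of the two rules, while the single negated list is quiet on both and fires exactly once on any other port.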
