From: Andrew R. Baker (andrewbfarm9.com)
Date: Thu Mar 22 2001 - 10:16:24 CST


    You can do this with a set of pass rules and one alert rule.
    Make sure that the pass rules are processed before the alert
    rule. You can do this with either the -o switch on the
    command line or using the conf file command

    config order: pass, alert

    I think that is correct; I am working from memory...

    Here are some rules that you could use:

    pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
    pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
    # add whatever other services you don't want to alert on here.

    alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt";
    flags: S;)

    Let me know if you have any more questions.

    -A

    Johnathan Corgan wrote:
    >
    > Being a new user to snort, I'm not quite up to speed on the rules language.
    > However, I don't see how to program a rule that would trigger on "all
    > destination ports except these specified well known ports".
    >
    > I'd like to log all tcp SYN attempts to any port that aren't in a well known
    > list such as pop3, www, ftp, smtp, etc.
    >
    > Am I really, really missing something simple? Appropriate embarrassment will
    > follow if I am.
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users@lists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

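The pass-before-alert ordering the reply depends on, modelled in Python as an added example (this is not Snort code and not from either poster): it parses the three rules quoted in the reply and evaluates a few constructed TCP SYN packets under Snort's default rule-type order and under `config order: pass, alert`. The rule parser, the packet model and the sample traffic are assumptions made for this illustration only.

```python
import re
from dataclasses import dataclass, field

# The three rules from the reply, with the wrapped alert rule re-joined.
RULES_TEXT = """
pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt"; flags: S;)
"""

# Minimal rule-header grammar (assumption: enough for the rules above).
RULE_RE = re.compile(
    r"^(?P<action>pass|alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

@dataclass
class Rule:
    action: str
    proto: str
    dport: str                                 # "any" or a port number as text
    opts: dict = field(default_factory=dict)   # parsed "key: value;" options

@dataclass
class Packet:
    proto: str
    dport: int
    flags: str   # "S" for a bare SYN, "SA" for SYN/ACK, and so on

def parse_rules(text):
    """Parse rule lines into Rule objects; '#' comments and blanks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line!r}")
        opts = {}
        for opt in m["opts"].split(";"):
            if opt.strip():
                key, _, value = opt.partition(":")
                opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(m["action"], m["proto"], m["dport"], opts))
    return rules

def matches(rule, pkt):
    """Match on protocol, destination port and the 'flags' option only;
    $OUTSIDE/$INSIDE and the source port are ignored in this model."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    want = rule.opts.get("flags")          # 'flags: S' means exactly SYN
    return want is None or want == pkt.flags

def first_action(rules, pkt, order):
    """Snort walks the rule types in 'order' and stops at the first type
    that holds a matching rule, so a later type never sees the packet."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's built-in order
PASS_FIRST = ("pass", "alert", "log")      # 'config order: pass, alert' or -o

# Constructed sample traffic: SYNs to the two permitted ports, a SYN to an
# unexpected port, and a SYN/ACK that 'flags: S' must not match.
SAMPLE = [Packet("tcp", 80, "S"), Packet("tcp", 110, "S"),
          Packet("tcp", 22, "S"), Packet("tcp", 22, "SA")]

def alerted_ports(order, rules_text=RULES_TEXT, packets=SAMPLE):
    """Return the sorted destination ports whose packets end up alerting."""
    rules = parse_rules(rules_text)
    return sorted(p.dport for p in packets
                  if first_action(rules, p, order) == "alert")

if __name__ == "__main__":
    print("default order alerts on:", alerted_ports(DEFAULT_ORDER))  # [22, 80, 110]
    print("pass-first order alerts on:", alerted_ports(PASS_FIRST))  # [22]
```

With the default order the catch-all alert rule is consulted before any pass rule, so SYNs to 80 and 110 alert too; only with pass rules evaluated first does the set of alerts shrink to the ports not on the list, which is the point of the `config order` advice in the reply.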