From: shawn . moyer (shawnnet-connect.net)
Date: Thu Mar 22 2001 - 10:48:33 CST

    Johnathan Corgan wrote:
    >
    > Being a new user to snort, I'm not quite up to speed on the rules language.
    > However, I don't see how to program a rule that would trigger on "all
    > destination ports except these specified well known ports".

    In addition to what Andrew mentioned, you can also do this by !<port>,
    i.e.

    alert tcp $EXTERNAL_NET !80 <> $HOME_NET any (msg: "Non-http traffic!";)

    --shawn

    -- 
    

    s h a w n m o y e r shawnnet-connect.net

    "Nuclear war would really set back cable." -- Ted Turner

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
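
An added example, not part of the original message and not Snort's own code: a simplified Python model of how the port fields and the `->` / `<>` operators of a rule header are evaluated, run over constructed packets. The `ext`/`home` labels, the `DST_ONLY` variant and the sample packets are assumptions made for the illustration, and TCP session state is not modelled.

```python
# Simplified model of Snort rule-header port matching (added illustration).
# Networks are reduced to the labels "ext" and "home", an assumption standing
# in for $EXTERNAL_NET and $HOME_NET.

def port_matches(spec, port):
    """Port field: any, N, lo:hi, :hi or lo:, each optionally prefixed with !."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_matches(rule, pkt):
    """rule = (net, port, op, net, port); pkt = (src_net, sport, dst_net, dport)."""
    lnet, lport, op, rnet, rport = rule
    snet, sport, dnet, dport = pkt
    def one_way(a_net, a_port, b_net, b_port):
        return (snet == a_net and port_matches(a_port, sport) and
                dnet == b_net and port_matches(b_port, dport))
    if one_way(lnet, lport, rnet, rport):
        return True
    # "<>" also tries the header with its two sides swapped
    return op == "<>" and one_way(rnet, rport, lnet, lport)

# Header of the rule in the message, and a constructed "->" variant that
# negates a destination port range instead.
BIDIR = ("ext", "!80", "<>", "home", "any")
DST_ONLY = ("ext", "any", "->", "home", "!1:1023")

# Constructed sample packets: (src_net, sport, dst_net, dport)
PACKETS = {
    "outbound-http": ("home", 40000, "ext", 80),
    "http-reply": ("ext", 80, "home", 40000),
    "outbound-ssh": ("home", 40000, "ext", 22),
    "inbound-smtp": ("ext", 51000, "home", 25),
    "inbound-http": ("ext", 51000, "home", 80),
}

def alerts(rule):
    """Names of the sample packets whose header the rule matches."""
    return [name for name, pkt in PACKETS.items() if header_matches(rule, pkt)]

if __name__ == "__main__":
    print("BIDIR   :", alerts(BIDIR))
    print("DST_ONLY:", alerts(DST_ONLY))
```

In this model the `!80` of the bidirectional header always applies to the external side's port, so an inbound request to a home web server on port 80 still matches. The `->` variant tests the destination port only and, with no session tracking, also matches replies arriving on ephemeral ports.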