OSEC

From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Thu Oct 17 2002 - 00:11:58 CDT


    I'm assuming you want to log _EVERYTHING_ except what's headed to dst port
    80,443,110, right?
    In your example you have them as your 'src' port, on the left hand
    side of the direction operator.
    You could try port negation via 'ranges' like so: !80:443. Only a handful
    of services run in between..
    but you would probably MISS a lot....

    I know you can specify multiple IP addresses via [x.x.x.x/32,x.x.x.x/32].
    I checked the manual, I only saw port negation via ranges.. not multiple
    "!" ...
    I could be wrong, tell me if I am.. take care

    hope it helps ( wee 2 cents free )
       
        - Albert

    McKim, Tim wrote:

    >I want to create a rule that ignores three ports but alerts on everything
    >else.
    >
    >
    >Something like
    >
    >alert tcp !$HOME_NET (!80 && !443 && !110) -> $HOME_NET any ..........
    >
    >I just haven't been able to find what the correct syntax is or if it is even
    >possible. If anyone knows how to do this I would appreciate the help.
    >
    >Thanks,
    >
    >Tim
    >
    >
    >
    >

    -- 
    The secret to success is to start from scratch and keep on scratching.
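
An added example, not part of the original message or of Snort itself, that quantifies the trade-off in the reply above: it models the single-port, range and negation forms of a rule's port field and lists the destination ports a `!80:443` rule stops watching beyond the three that were meant to be ignored. The function names are hypothetical and the lower bound of an open range is assumed to be port 0.

```python
# Added example: a small model of a Snort rule port field
# (any, N, N:M, :M, N:, each with an optional leading "!").
MAX_PORT = 65535
ALL_PORTS = frozenset(range(0, MAX_PORT + 1))


def parse_port_spec(spec):
    """Return the set of ports that a port field such as '!80:443' matches."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        ports = set(ALL_PORTS)
    elif ":" in spec:
        low, high = spec.split(":", 1)
        lo = int(low) if low else 0          # ":M" means every port up to M
        hi = int(high) if high else MAX_PORT  # "N:" means every port from N up
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range: %r" % spec)
        ports = set(range(lo, hi + 1))
    else:
        port = int(spec)
        if not 0 <= port <= MAX_PORT:
            raise ValueError("bad port: %r" % spec)
        ports = {port}
    return set(ALL_PORTS) - ports if negated else ports


def blind_spots(spec, ignored_ports):
    """Ports the rule no longer matches although they were not meant to be ignored."""
    wanted = set(ALL_PORTS) - set(ignored_ports)
    return sorted(wanted - parse_port_spec(spec))


def still_alerting(spec, ignored_ports):
    """Ports that were meant to be ignored but that the rule still matches."""
    return sorted(parse_port_spec(spec) & set(ignored_ports))


if __name__ == "__main__":
    ignored = {80, 110, 443}  # the three ports from the question
    missed = blind_spots("!80:443", ignored)
    print("unwatched ports beyond the intended three:", len(missed))
    print("examples:", [p for p in missed if p in (111, 135, 139, 143, 389)])
    print("ignored ports still alerting:", still_alerting("!80:443", ignored))
```

Ports such as 111, 135, 139, 143 and 389 fall inside the negated range, so traffic to them would go unlogged under the range workaround.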
    
