Hi,
I want to write SNORT rules.
I want to make an alert if the incoming traffic is to a port different from port
"i" and port "j" (for example port 80 and port 443). So I use these
rules:
alert tcp any any -> 192.168.1.0/24 !80 (msg:"query different from port 80"; sid:1000001; rev:1;)
alert tcp any any -> 192.168.1.0/24 !443 (msg:"query different from port 443"; sid:1000002; rev:1;)
But if I receive a query to a port different from 80 and 443, this
way of writing the rules will generate 2 alerts at the same time.
Is there any way to rewrite these rules in order to get just one rule
and thus only one alert?
I know that the following form is invalid, but it's just an example to
explain what I want to get:
alert tcp any any -> 192.168.1.0/24 ![80 AND 443] (msg:"query different from port 80 and 443";)
Thanks.
(Linx)
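As an added illustration (not part of the original post), the small evaluator below models Snort's port-list syntax, in which a negated list such as `![80,443]` is a single port specification, and counts how many rules would match a given destination port. It shows that the two separate `!80` and `!443` rules fire twice for port 22 and still fire once for port 80 or 443 (since `!443` matches port 80), whereas one `![80,443]` rule fires exactly once for port 22 and never for 80 or 443. The parser is hypothetical illustrative code, not Snort's own, and assumes the Snort 2 port grammar (`any`, `80`, `!80`, `lo:hi`, `[a,b]`, `![a,b]`).

```python
# Toy evaluator for Snort port specifications (illustrative, not Snort's parser).
# Supported forms, assumed from the Snort 2 port-list grammar:
#   any | 80 | !80 | 1:1024 | :1024 | 1024: | [80,443] | ![80,443]

def _parse_items(spec):
    """Return the set of ports named by a comma-separated list of single
    ports and inclusive 'lo:hi' ranges (an empty side means 0 or 65535)."""
    ports = set()
    for item in spec.split(','):
        item = item.strip()
        if ':' in item:
            lo, hi = item.split(':', 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 65535
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

def port_matches(spec, port):
    """True if `port` satisfies the port specification `spec`."""
    spec = spec.strip()
    if spec == 'any':
        return True
    negate = spec.startswith('!')
    if negate:
        spec = spec[1:]
    if spec.startswith('[') and spec.endswith(']'):
        spec = spec[1:-1]
    listed = _parse_items(spec)
    return (port not in listed) if negate else (port in listed)

def alerts_fired(dst_port_specs, dst_port):
    """Count how many rules (given by their destination-port field) match
    `dst_port`; each matching rule would raise its own alert."""
    return sum(1 for spec in dst_port_specs if port_matches(spec, dst_port))

if __name__ == '__main__':
    two_rules = ['!80', '!443']      # the two-rule approach from the post
    one_rule = ['![80,443]']         # a single negated port list
    for port in (22, 80, 443):
        print(port, alerts_fired(two_rules, port), alerts_fired(one_rule, port))
```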