On Thursday 05 January 2006 18:45, Liloulinx wrote:
> Hi,
> I want to write a SNORT rule.
> I want to make an alert if the input traffic is different from
> the port "i" and the port "j" (for example port 80 and port 443).
> So I use these rules:
> alert tcp any any -> 192.168.1.0/24 !80 (msg:"query different from port 80";)
> alert tcp any any -> 192.168.1.0/24 !443 (msg:"query different from port 443";)
> But if I receive a query to a port different from 80 and 443,
> this manner of writing rules will generate me 2 alerts at the
> same time. Is there any manner to rewrite these rules in order to
> get just one rule and thus only one alert?
> I know that the following manner is false, but it's just an
> example to explain what I want to get:
> alert tcp any any -> 192.168.1.0/24 ![80 AND 443] (msg:"query different from port 80 and 443";)
> Thanks.
> (Linx)

I don't know if negated port lists are supported yet or not. I've seen a little discussion that seems to indicate that they aren't:

http://marc.theaimsgroup.com/?l=snort-users&m=107368796627596&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107282430014686&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107341476419431&w=2

You may want to pose the question on the snort list(s).

Regards, Mike Klinke
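The alert-count problem in the question is easy to see with a small model of how Snort evaluates the destination-port field of a rule. The block below is an example added to this thread; it is neither Snort's own code nor anything posted by Liloulinx or Mike Klinke. It implements a toy port-spec matcher (single port, `!port`, `lo:hi` ranges, `[a,b]` lists and the negated list `![80,443]` that the question asks for) and counts how many of the quoted rules would fire for a given destination port. Only the port is modelled (addresses and protocol are assumed to match), the packets are constructed for the example, and the `![80,443]` syntax is used here purely to express the semantics the poster wanted, not as a statement about what any Snort release accepts.

```python
"""Toy model of Snort rule destination-port matching (example code, not Snort's).

Shows why the two rules from the question ("!80" and "!443") fire twice for a
port such as 22, fire once for port 80 and once for port 443 (each of them is
"different from" the other rule's port), and how one rule with a negated port
list would behave instead.  Rule text and packets are constructed inline.
"""
import re
from dataclasses import dataclass

# Minimal Snort rule header grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_port_spec(spec):
    """Return (negated, ports) for 'any', '80', '!80', '6000:6010',
    '[80,443]' or '![80,443]'.  'any' yields ports=None (matches everything)."""
    negated = spec.startswith('!')
    body = spec[1:] if negated else spec
    if body == 'any':
        return negated, None
    ports = set()
    for item in body.strip('[]').split(','):
        item = item.strip()
        if ':' in item:                      # range, open ends default to 0/65535
            lo, hi = item.split(':', 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 65535
        else:
            lo = hi = int(item)
        ports.update(range(lo, hi + 1))
    return negated, ports


def port_matches(spec, port):
    """True if destination port `port` satisfies the rule's port spec."""
    negated, ports = parse_port_spec(spec)
    if ports is None:                        # 'any' / '!any'
        return not negated
    return (port not in ports) if negated else (port in ports)


@dataclass
class Rule:
    dport: str
    msg: str


def parse_rule(text):
    """Extract the destination-port spec and msg from one rule line."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('unparsable rule: ' + text)
    msg = re.search(r'msg:\s*"([^"]*)"', m.group('opts'))
    return Rule(m.group('dport'), msg.group(1) if msg else '')


def alerts_for(rules, dport):
    """Messages of every rule whose port spec matches dport."""
    return [r.msg for r in rules if port_matches(r.dport, dport)]


# The two rules as posted in the question (colon after msg added).
TWO_RULES = [parse_rule(t) for t in (
    'alert tcp any any -> 192.168.1.0/24 !80 (msg:"query different from port 80";)',
    'alert tcp any any -> 192.168.1.0/24 !443 (msg:"query different from port 443";)',
)]

# One rule with a negated port list: the semantics the poster asked for.
# (Hypothetical syntax for this model; not a claim about any Snort version.)
ONE_RULE = [parse_rule(
    'alert tcp any any -> 192.168.1.0/24 ![80,443] (msg:"query different from port 80 and 443";)'
)]


def compare(dport):
    """(alerts from the two-rule version, alerts from the one-rule version)."""
    return len(alerts_for(TWO_RULES, dport)), len(alerts_for(ONE_RULE, dport))


if __name__ == '__main__':
    for p in (22, 80, 443):
        print(p, compare(p))
```

Running it prints `22 (2, 1)`, `80 (1, 0)` and `443 (1, 0)`: the two-rule version not only double-alerts on an unexpected port, it also alerts on the very ports the poster wanted to exclude, because a query to port 80 is "different from port 443" and vice versa. A single rule whose port spec excludes both ports at once is the only way to get exactly one alert for ports outside {80, 443} and none for ports inside it.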