I read somewhere that it wasn't possible to specify multiple ports to exclude for shellcode. Is that correct? If not, is the following correct?
List of ports you want to look for shellcode on.
portvar shellcode_ports ![21,25,80,143,587,8889]
I'm using Snort 2905.
Thanks.
Try it. If Snort doesn't like the syntax, it should throw back a fatal parsing error. I believe, though, that the syntax is better implemented as:
portvar shellcode_ports [21,25,80,143,587,8889]
i.e., without the negation, and used in a rule thus:
alert tcp any <> !shellcode_ports ( ... )
Or you could do:
portvar shellcode_ports [!21,!25,!80,!143,!587,!8889]
which should be valid syntax. I haven't tested it, though. YMMV.