Rule Headers
87
3.5.4.1
Port Ranges
You can also use a range of ports instead of only one port in the port field. Use a
colon to separate starting and ending port numbers. For example, the following rule will
create an alert for all UDP traffic coming from ports 1024 to 2048 from all hosts.
alert udp any 1024:2048 > any any (msg: UDP ports ;)
3.5.4.2
Upper and Lower Boundaries
While listing port numbers, you can also use only the starting port number or the
ending port number in the range. For example, a range specified as :1024 includes all
port numbers up to and including port 1024. A port range specified as 1000: will
include all ports numbers including and above port 1000.
3.5.4.3
Negation Symbol
As with addresses, you can also use the negation symbol with port numbers to
exclude a port or a range of ports from the scope of the Snort rule. The following rule
logs all UDP traffic except for source port number 53.
log udp any !53 > any any log udp
You can't use comma character in the port filed to specify multiple ports. For
example, specifying 53,54 is not allowed. However you can use 53:54 to specify a port
range.
3.5.4.4
Well Known Port Numbers
Well known port numbers are used for commonly used applications. Some of
these port numbers and their applications are listed in Table 3 1.
Table 3 1 Well Known Port Numbers
Port Number
Description
20
FTP data
21
FTP
22
SSH or Secure shell
23
Telnet
25
SMTP, used for e mail server like Sendmail
37
NTP (Network Time Protocol) used for synchronizing time on network hosts
53
DNS server
67
BootP/DHCP client
68
BootP/DHCP server
69
TFTP
80
HTTP, used for all web servers
footer
Our partners:
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting
Jsp Web Hosting
Cheapest Web Hosting
Java Hosting
Cheapest Hosting
Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved