Ports, Direction operator – Force10 Networks PSeries 100-00055-01 User Manual
Page 65

P-Series Installation and Operation Guide, version 2.3.1.2
Ports
Port numbers may be specified by the keyword any, a single port number, ranges, and by negation. The keyword any specifies any port. Static ports are indicated by a single port number, for example, 23 for Telnet. Port ranges can be specified using a colon as a range operator. It can be applied in three ways, as shown in Table 15.
• A colon between two port numbers indicates all ports between those ports, including the specified ports.
• A colon before a port number indicates all ports less than or equal to the specified port.
• A colon after a port number indicates all ports greater than or equal to the specified port.
The negation operator can also be used in combination with port numbers. The rule in Table 16 logs all TCP traffic destined for ports other than port 6000 on the local network.
Direction Operator
The direction operator, ->, indicates the direction of the traffic to which the rule applies. The source IP address and port are on the left side of the direction operator, and the destination address and port are on the right side of the operator.
There is also a bidirectional operator, <>. This directs Snort to consider traffic originating from either of the specified addresses and ports. This operator can be used for analyzing both sides of a conversation. An example of the bidirectional operator being used to record both sides of a Telnet session is shown in Table 17.
Table 15 Rules Containing the Port Number Range Operator
    log udp any any -> 192.168.1.0/24 1:1024
    log tcp any any -> 192.168.1.0/24 :6000
    log tcp any :1024 -> 192.168.1.0/24 500:
Table 16 Rules Containing the Port Number Negation Operator
    log tcp any any -> 192.168.1.0/24 !6000:6000
Note: The negation operator may not be placed before the keyword any. The ICMP protocol does not require a port number.
Table 17 Rules Containing the Bidirectional Operator
    log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
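The following Python matcher is an added example, not code from the P-Series guide or from Snort itself. It implements the rule-header syntax described in the Ports and Direction Operator sections (any, a single port, the three colon range forms, the ! negation operator on ports and addresses, the -> and <> operators, and the Note that ICMP carries no port) and evaluates the rules from Tables 15 through 17 against constructed sample packets. The packet representation (protocol, source address, source port, destination address, destination port) and the function names parse_rule and rule_matches are assumptions of this example; real Snort applies further rule options that are outside the scope of this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not the P-Series guide's or Snort's code): a matcher for the
# rule header "action proto src_ip src_port dir dst_ip dst_port" as described above.

PortPred = Callable[[Optional[int]], bool]
AddrPred = Callable[[str], bool]


def parse_ports(spec: str) -> PortPred:
    """Build a predicate for a port field: any, N, N:M, :M, N:, optionally !-negated."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        if negate:
            # Per the Note on this page: negation may not be placed before 'any'.
            raise ValueError("negation operator may not be placed before 'any'")
        return lambda port: True
    if ":" in body:
        lo_s, hi_s = body.split(":", 1)
        lo = int(lo_s) if lo_s else 0          # ':M' means every port <= M
        hi = int(hi_s) if hi_s else 65535      # 'N:' means every port >= N
    else:
        lo = hi = int(body)                    # a single static port, e.g. 23 for Telnet
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")

    def in_range(port: Optional[int]) -> bool:
        # A portless packet (ICMP, represented as None) can only match 'any'.
        return port is not None and lo <= port <= hi

    return (lambda port: port is not None and not in_range(port)) if negate else in_range


def parse_addr(spec: str) -> AddrPred:
    """Build a predicate for an address field: any, a host, or a CIDR block, optionally !-negated."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        if negate:
            raise ValueError("negation operator may not be placed before 'any'")
        return lambda addr: True
    net = ipaddress.ip_network(body, strict=False)

    def in_net(addr: str) -> bool:
        return ipaddress.ip_address(addr) in net

    return (lambda addr: not in_net(addr)) if negate else in_net


@dataclass
class Rule:
    action: str
    proto: str
    src: AddrPred
    sport: PortPred
    direction: str
    dst: AddrPred
    dport: PortPred

    def matches(self, proto: str, sip: str, sp: Optional[int], dip: str, dp: Optional[int]) -> bool:
        if proto.lower() != self.proto:
            return False
        # '->': source fields on the left must match the packet's source, destination on the right.
        forward = self.src(sip) and self.sport(sp) and self.dst(dip) and self.dport(dp)
        if self.direction == "->":
            return forward
        # '<>': also accept the packet with its source and destination swapped.
        reverse = self.src(dip) and self.sport(dp) and self.dst(sip) and self.dport(sp)
        return forward or reverse


def parse_rule(text: str) -> Rule:
    """Parse a rule header such as 'log tcp any :1024 -> 192.168.1.0/24 500:'."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {text!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction operator {direction!r}")
    return Rule(action, proto.lower(), parse_addr(src), parse_ports(sport),
                direction, parse_addr(dst), parse_ports(dport))


def rule_matches(rule_text: str, proto: str, sip: str, sp: Optional[int],
                 dip: str, dp: Optional[int]) -> bool:
    """Convenience wrapper: does one packet tuple match one rule header?"""
    return parse_rule(rule_text).matches(proto, sip, sp, dip, dp)


if __name__ == "__main__":
    # Constructed sample packets: (proto, src ip, src port, dst ip, dst port)
    packets = [
        ("tcp", "10.0.0.5", 40000, "192.168.1.10", 23),      # Telnet request from outside
        ("tcp", "192.168.1.10", 23, "10.0.0.5", 40000),      # Telnet reply back out
        ("tcp", "192.168.1.5", 40000, "192.168.1.10", 23),   # local-to-local Telnet
        ("tcp", "10.0.0.5", 40000, "192.168.1.10", 6000),    # X11 port, excluded by Table 16
        ("icmp", "10.0.0.5", None, "192.168.1.10", None),    # ICMP has no ports
    ]
    rules = [
        "log tcp any any -> 192.168.1.0/24 !6000:6000",     # Table 16
        "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23",  # Table 17
        "log icmp any any -> 192.168.1.0/24 any",
    ]
    for r in rules:
        print(r)
        for p in packets:
            print("   ", p, "->", rule_matches(r, *p))
```

The bidirectional rule from Table 17 matches both the request and the reply of the Telnet session but not a local-to-local session, because the negated source address rejects it in both orientations; the Table 16 rule rejects port 6000 while accepting every other destination port.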