[Discussion] Non-combinatoric IP/port lists

Martin Fong martin.fong at sri.com
Fri Feb 6 02:11:06 UTC 2009


Matt Jonkman wrote:

> Martin, can you elaborate on this one? Not sure what you're getting at.
> 
> Non-combinatoric IP/port lists

Currently, we have blacklist-based rules that look like

     alert tcp [$HOME_NET,!$DNS_SERVERS,!$SMTP_SERVERS] [!$HTTP_PORTS,25] -> [<long IP list>] ...

but clearly the IP/port pairing is combinatoric.  The problem is that
the current rule syntax cannot succinctly express more precise sets of
IP/port bindings without increasing the number of (implicitly
duplicated) rules.  Alternatively I'd like to define some named
IP/port set, and then reference it.  E.g.,

     alert tcp $MY_IP_PORT_BINDING -> [<long IP list>] ...

      Cheers!

      ...Martin
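To make the combinatoric point concrete, here is an added Python model (not code from the post or from any IDS project) of how a Snort/Suricata-style header pairs an address group with a port group, beside a "named binding" set of explicit (address group, port group) pairs as Martin proposes. Group semantics are deliberately simplified (positive items define the set, or "any" when there are none, and negated items always subtract; nested groups and macro expansion are not handled), and every address, port and host role below is constructed for the illustration.

```python
"""Model header address/port groups to show why '[ip list] [port list]' is a
Cartesian product, and how a named set of explicit bindings differs.
All addresses, ports and host roles are constructed for this example."""
import ipaddress
from itertools import product


def parse_group(spec):
    """Split '[10.0.0.0/24,!10.0.0.53]' or '[!80,25]' into (positives, negatives).
    Simplified model: no nested groups, no $VARIABLE expansion."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    pos, neg = [], []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        (neg if item.startswith("!") else pos).append(item.lstrip("!"))
    return pos, neg


def ip_in_group(ip, spec):
    """Address matches if it is in some positive network (or there are none)
    and in no negated network."""
    addr = ipaddress.ip_address(ip)
    pos, neg = parse_group(spec)
    nets = lambda items: [ipaddress.ip_network(n, strict=False) for n in items]
    hit = any(addr in n for n in nets(pos)) if pos else True
    miss = any(addr in n for n in nets(neg))
    return hit and not miss


def _port_range(item):
    """'80' -> (80, 80); '1024:' -> (1024, 65535); ':1023' -> (1, 1023)."""
    if ":" in item:
        lo, _, hi = item.partition(":")
        return int(lo or 1), int(hi or 65535)
    return int(item), int(item)


def port_in_group(port, spec):
    """Same rule as ip_in_group, applied to port ranges."""
    pos, neg = parse_group(spec)
    hit = any(lo <= port <= hi for lo, hi in map(_port_range, pos)) if pos else True
    miss = any(lo <= port <= hi for lo, hi in map(_port_range, neg))
    return hit and not miss


def header_matches(ip_spec, port_spec, ip, port):
    """Classic header: address group AND port group, i.e. their Cartesian product."""
    return ip_in_group(ip, ip_spec) and port_in_group(port, port_spec)


def binding_matches(bindings, ip, port):
    """Named binding set: a list of (ip_spec, port_spec) pairs. Each pair is its
    own small product; the set is the union of those pairs, nothing more."""
    return any(header_matches(i, p, ip, port) for i, p in bindings)


def cartesian_pairs(hosts, ports):
    """Every (host, port) combination the combinatoric header form covers."""
    return set(product(hosts, ports))


if __name__ == "__main__":
    # Constructed hosts: a web server that should only be seen on 80 and a
    # mail server that should only be seen on 25.
    WEB, MAIL = "10.0.0.80", "10.0.0.25"
    combinatoric = ("[10.0.0.80,10.0.0.25]", "[80,25]")
    bindings = [("10.0.0.80", "80"), ("10.0.0.25", "25")]

    print("pairs covered by combinatoric header:",
          sorted(cartesian_pairs([WEB, MAIL], [80, 25])))
    # The header form also covers web:25 and mail:80, which the author never meant;
    # the binding form covers exactly the two intended pairs.
    for ip, port in [(WEB, 80), (WEB, 25), (MAIL, 80), (MAIL, 25)]:
        print(f"{ip}:{port}  header={header_matches(*combinatoric, ip, port)}"
              f"  binding={binding_matches(bindings, ip, port)}")
```

Running the script shows the header form covering four (host, port) pairs where only two were intended; expressing the two bindings precisely with the classic syntax would take one rule per distinct port list, which is the duplication the post complains about.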