[Oisf-devel] UDP rule triggering on wrong port

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Mar 30 14:05:23 UTC 2011

On 30/03/11 15:00, Victor Julien wrote:

>>> alert udp $HOME_NET any -> $EXTERNAL_NET 1024: ...
>> which should only match on destination port 1024.
> Actually, no. 1024: is a short way of writing 1024 and up. So it should
> match on any unprivileged port: 1024-65535.

Ah! You know, I'd not even noticed the ":"! OK, I guess I better just
disable the rule for too many false positives (at least while we don't
have the resources to crack down on filesharers unless we get a
take-down request).

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-devel mailing list