Port Numbers

The port numbers in a rule header tell Snort to apply a given rule to traffic sent from or sent to the specified source and destination ports.

Ports are declared in a few different ways:

  • As any (match traffic sent from or to any port)
  • As a static port (e.g., 80, 445, 21)
  • As a variable defined in the Snort config that names a port or set of ports (e.g., $HTTP_PORTS)
  • As a port range written with the range operator, : (e.g., 1:1024, 500:)
  • As a list of static ports, port variables, and/or port ranges, enclosed in square brackets and separated by commas (e.g., [1:1024,4444,5555,$HTTP_PORTS])

A rule header should have two port declarations, one to define the source ports and another to define the destination ports. Source and destination ports are declared after the source and destination IP addresses, respectively.

Note, however, that the ports specified in the rule header do not have to match the ports used by the traffic if the service named in the rule's service option matches the service detected for that traffic. For instance, if service:http is set in a rule, Snort applies that rule to all detected HTTP traffic, even traffic sent to a port that is not included in the rule's destination port list.

If, on the other hand, you want to match a particular service AND a specific port or set of ports, specify the service in the "traditional" rule header, as described on the Protocols page.

Note: Port declarations can also be negated by placing ! before them.

Examples:

# log udp traffic coming from any source port and destination ports
# ranging from 1 to 1024
log udp any any -> 192.168.1.0/24 1:1024 (

# log tcp traffic from any port going to ports less than or equal to 6000
log tcp any any -> 192.168.1.0/24 :6000 (

# log tcp traffic from privileged ports less than or equal to 1024 going
# to ports greater than or equal to 500
log tcp any :1024 -> 192.168.1.0/24 500: (
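The declaration forms listed above (any, static port, $variable, lo:hi / :hi / lo: ranges, bracketed lists, and ! negation) can be checked against a packet's ports with the following added example. It is not Snort's own code; the PORT_VARS table is a constructed stand-in for port variables defined in a Snort config, and open-ended ranges are read as 0 to 65535.

```python
import re

# Constructed stand-in for port variables from a Snort config (snort.lua);
# real values are site-specific.
PORT_VARS = {
    "HTTP_PORTS": "[80,8080,8000:8010]",
    "SSH_PORTS": "22",
}


def port_decl_matches(decl: str, port: int, variables: dict = PORT_VARS) -> bool:
    """Return True if `port` is covered by the Snort port declaration `decl`."""
    decl = decl.strip()
    if decl.startswith("!"):                      # negation applies to the rest
        return not port_decl_matches(decl[1:], port, variables)
    if decl == "any":
        return True
    if decl.startswith("$"):                      # expand a port variable
        name = decl[1:]
        if name not in variables:
            raise ValueError(f"undefined port variable ${name}")
        return port_decl_matches(variables[name], port, variables)
    if decl.startswith("[") and decl.endswith("]"):   # list: any item may match
        return any(port_decl_matches(item, port, variables)
                   for item in decl[1:-1].split(",") if item.strip())
    m = re.fullmatch(r"(\d*):(\d*)", decl)        # range; either bound optional
    if m:
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(2)) if m.group(2) else 65535
        if lo > hi:
            raise ValueError(f"inverted port range {decl}")
        return lo <= port <= hi
    if decl.isdigit():                            # static port
        return port == int(decl)
    raise ValueError(f"unrecognised port declaration {decl!r}")


def header_ports_match(src_decl: str, dst_decl: str, sport: int, dport: int,
                       variables: dict = PORT_VARS) -> bool:
    """A rule header carries two declarations; both must match the packet."""
    return (port_decl_matches(src_decl, sport, variables)
            and port_decl_matches(dst_decl, dport, variables))
```

The last example rule on this page, `any :1024 -> 500:`, therefore matches a packet from port 1024 to port 500 but not one from port 1025.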