
portrange: msg#00021

security.ids.snort.devel

Subject: portrange

Just curious - why doesn't snort support the BPF portrange expression,
where it otherwise seems to match up with tcpdump's expression syntax
exactly? This would be extremely useful for sites that e.g. have their
ftpaccess files set so that all passive ports are opened in a certain
range - then you could do

snort -A fast -i br0 not dst portrange XXX-XXXX

rather than having to do "not dst port X and not dst port X+1 and ..."
which, on my box, with 1000 ports, makes snort start rather slowly.

BTW, here is the error I get when I try to use the portrange option.
Maybe it's my version of pcap? (I don't think so because the same
expression works fine in tcpdump).

ERROR: OpenPcap() FSM compilation failed:
unknown host 'portrange'

--
John Newman
Systems Administrator, WebXess Inc.
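As an added example (not from the original post or from the Snort project), the workaround the post describes can be generated rather than typed: the script below rewrites a BPF expression containing `portrange LOW-HIGH` (optionally qualified by `src`/`dst`) into the equivalent chain of single-port tests that any libpcap will compile. The names `expand_portrange` and `rewrite_filter` are assumed helper names; the filters in the usage line are constructed samples.

```shell
#!/bin/sh
# Expand a BPF "portrange LOW-HIGH" primitive into "(port LOW or port LOW+1 ...)"
# for a libpcap that rejects the portrange keyword (the filter-compile error
# shown in the post). "not (a or b)" is equivalent to "not a and not b".
expand_portrange() {
    dir="$1"    # "", "src" or "dst"
    low="$2"
    high="$3"
    # Reject non-numeric or reversed ranges and anything outside 0-65535.
    [ "$low" -le "$high" ] 2>/dev/null || return 1
    [ "$low" -ge 0 ] && [ "$high" -le 65535 ] || return 1
    out=""
    p="$low"
    while [ "$p" -le "$high" ]; do
        term="${dir:+$dir }port $p"
        if [ -z "$out" ]; then out="$term"; else out="$out or $term"; fi
        p=$((p + 1))
    done
    printf '(%s)\n' "$out"
}

# Walk a whole filter expression token by token; each "portrange L-H" (with an
# optional preceding src/dst qualifier) is replaced by its expanded group.
rewrite_filter() {
    set -- $1
    out=""
    dir=""
    while [ $# -gt 0 ]; do
        tok="$1"; shift
        case "$tok" in
            src|dst) dir="$tok"; continue ;;
            portrange)
                range="$1"; shift
                low="${range%-*}"; high="${range#*-}"
                grp=$(expand_portrange "$dir" "$low" "$high") || return 1
                tok="$grp"; dir="" ;;
            *) if [ -n "$dir" ]; then tok="$dir $tok"; dir=""; fi ;;
        esac
        out="${out:+$out }$tok"
    done
    printf '%s\n' "$out"
}

# Sample use with a constructed passive-FTP range (a 1000-port range produces a
# correspondingly long expression, which is the slow-start cost the post notes).
rewrite_filter 'not dst portrange 2000-2005'
```

The output can be passed to snort as its BPF argument in place of the unsupported `portrange` form.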



