Forum Discussion
hooleylist
Feb 03, 2009 (Cirrostratus)
I think you want to check TCP::local_port not TCP::client_port. TCP::client_port is the source port.
You can check for the ports you want to allow using this:
(([TCP::local_port] >= 50000 && [TCP::local_port] <= 59999) || [TCP::local_port] == 443)
And you can logically NOT that to drop everything else:
when CLIENT_ACCEPTED {
    # Check the requested (destination) port
    if { ! (([TCP::local_port] >= 50000 && [TCP::local_port] <= 59999) || [TCP::local_port] == 443) } {
        # Request was to a disallowed port, so drop it
        drop
    }
}
Aaron
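As an added example (not part of hooleylist's answer above), here is the same destination-port allow list written as a complete iRule that also logs each dropped connection, so that probes against ports outside the allowed range show up in syslog rather than vanishing silently. It assumes a wildcard virtual server that accepts the whole port range and that the BIG-IP's local0 facility is forwarded to your log collector; the variable name dst_port and the log message text are my own choices.

```tcl
# Added example, not hooleylist's original iRule.
# Allow-list destination ports 50000-59999 and 443; log and drop everything else.
when CLIENT_ACCEPTED {
    # TCP::local_port is the port the client connected TO (destination).
    # TCP::client_port is the client's ephemeral SOURCE port and is not what we want to filter on.
    set dst_port [TCP::local_port]

    if { ($dst_port >= 50000 && $dst_port <= 59999) || $dst_port == 443 } {
        # Allowed port: leave the event and let the connection proceed
        return
    }

    # Disallowed port: record who tried what, then drop without responding
    # (assumed log format; adjust to match your collector's parsing)
    log local0. "Dropped [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$dst_port (port not in allow list)"
    drop
}
```

Dropping rather than rejecting means the client sees a timeout instead of a RST, which keeps the virtual server from confirming which ports exist; the log line is what lets you spot a scan across the wildcard listener after the fact.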