snort multiple excluded SHELLCODE_PORTS
I read somewhere that it wasn't possible to specify multiple ports to exclude for shellcode. Is that correct? If not, is the following correct?
List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS ![21,25,80,143,587,8889]
I'm using snort 2905
Try it. If Snort doesn't like the syntax, it should throw back a fatal parsing error. I believe, though, that syntax is better implemented as:
portvar SHELLCODE_PORTS [21,25,80,143,587,8889]
I.e., without the negation, and then used in a rule thus:
alert tcp any any <> any !SHELLCODE_PORTS ( ... )
You could also do:
portvar SHELLCODE_PORTS [!21,!25,!80,!143,!587,!8889]
Which should be valid syntax. Haven't tested, though. YMMV.
You want !$SHELLCODE_PORTS
You are missing the dollar sign.