Snort mailing list archives

Re: How to use a list of ports but not a range?


From: Dragos Ruiu <dr () kyx net>
Date: Thu, 12 Jul 2001 00:39:05 -0700

I've looked into the guts of the parser there, and it currently only takes
a max and min port range as opposed to a list of ports.  This too can be
changed.  The workaround (which is almost identical in the result it
has on internal processing in practice, though uglier to read) is to write
multiple rules for each range of ports.

A port list is not actually that unreasonable a request. I keep muttering 
stuff about patching a few things in the parser, but maybe Marty will
get to it before I do as I have to fix up defrag things first. (though he's
bitten more work off there with stream4...) But before a port list, I'd 
rather have a better HTTP normalizer for all these fancy newfangled 
url attacks that seem to keep cropping up...  Don't mind me... just
muttering out loud. :-)

cheers,
--dr

On Wed, 11 Jul 2001, Kohlenberg, Toby wrote:
I'm trying to figure out how to write a rule that will allow me to
specify more than one port but not all the ones in between (e.g. the
":" syntax won't work). The problem I'm running into is that a
number of rules keep falsing against our HTTPS site, which uses 443.
I've searched the docs but can't find any reference to whether the
list functionality that exists for addresses also exists for ports.

I'm toying with the idea of re-writing the rules as "activate" and then
activating an identical rule with the port changed, but that seems like
a clumsy way of doing it.

Any suggestions? Did I miss something obvious?

Thanks,
Toby
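
Added example, not part of the original thread and not Snort project code: a small Python generator for the workaround described in the reply, turning one rule template plus a port list into one rule per contiguous port range using the "min:max" syntax. The template text, the `{port}`/`{sid}` tokens, the sid base and the function names are assumptions made for illustration.

```python
# Expand one rule template over a port list into one rule per port range,
# since the parser discussed above accepts a single port or min:max only.

# Constructed sample rule; {port} and {sid} are tokens invented for this script.
TEMPLATE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS {port} '
            '(msg:"constructed example rule"; content:"/example.cgi"; sid:{sid};)')


def collapse_ports(ports):
    """Return sorted (low, high) tuples covering exactly the given ports."""
    ranges = []
    for port in sorted(set(ports)):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % port)
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1][1] = port          # extends the current contiguous run
        else:
            ranges.append([port, port])   # starts a new run
    return [(low, high) for low, high in ranges]


def port_field(low, high):
    """Format a range the way the rule header expects it."""
    return str(low) if low == high else "%d:%d" % (low, high)


def expand_rule(template, ports, base_sid):
    """Emit one rule per contiguous range, each with its own sid."""
    rules = []
    for offset, (low, high) in enumerate(collapse_ports(ports)):
        # str.replace instead of str.format so braces in rule content are safe
        rule = template.replace("{port}", port_field(low, high))
        rules.append(rule.replace("{sid}", str(base_sid + offset)))
    return rules


if __name__ == "__main__":
    # Web ports to watch, leaving 443 (the HTTPS site) out of the rule set.
    for line in expand_rule(TEMPLATE, [80, 81, 8000, 8080], 1000001):
        print(line)
```

Adjacent ports are merged into a single range so the rule count stays as small as the port list allows.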

