RE: Proper Method and/or Place to Declare HTTP_SERV ERS port?

["Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>]

Actually, I think it would be a wonderful idea for the entire set of snort
sigs that contain source or dest port as 80 to be change to a variable.
We've also set up several other variables based on the fact that different
services have different ports in varying parts of our network... so one
hard-coded port wouldn't work for us.   It's worked out very well. 

-----Original Message-----
From: Vadim Pushkin [mailto:wiskbroom () hotmail com] 
Sent: Wednesday, May 08, 2002 4:18 PM
To: erek () theadamsfamily net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Proper Method and/or Place to Declare
HTTP_SERVERS port?

In this case I will create another var, say
var HTTP_SERVERS_PORT, set it to 8180 and
change 80 in the rules files to $HTTP_SERVERS_PORT.
Does anyone see a problem with this?

Thanks again,

Vadim


> From: Erek Adams <erek () theadamsfamily net>
> To: Vadim Pushkin <wiskbroom () hotmail com>
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Proper Method and/or Place to Declare 
> HTTP_SERVERS port?
> Date: Wed, 8 May 2002 14:06:09 -0700 (PDT)
>
> On Wed, 8 May 2002, Vadim Pushkin wrote:
>
> > I am using port 8180 versus port 80. I would prefer not messing around 
> with
> > all of the rules files. I've noticed that the rules files themselves 
> specify
> > port 80, but my servers are listening on port 8180. Is there a way to 
> change
> > this in the snort.conf file? I've tried setting:
> >
> > preprocessor http_decode: 8180 -unicode -cginull
> >
> > but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
>
> And you will continue to.  :)
>
> The http_decode preprocessor has _nothing_ to do with the rules.  It 
> strictly
> deals with 'normalizing' the URLs before snort runs them thru the rulesets.
>
> You'll need to manually (or via a script) change port 80 in each of the
> *.rules to port 8180.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users