Snort mailing list archives
RE: HTTP_PORTS
From: "Chuck Holley" <cholley () fitnessquest com>
Date: Wed, 21 Apr 2004 17:08:15 -0400
I did see where I had to un comment out the web-attacks.rules file, but this still did not remedy the problem. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler Sent: Wednesday, April 21, 2004 4:29 PM To: Chuck Holley; snort-users () lists sourceforge net Subject: Re: [Snort-users] HTTP_PORTS At 03:29 PM 4/21/2004, Chuck Holley wrote:
I have a lot of web sites, on which I use many ports. I am a little confused on how to variable these in the conf. Var HTTP_PORTS Include somefile.rules What does that mean. Am I suuposed to write a custom rule? Do I have to name the variable for another port something other than HTTP_PORTS? In the conf they have HTTP_PORTS for 8080 and 80.
You don't need to write a custom rule. However, you do need to repeatedly include the same rulefiles over and over again, once for each port. For example if I wanted web-attacks.rules to be used for ports 80, 8080 and 88, I'd do this: var HTTP_PORTS 80 include web-attacks.rules var HTTP_PORTS 8080 include web-attacks.rules var HTTP_PORTS 88 include web-attacks.rules The reason for the duplication is based in the fundamental structure of snort rules. At present a singe rule cannot be written that accepts an arbitrary list of ports. You can do a port, a range of ports (ie: 20:80) or a negation of either, but no discontinuous lists are possible (ie: 80,88,8080 is not a valid port specification). ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HTTP_PORTS Chuck Holley (Apr 21)
- Re: HTTP_PORTS Matt Kettler (Apr 21)
- RE: HTTP_PORTS Chuck Holley (Apr 21)
- RE: HTTP_PORTS Chuck Holley (Apr 21)
- Re: HTTP_PORTS Matt Kettler (Apr 21)