Snort mailing list archives
Re: Fw: ports
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 05 Jan 2005 14:29:44 -0500
As per the FAQ (4.26), you cannot do this yet. Snort supports single ports, ranges of ports, or negations of either. It does not support lists of ports.
If you need lists of ports, just duplicate the rules. This isn't any less efficient, since even if snort did support port lists, all it would do would be internally create two rule entries in the rule structures anyway. (AFAIK this is what it does for comma-separated IP lists.) Snort's internal structure would make supporting discontinuous ranges in a single RTN slower than having multiple RTNs. You'd save memory, but kill yourself in CPU cycles to traverse the RTN list, which turns into packet drop rate.
If you've got a lot of rules, put them all in a file and use a variable and include the rulefile twice, changing the variable in between:
    var MAIL_PORT 25
    include $RULE_PATH/local_mail.rules
    var MAIL_PORT 110
    include $RULE_PATH/local_mail.rules

At 12:45 AM 1/5/2005, reynald wrote:
----- Original Message -----
From: reynald <rtm () cybees com>
To: snort-sigs () lists sourceforge net
Cc: Reynald Mahinay <rtm () cybees com>
Sent: Wednesday, January 05, 2005 11:49 AM
Subject: ports

Hello,

How can I define a list of ports? e.g. 25,110 doesn't work... Now I know snort can do port ranging, but how about a specific list of ports only. Please help.. thanks

reynald
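Added example, not part of the original message and not Snort's own tooling: a Python script that writes out the duplicated rules the reply describes, one copy per port, collapsing contiguous ports into the ranges Snort does accept. Going beyond the reply, it also offsets each copy's sid; the sample rules, function names and sid_step are assumptions made for this example, and one rule per line is assumed.

```python
import re

# Constructed stand-in for local_mail.rules (not a real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $MAIL_PORT (msg:"LOCAL large mail command"; flow:to_server,established; dsize:>512; sid:1000001; rev:1;)
alert tcp $HOME_NET $MAIL_PORT -> $EXTERNAL_NET any (msg:"LOCAL mail error reply"; flow:from_server,established; content:"-ERR"; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def port_specs(ports):
    """Collapse a port list into the forms Snort accepts: single ports and lo:hi ranges."""
    runs = []
    for p in sorted(set(ports)):
        if not 1 <= p <= 65535:
            raise ValueError(f"invalid port: {p}")
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p  # extend the current contiguous run
        else:
            runs.append([p, p])
    return [str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in runs]


def expand_rules(rules_text, var_name, ports, sid_step=1000):
    """Emit one copy of each rule per port spec, the literal-file equivalent of
    re-including the rule file after each 'var' change."""
    var_re = re.compile(r"\$" + re.escape(var_name) + r"\b")
    out = []
    for n, spec in enumerate(port_specs(ports)):
        out.append(f"# {var_name} = {spec}")
        for line in rules_text.splitlines():
            rule = line.strip()
            if not rule or rule.startswith("#"):
                continue
            if not var_re.search(rule):
                # Rule does not depend on the port variable: emit it once only.
                if n == 0:
                    out.append(rule)
                continue
            rule = var_re.sub(spec, rule)
            # Offset the sid per copy so every generated rule keeps a unique id
            # (sid_step is an assumed spacing; it must exceed the file's sid span).
            rule = SID_RE.sub(lambda m: f"sid:{int(m.group(1)) + n * sid_step};", rule)
            out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(expand_rules(SAMPLE_RULES, "MAIL_PORT", [25, 110, 143, 144, 145]))
```

The output is a flat rule file that can be included once, with no var reassignment between includes.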