Snort mailing list archives
Re: shellcode_ports
From: Leon Ward <leon.ward () sourcefire com>
Date: Thu, 25 May 2006 09:28:48 +0100
Hi,If a packet is destined to TCP:80 then it will only be run through the HTTP_PORTS 80 rule set. If the packet is destined to TCP:8080 it will be run through the HTTP_PORTS 8080 rules and not the HTTP_PORTS 80 rules.
Take a look at : "Snort 2.0 - Multi-Rule Inspection Engine" and "Snort 2.0 - Rule Optimizer" papers available on snort.org for full information.
Regards, Leon On 24 May 2006, at 18:09, Gentoo-Wally wrote:
var HTTP_PORTS 80 include somefile.rules var HTTP_PORTS 8080 include somefile.rules ouch, so a packet would have to be compared to any sig's in somefile.rules twice? var HTTP_PORTS 80 include somefile.rules var HTTP_PORTS 8080 That should work right? It should then pickup the normal includes at the bottom of the snort.conf (as long as somefile.rules exsisted at the bottom also)? If you did a ... var HTTP_PORTS 80 include somefile.rules var HTTP_PORTS 8080 include somefile.rules .... include somefile.rules Then would it then compare a single packet 3 times (once as 80 and twice as 8080)? Wally On 5/24/06, Joel Esler <joel.esler () sourcefire com> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1You must specify a different rule include after each port specification.The example in the Snort.conf is correct. Joel Gentoo-Wally wrote: > Is there a better way to define SHELLCODE_PORTS other than !80? > > All the sig's using this var show.. > > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any > > If we really want to look for shellcode to any port from every port> but 80 then why not on 80 also? Or why not also exclude 8080 and 443> (or any other encrypted ports like 22) > > Assuming this works the same way as HTTP_PORTS... > > var SHELLCODE_PORTS !80 > var SHELLCODE_PORTS !8080 > var SHELLCODE_PORTS !443 > var SHELLCODE_PORTS !22 > > Or even > var SHELLCODE_PORTS !80 > var SHELLCODE_PORTS !8080 > var SHELLCODE_PORTS !443 > var SHELLCODE_PORTS !22 > var EXCLUDE !22 > var EXCLUDE !443 > > and rewriting these sigs with oinkmaster to be... > > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET $EXCLUDE >> Since looking for shellcode on encrypted traffic is kind of a waste of> time, right? > > What are others doing for this? > > This brings up another point... >> the snort.conf shows defining these port options for multiple ports like> this... > > ## var HTTP_PORTS 80 > ## include somefile.rules > ## var HTTP_PORTS 8080 > ## include somefile.rules >> is specifying an include after each port defined necessary or is the> following adequate? > > var HTTP_PORTS 80 > var HTTP_PORTS 8080 > ... > include somefile.rules > > using snort 2.4.4 > > Thx, > Wally > > > -------------------------------------------------------> All the advantages of Linux Managed Hosting--Without the Cost and Risk! > Fully trained technicians. The highest number of Red Hat certifications in> the hosting industry. Fanatical Support. Click to learn more > http://sel.as-us.falkag.net/sel?cmd=k&kid7521&bid$8729&dat1642 > _______________________________________________ > Snort-users mailing list > Snort-users () lists sourceforge net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/listinfo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.php3?list=ort-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEdIKZKbCSyXHckt4RArkXAKCRcrK5gwT39TSyBQTIDhQuvYxvfQCfUBKr 1uzYL7J529eS/9i0/3QSv9Y= =CbcJ -----END PGP SIGNATURE------------------------------------------------------------All the advantages of Linux Managed Hosting--Without the Cost and Risk! Fully trained technicians. The highest number of Red Hat certifications inthe hosting industry. Fanatical Support. Click to learn more http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- All the advantages of Linux Managed Hosting--Without the Cost and Risk! Fully trained technicians. The highest number of Red Hat certifications in the hosting industry. Fanatical Support. Click to learn more http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- shellcode_ports Gentoo-Wally (May 24)
- Re: shellcode_ports Joel Esler (May 24)
- Re: shellcode_ports Gentoo-Wally (May 24)
- Re: shellcode_ports Leon Ward (May 25)
- Re: shellcode_ports Gentoo-Wally (May 24)
- Re: shellcode_ports Joel Esler (May 24)