Snort mailing list archives

Re: http ports defined twice in snort.conf - portvar and http_inspect


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 12 Sep 2011 16:57:37 -0400

On 9/12/2011 16:20, Eoin Miller wrote:
> Just wondering if it is possible to put the $HTTP_PORTS variable
> inside of the http_inspect preprocessor configuration instead of
> having to state all the port numbers again? Since the user has to
> define the same array of port numbers twice it probably leads to some
> weird coverage situations. A user who updates their "portvar

my understanding is that these are for two different usages but i forget the
details and cannot locate the clarification i received some time ago :(

however, i, too, have thought the same thing in the past... that's how i came by 
the clarification i speak of...

> $HTTP_PORTS" may not update the separate "ports {}" list inside of
> http_inspect preprocessor. Maybe just have the preproc use $HTTP_PORTS
> by default and not include the line in the VRT snort.conf? That way if
> people wanted to they could always override it later by manually
> specifying it.
>
> Network Variables section of VRT's snort.conf:
> ---SNIP---
> portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
>
> ---SNIP---
>
> http_inspect section of VRT's snort.conf:
> ---SNIP---
> ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
> 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118
> 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371
> 55555 } \
> ---SNIP---
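
The coverage gap raised in this thread can be checked mechanically. The following is an added example, not part of the original post or of Snort itself: it compares the `portvar HTTP_PORTS` list with the `ports { }` list of `http_inspect_server` and reports ports present in one but not the other. The function names and the sample config are constructed for illustration; it assumes Snort 2.x syntax with plain ports and `lo:hi` ranges only (no negation or nested variables) and unions the ports of all `http_inspect_server` lines.

```python
import re

# Constructed sample config (not the VRT file): 8080 appears in the portvar
# only, 8888 appears in the http_inspect ports list only.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,81,3128,8000:8002,8080]
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 81 3128 8000 8001 8002 8888 } \
    oversize_dir_length 500
"""

def logical_lines(text):
    """Join backslash-continued lines, as snort.conf uses them."""
    return re.sub(r"\\[ \t]*\r?\n", " ", text).splitlines()

def expand(tokens):
    """Expand plain ports and lo:hi ranges into a set of ints."""
    ports = set()
    for tok in tokens:
        lo, _, hi = tok.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def http_port_drift(conf_text, var="HTTP_PORTS"):
    """Return (only_in_portvar, only_in_http_inspect) as sorted lists."""
    portvar, inspect = set(), set()
    for line in logical_lines(conf_text):
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"portvar\s+%s\s+\[?([\d,:\s]+)\]?" % re.escape(var), line)
        if m:
            portvar |= expand(re.findall(r"\d+(?::\d+)?", m.group(1)))
        elif line.startswith("preprocessor http_inspect_server"):
            for body in re.findall(r"\bports\s*\{([^}]*)\}", line):
                inspect |= expand(body.split())
    return sorted(portvar - inspect), sorted(inspect - portvar)

if __name__ == "__main__":
    missing_inspect, missing_var = http_port_drift(SAMPLE_CONF)
    print("in $HTTP_PORTS but not http_inspect:", missing_inspect)
    print("in http_inspect but not $HTTP_PORTS:", missing_var)
```

A non-empty first list means rules keyed on `$HTTP_PORTS` cover ports whose traffic `http_inspect` never normalizes; a non-empty second list means the reverse.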
