Snort mailing list archives

Re: http ports defined twice in snort.conf - portvar and http_inspect


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Sep 2011 17:13:23 -0400

On Sep 12, 2011, at 4:20 PM, Eoin Miller wrote:

Just wondering if it is possible to put the $HTTP_PORTS variable
inside of the http_inspect preprocessor configuration instead of
having to state all the port numbers again? Since the user has to
define the same array of port numbers twice it probably leads to some
weird coverage situations. A user who updates their "portvar
$HTTP_PORTS" may not update the separate "ports {}" list inside of
http_inspect preprocessor. Maybe just have the preproc use $HTTP_PORTS
by default and not include the line in the VRT snort.conf? That way if
people wanted to they could always override it later by manually
specifying it.

Network Variables section of VRT's snort.conf:
---SNIP---
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]

---SNIP---

http_inspect section of VRT's snort.conf:
---SNIP---
ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118
8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371
55555 } \
---SNIP---


Eoin,

Thanks for the suggestion. As you well know, it's two different things. However, yes, we are working on a solution.
I don't have a release or date for you to look for yet, but yes, we are working on "redesigning" this (and many other)
sections of how Snort and its snort.conf works.

Joel
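
The drift between the two port lists discussed in this thread can be checked mechanically. The following is an added example, not part of either message and not Snort or VRT code: a small Python check that compares `portvar HTTP_PORTS` with the `ports { }` list of the first `http_inspect_server` stanza. The function names and the sample configuration are constructed for illustration, and it assumes plain port numbers and `lo:hi` ranges only (no negation or nested variables).

```python
import re

# Constructed sample, not a real snort.conf: 8443 was added to the portvar
# but never to http_inspect_server, and 3128 exists only in the preprocessor.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,81,8080,8443]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 81 3128 \
            8080 } \
    oversize_dir_length 500
"""

def join_continuations(text):
    """Fold backslash-continued lines into one logical line each."""
    return re.sub(r"\\[ \t]*\r?\n", " ", text)

def expand(tokens):
    """Turn tokens such as '80' or '8000:8010' into a set of ints."""
    ports = set()
    for tok in tokens:
        lo, _, hi = tok.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def http_port_drift(conf_text):
    """Return (only_in_portvar, only_in_http_inspect) as sorted lists."""
    text = join_continuations(conf_text)
    # Anchoring at line start skips commented-out ('#') definitions.
    var = re.search(r"^\s*portvar\s+HTTP_PORTS\s+\[([^\]]*)\]", text, re.M)
    srv = re.search(
        r"^\s*preprocessor\s+http_inspect_server:.*?\bports\s*\{([^}]*)\}",
        text, re.M)
    if not var or not srv:
        raise ValueError("HTTP_PORTS or http_inspect_server ports { } not found")
    var_ports = expand(re.findall(r"\d+(?::\d+)?", var.group(1)))
    srv_ports = expand(re.findall(r"\d+", srv.group(1)))
    return sorted(var_ports - srv_ports), sorted(srv_ports - var_ports)

if __name__ == "__main__":
    only_var, only_preproc = http_port_drift(SAMPLE_CONF)
    print("in HTTP_PORTS but not http_inspect:", only_var)
    print("in http_inspect but not HTTP_PORTS:", only_preproc)
```

Run against a real configuration by passing the file's contents to `http_port_drift`; two empty lists mean the definitions agree.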
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net