Snort mailing list archives
Re: http ports defined twice in snort.conf - portvar and http_inspect
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Sep 2011 17:14:49 -0400
On Sep 12, 2011, at 4:57 PM, waldo kitty wrote:
On 9/12/2011 16:20, Eoin Miller wrote:Just wondering if it is possible to put the $HTTP_PORTS variable inside of the http_inspect preprocessor configuration instead of having to state all the port numbers again? Since the user has to define the same array of port numbers twice it probably leads to some weird coverage situations. A user who updates their "portvarmy understanding that that these are for two different usages but i forget the details and cannot locate the clarification i received some time ago :( however, i, too, have thought the same thing in the past... that's how i came by the clarification i speak of...$HTTP_PORTS" may not update the separate "ports {}" list inside of http_inspect preprocessor. Maybe just have the preproc use $HTTP_PORTS by default and not include the line in the VRT snort.conf? That way if people wanted to they could always override it later by manually specifying it.
To further answer the question, you can't include a variable in a preprocessor. That's why we just "don't do it". Instead of coding a fix to that problem, we want to fix the entire problem all at once. That's what I was referring to in my previous email. J ------------------------------------------------------------------------------ Doing More with Less: The Next Generation Virtual Desktop What are the key obstacles that have prevented many mid-market businesses from deploying virtual desktops? How do next-generation virtual desktops provide companies an easier-to-deploy, easier-to-manage and more affordable virtual desktop model.http://www.accelacomm.com/jaw/sfnl/114/51426474/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- http ports defined twice in snort.conf - portvar and http_inspect Eoin Miller (Sep 12)
- Re: http ports defined twice in snort.conf - portvar and http_inspect waldo kitty (Sep 12)
- Re: http ports defined twice in snort.conf - portvar and http_inspect Joel Esler (Sep 12)
- Re: http ports defined twice in snort.conf - portvar and http_inspect Joel Esler (Sep 12)
- Re: http ports defined twice in snort.conf - portvar and http_inspect waldo kitty (Sep 12)