Snort mailing list archives

Port agnostic application layer protocol identification and parsing


From: Miso Patel <miso.patel () gmail com>
Date: Fri, 18 Nov 2011 10:42:18 -0600

I know Snort can do application layer parsing of certain protocols
like HTTP, FTP, SMTP, etc., but can Snort identify these across all
ports or do you have to specify specific ports?  I saw in snort.conf
that you specify ports for server in http_inspect. I suppose one could
specify all 65,536 ports to look on but does that impact performance?
Has anyone tried this?

Sometimes I worry people will set up an FTP server or HTTP proxy at
home on an ephemeral port like 65535 and we won't see it and they can
bypass web filters and firewalls.

Thank you.

Miso, CISO

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

