Re: Enabling all ports on 'http_inspect_server'

["Carter Waxman \(cwaxman\) via Snort-users" <snort-users () lists snort org>]

One of the many improvements of Snort 3:

-- in your lua config
http_inspect =
{
                -- your settings
}

binder =
{
                -- put your explicit port / address -> inspector bindings here
                -- { when = { criteria }, use = { name or type = ‘name_of_inspector’ } },
                { use = { name = ‘wizard’ } } -- if nothing explicit matches, use automatic service detection
}

wizard = default_wizard -- define automatic service detection

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Junaid Bohio via Snort-users <snort-users () 
lists snort org>
Reply-To: Junaid Bohio <mjbohio () gmail com>
Date: Thursday, October 25, 2018 at 10:32 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Enabling all ports on 'http_inspect_server'

Hi,

I am wondering if Snort allows to enable all ports under 'http_inspect_server' server? In case of normal HTTP traffic, 
listing few standard ports is sufficient, but in case of malware traffic the remote control server can be listening on 
any port. If a non-standard port is not listed under that config then HTTP modifiers like 'http_uri', 'http_header', 
etc. don't work. I have done various tests and it doesn't seem to be accepting port range or all ports (most likely for 
performance reasons) but i just want to verify it here.

Thank you!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette