Snort mailing list archives

Re: Proper Method and/or Place to Declare HTTP_SERVERS port?

From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Thu, 09 May 2002 13:18:08 +0000

OK, here is what I have done so far. Thanks again to all
of you for your help and/or comments.

1. I've added a new variable named HTTP_SERVERS_PORT
  to all of my snort.conf files, I have 8 on one box.

2. I've changed every instance of 80, when it referred
  to this port number, in *all* of my rules files to
  read $HTTP_SERVERS_PORT.

3. Some of my snort.conf files have var HTTP_SERVERS_PORT set
  to 8180, others have this set to 80 since we also have
  "normal" servers running at some locations.

4. Does anyone else besides me think that this should be a
  permanent change to the rules and snort.config files?
  Defaulting to port 80 of course.

My questions to my setup,

a. How do I declare NO HTTP_SERVERS at all? In other words,
  I want to know whenever someone tries to make an attempt
  to port 80 or even SMTP/SQL, since I do not have these
  services running at that particuliar level and I want to
  know of attempts to use them?

b. How do I add services, I have about 100 of these, which are
  permitted, for example OK from aaa.bbb.ccc.ddd/32 port 12345
  to $HOME_NET or ONE particuliar IP? Basically, I want to
  convert my cisco routers acl to match my snort rulesets.

c. Am I ruining anything by having my ports changed to port
  8180? By the way, 8180 is my proxy server, perhaps just add
  this variable instead?

Thank you all,

Vadim

From: Erek Adams <erek () theadamsfamily net>
Subject: Re: [Snort-users] Proper Method and/or Place to DeclareHTTP_SERVERS port?
Date: Wed, 8 May 2002 14:06:09 -0700 (PDT)

On Wed, 8 May 2002, Vadim Pushkin wrote:
> I am using port 8180 versus port 80. I would prefer not messing aroundwith> all of the rules files. I've noticed that the rules files themselvesspecify> port 80, but my servers are listening on port 8180. Is there a way tochange
> this in the snort.conf file? I've tried setting:
>
> preprocessor http_decode: 8180 -unicode -cginull
>
> but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.

And you will continue to.  :)
The http_decode preprocessor has _nothing_ to do with the rules. Itstrictly
deals with 'normalizing' the URLs before snort runs them thru the rulesets.

You'll need to manually (or via a script) change port 80 in each of the
*.rules to port 8180.

Erek Adams



_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Proper Method and/or Place to Declare HTTP_SERVERS port? Vadim Pushkin (May 08)
- Re: Proper Method and/or Place to Declare HTTP_SERVERS port? Erek Adams (May 08)
- Re: Proper Method and/or Place to Declare HTTP_SERVERS port? Matt Kettler (May 08)
- <Possible follow-ups>
- Re: Proper Method and/or Place to Declare HTTP_SERVERS port? Vadim Pushkin (May 08)
  - Re: Proper Method and/or Place to Declare HTTP_SERVERS port? Erek Adams (May 08)
- Re: Proper Method and/or Place to Declare HTTP_SERVERS port? Vadim Pushkin (May 09)