Snort mailing list archives
Re: Proper Method and/or Place to Declare HTTP_SERVERS port?
From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Thu, 09 May 2002 13:18:08 +0000
OK, here is what I have done so far. Thanks again to all of you for your help and/or comments.

1. I've added a new variable named HTTP_SERVERS_PORT to all of my snort.conf files, I have 8 on one box.
2. I've changed every instance of 80, when it referred to this port number, in *all* of my rules files to read $HTTP_SERVERS_PORT.
3. Some of my snort.conf files have var HTTP_SERVERS_PORT set to 8180, others have this set to 80 since we also have "normal" servers running at some locations.
4. Does anyone else besides me think that this should be a permanent change to the rules and snort.config files? Defaulting to port 80 of course.

My questions to my setup,

a. How do I declare NO HTTP_SERVERS at all? In other words, I want to know whenever someone tries to make an attempt to port 80 or even SMTP/SQL, since I do not have these services running at that particular level and I want to know of attempts to use them?
b. How do I add services, I have about 100 of these, which are permitted, for example OK from aaa.bbb.ccc.ddd/32 port 12345 to $HOME_NET or ONE particular IP? Basically, I want to convert my cisco routers acl to match my snort rulesets.
c. Am I ruining anything by having my ports changed to port 8180? By the way, 8180 is my proxy server, perhaps just add this variable instead?

Thank you all,
Vadim
From: Erek Adams <erek () theadamsfamily net>
Subject: Re: [Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?
Date: Wed, 8 May 2002 14:06:09 -0700 (PDT)

On Wed, 8 May 2002, Vadim Pushkin wrote:

> I am using port 8180 versus port 80. I would prefer not messing around with
> all of the rules files. I've noticed that the rules files themselves specify
> port 80, but my servers are listening on port 8180. Is there a way to change
> this in the snort.conf file? I've tried setting:
>
> preprocessor http_decode: 8180 -unicode -cginull
>
> but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.

And you will continue to. :)

The http_decode preprocessor has _nothing_ to do with the rules. It strictly
deals with 'normalizing' the URLs before snort runs them thru the rulesets.
You'll need to manually (or via a script) change port 80 in each of the
*.rules to port 8180.
Erek Adams
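Added example, not part of the original thread or of the Snort distribution: a sketch of the "via a script" route, replacing a literal port 80 with $HTTP_SERVERS_PORT only in the rule header, so that option text such as content:"80" is left alone. The function name rewrite_rules and the sample rules are constructed for illustration, and each snort.conf is assumed to carry a matching line such as "var HTTP_SERVERS_PORT 8180".

```python
import re

DIRECTIONS = {"->", "<>"}   # direction operators in a Snort rule header

def rewrite_rules(text, port="80", var="$HTTP_SERVERS_PORT"):
    """Swap a literal port in rule headers for a variable.

    Returns (new_text, changed_lines, review_lines), line numbers 1-based.
    """
    out, changed, review = [], [], []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        header, paren, options = line.partition("(")
        fields = header.split()
        # Header layout: action proto src_ip src_port dir dst_ip dst_port.
        # Comments, var/include lines and continuation lines do not match.
        if (not paren or len(fields) != 7 or fields[4] not in DIRECTIONS
                or fields[0].startswith("#")):
            out.append(line)
            continue
        hit = odd = False
        for i in (3, 6):                       # source and destination port
            if fields[i] == port:
                fields[i], hit = var, True
            elif port in re.split(r"[!:,\[\]]", fields[i]):
                odd = True                     # negation or range: edit by hand
        if odd:
            review.append(n)
        if hit:
            changed.append(n)
            indent = header[:len(header) - len(header.lstrip())]
            line = indent + " ".join(fields) + " (" + options
        out.append(line)
    return "".join(out), changed, review

# Constructed sample rules in Snort 1.x syntax (not taken from any ruleset).
SAMPLE = '''\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB sample one"; content:"/cmd.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP sample"; content:"80";)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB sample response"; \\
    content:"403 Forbidden";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80:443 (msg:"range sample";)
'''

if __name__ == "__main__":
    new_text, changed, review = rewrite_rules(SAMPLE)
    print(new_text)
    print("rewritten lines:", changed, "check by hand:", review)
```

Lines returned in review_lines use the port inside a range or negation and are left unmodified, so they need a manual decision before the sensor is restarted.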