Snort mailing list archives

Re: shellcode error


From: "Hugo Ferr" <snortgrp () hotmail com>
Date: Fri, 31 May 2002 10:41:29 -0400

Just out of curiosity - why !80? I was getting quite a lot of false
positives for shellcode on port 80; is the number of false positives
the reason for !80?

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Hugo Ferr" <snortgrp () hotmail com>
Cc: "Got Snort?" <snort-users () lists sourceforge net>
Sent: Friday, May 31, 2002 12:02 AM
Subject: Re: [Snort-users] shellcode error


On Thu, 30 May 2002, Hugo Ferr wrote:

I would like to have some understanding regarding the following:
1. Why should I define ports for shellcode rules?

Think in terms of maintenance and coding.  If you can parse a variable, and
you have it in 500 places, you change one place and all 500 change.  If you
need to change one rule, it's "easier" to work with the exceptions than with
the "rule".  The old 'hit the larger target' idea...

2. What is the exact syntax? (var $SHELLCODE_PORTS)

[root@foofus]/local/build/snort#grep SHELLCODE snort.conf
# Ports you want to look for SHELLCODE on.  (By default, not port 80)
var SHELLCODE_PORTS !80

P.S. I'm a big fan of snort, but I really feel like documentation should
be improved. (Or is it a topic for a mail list dedicated to rants :-) ?)

As for improvements, we're all ears.  I'd suggest another thread on this
and have you explain what you mean a bit more.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
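
The point made in the thread about defining the port once in `snort.conf`, as an added example that is not part of the original messages and is not Snort's own parser: a Python sketch that expands `$SHELLCODE_PORTS` in two constructed rule headers and evaluates the `!80` port spec. The rule text, the placement of the variable in the source-port field, and all function names are assumptions made for illustration.

```python
import re

# Constructed snort.conf fragment; the var line is the one quoted in the thread.
CONF = """\
# Ports you want to look for SHELLCODE on.  (By default, not port 80)
var SHELLCODE_PORTS !80
"""
# Constructed rule headers (illustrative, not copied from a Snort ruleset).
RULES = [
    'alert ip any $SHELLCODE_PORTS -> any any (msg:"constructed shellcode rule A";)',
    'alert ip any $SHELLCODE_PORTS -> any any (msg:"constructed shellcode rule B";)',
]

def parse_vars(conf):
    """Collect 'var NAME VALUE' definitions, skipping comments and blank lines."""
    out = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out

def expand(rule, variables):
    """Replace each $NAME in a rule with its value from the config."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], rule)

def port_matches(spec, port):
    """Evaluate a port spec: any, N, lo:hi, :hi or lo:, with optional leading '!'."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)

def rules_inspecting(conf, src_port):
    """Return the msg of each rule whose source-port field (header[3]) admits src_port."""
    variables = parse_vars(conf)
    hits = []
    for rule in RULES:
        header = expand(rule, variables).split("(", 1)[0].split()
        if port_matches(header[3], src_port):
            hits.append(re.search(r'msg:"([^"]+)"', rule).group(1))
    return hits

if __name__ == "__main__":
    print(rules_inspecting(CONF, 80), rules_inspecting(CONF, 8080))
```

Changing the single `var` line to `any` makes every rule that references the variable inspect port 80 traffic again, which is where the false positives mentioned in the reply would come from.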


