Snort mailing list archives

Re: proper usage of $SHELLCODE_PORTS ?


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 22 Apr 2002 10:01:12 -0400

We don't support port sets at this time, only ranges and negation.  Check
out the writing Snort rules document:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.4

Port sets will be included in 2.0.

     -Marty


On 4/21/02 9:58 PM, "larosa, vjay" <larosa_vjay () emc com> wrote:

Correct me if I am wrong but I think this would be the syntax,

var SHELLCODE_PORTS ![80,9100,119]

Can anybody provide confirmation?

vjl

-----Original Message-----
From: Jon Hart [mailto:jhart () ccs neu edu]
Sent: Sunday, April 21, 2002 5:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] proper usage of $SHELLCODE_PORTS ?


Good afternoon,

After upgrading to 1.8.6 a few weeks ago, I've really come to love the
SHELLCODE_PORTS variable that was tossed into the ruleset.

Since the default of "!80" still leaves a ton of false positives for me
(yay NFS!), I've tried to axe out some troublesome ports by using the
following directive:

var SHELLCODE_PORTS !80 and !515 and !9100 and !119

Whether or not that declaration is correct for $SHELLCODE_PORTS is not
clear to me, but snort seems to parse it just fine.  Unfortunately, I just
noticed a bunch of x86 NOOPS get detected on port 119, so I'm starting to
think that my declaration is incorrect.

I've seen examples where people look for potential shellcode on specific
ports, but I want to listen everywhere and ignore the heavy talkers.

I've tried setting SHELLCODE_PORTS like I do some of the other
variables I've got, but that doesn't seem to work. i.e., the following host
declaration works:

var HOME_NET [a.b.c.0/24,a.b.d.0/24,a.b.e.0/24]
var NOT_HOME_NET !HOME_NET

...but I couldn't get something similar to work with ports.  All I could
find in the man page / users-guide were port ranges -- 1024:2049, 1024:,
:1024 etc.

Any suggestions as to how I can get this to work?  Example configs would be
great...

thanks in advance,

-jon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
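As an added illustration of the port grammar Marty points to (a single port, a range such as 1024:2049, 1024: or :1024, and negation with !, but no port sets), this is a small Python matcher that encodes that grammar and rejects both declarations proposed in the thread. It is example code written for this archive page, not Snort's own parser or anything posted by the participants; the matching semantics are an assumption drawn from the documented syntax.

```python
import re
from typing import Callable, List, Tuple

# Range form "lo:hi" where either side may be empty (":1024", "1024:").
_RANGE = re.compile(r"^(\d*):(\d*)$")


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Return a predicate over port numbers for a Snort 1.x-style port spec.

    Accepted: "any", a single port, a range, or "!" in front of either.
    Rejected: bracketed sets like ![80,9100] and "and"-chains, which this
    grammar has no notion of (assumed behaviour, not Snort's real parser).
    """
    spec = spec.strip()
    if spec == "any":
        return lambda p: True
    negate = spec.startswith("!")
    body = spec[1:].strip() if negate else spec
    if body.startswith("[") or "," in body:
        raise ValueError(f"port sets are not supported by this grammar: {spec!r}")
    if " and " in body or "!" in body:
        raise ValueError(f"chained negations are not a port spec: {spec!r}")
    m = _RANGE.match(body)
    if m:
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(2)) if m.group(2) else 65535
    elif body.isdigit():
        lo = hi = int(body)
    else:
        raise ValueError(f"cannot parse port spec: {spec!r}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"range out of order or out of bounds: {spec!r}")
    in_range = lambda p: lo <= p <= hi
    return (lambda p: not in_range(p)) if negate else in_range


def check_declaration(spec: str) -> Tuple[bool, str]:
    """Say whether a SHELLCODE_PORTS value is valid under this grammar."""
    try:
        parse_port_spec(spec)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def inspected_ports(spec: str, observed: List[int]) -> List[int]:
    """Ports from `observed` that a rule using `spec` would still inspect."""
    matches = parse_port_spec(spec)
    return [p for p in observed if matches(p)]


if __name__ == "__main__":
    # Constructed sample of ports seen on the sensor, including the NFS/LPD/
    # JetDirect/NNTP talkers from the thread.
    seen = [80, 119, 515, 2049, 9100]
    print("!80 still inspects:", inspected_ports("!80", seen))
    for candidate in ("!80 and !515 and !9100 and !119", "![80,9100,119]"):
        print(repr(candidate), "->", check_declaration(candidate))
```

The default "!80" leaves every other port in scope, which is exactly why Jon still sees hits on 119; neither of the two alternative declarations is accepted under the grammar of that release.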



