Snort mailing list archives

RE: Question about var SERVICE_PORTS


From: Andreas Östling <andreaso () it su se>
Date: Sat, 10 Jan 2004 00:12:31 +0100 (CET)


On Fri, 9 Jan 2004, Schmehl, Paul L wrote:

> Seems like the var SOMEPORTS [80,443,8080], var HTTP_PORTS $SOMEPORTS 
> would be the way to go.  Is there a drawback to that?  I understand how 
> your patch works, but I'd prefer not to patch snort, because then I have 
> to remember to patch it again every time I upgrade.  I'm lazy and I've got 
> way too many things to do already. :-)

Hello (and thanks).
The major drawback is that negations don't work when you do simple 
expansion, like:
alert tcp any any -> any ![80,443,8080]

would become:
alert tcp any any -> any !80
alert tcp any any -> any !443
alert tcp any any -> any !8080

which is NOT what you want/expect :)

And then there is a possible performance issue, as this creates multiple 
rules with one port in each instead of staying a single rule with 
a true port list. So it's really just a simpler way of doing the include 
trick until it's fixed the real way.

/Andreas
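
The negation problem described in the message above, as an added example that is not part of the original post and not Snort code. It is a toy model of destination-port matching only; the function names (`naive_expand`, `matches`, `any_match`, `divergent_ports`) are hypothetical, and the sample rule is the one from the message.

```python
# Added illustration, not Snort code: a toy model of destination-port matching.
import re

# Trailing port field: optional '!', then a [list] or a single port.
SPEC = re.compile(r"(!?)(?:\[([\d,\s]+)\]|(\d+))\s*$")


def naive_expand(rule):
    """Simple expansion: one rule per listed port, copying any '!' onto each."""
    m = SPEC.search(rule)
    if m is None or m.group(2) is None:
        return [rule]  # no bracketed list, nothing to expand
    head = rule[: m.start()]
    return [f"{head}{m.group(1)}{p.strip()}" for p in m.group(2).split(",")]


def matches(rule, port):
    """True if `port` satisfies the rule's destination-port field."""
    m = SPEC.search(rule)
    if m is None:
        raise ValueError(f"no port field in: {rule!r}")
    listed = m.group(2).split(",") if m.group(2) else [m.group(3)]
    in_list = port in {int(p) for p in listed}
    return in_list != (m.group(1) == "!")  # '!' inverts membership


def any_match(rules, port):
    """A rule set alerts if at least one of its rules matches."""
    return any(matches(r, port) for r in rules)


def divergent_ports(rule, ports):
    """Ports where the expanded rules and the original rule disagree."""
    expanded = naive_expand(rule)
    return [p for p in ports if any_match(expanded, p) != matches(rule, p)]


if __name__ == "__main__":
    rule = "alert tcp any any -> any ![80,443,8080]"
    for r in naive_expand(rule):
        print(r)
    # Each listed port is matched by the other two negated rules.
    print(divergent_ports(rule, [22, 80, 443, 8080]))
```

The expanded set alerts on exactly the ports the original rule was written to exclude, while a list without `!` expands to an equivalent rule set.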

