Snort mailing list archives
Re: RE: [Snort-sigs] ports
From: Jason <security () brvenik com>
Date: Wed, 05 Jan 2005 16:15:06 -0500
- If you knew the proper answer why didn't you provide it in your first reply?

The completely proper answer is that, AFAIK, if you want to do the same content etc. checks on two or more non-contiguous ports, you cannot do it with one rule, it must be done with multiple rules. There are several ways to cause snort to see multiple rules. The most basic method is to simply write multiple rules. A slightly more elegant, but still kludgy, method is described in the FAQ (4.27). I didn't realize that Joel was attempting to explain what the FAQ said until you pointed out what he may have meant. It then became clear that there was a more proper answer.

And I'm not even sure that it really is a proper answer. The original poster didn't specify whether he has a single rule that he wants to apply a port list to, or a whole bunch of them. If it's a single rule, then, IMHO, it's better to have multiple instances of the rule, one for each port. If it's a whole bunch of rules, then it makes more sense to me to use the method from the FAQ, put them all in one rule file, and have multiple includes with variable re-definitions between them. Functionally, it's the same either way, it's just a matter of rule file maintainability and cleanliness.
Now that is worth reading. More replies should go to this level of detail.

To be fair, it is not exactly clear how to do this in the FAQ [0] either. You have to combine question 4.26 with 4.27 to get the complete picture.
-- snip --
4.26 How can I specify a list of ports in a rule?

You can't yet. You can specify a range of ports between X and Y with the notation X:Y. See the users manual for more info on port ranges.

4.27 How can I protect web servers running on ports other than 80?

It is possible... It's a kludge, but it can work. Since the newer rules use $HTTP_PORTS variable, you simply reset it and re-run the rules for the other ports.

For example:

    var HTTP_PORTS 80
    include web.rules
    var HTTP_PORTS 8080
    include web.rules
-- snip --
- Thx for playing.

always a pleasure.
:-)

[0] - http://www.snort.org/docs/FAQ.txt
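Added example, not part of the original message or the Snort FAQ: a small generator for both approaches discussed in the thread, the FAQ 4.27 re-include stanzas for a whole rule file and one copy per port of a single rule. It goes slightly beyond the thread by collapsing contiguous ports into the X:Y ranges from FAQ 4.26; the function names, the sample rule, and the per-copy sid renumbering are assumptions of this example.

```python
import re

def port_ranges(ports):
    """Collapse ports into Snort port specs: contiguous runs become X:Y ranges."""
    specs, start, prev = [], None, None
    for p in sorted(set(ports)):
        if not 0 < p <= 65535:
            raise ValueError(f"invalid port: {p}")
        if prev is not None and p == prev + 1:
            prev = p
            continue
        if start is not None:
            specs.append(str(start) if start == prev else f"{start}:{prev}")
        start = prev = p
    if start is not None:
        specs.append(str(start) if start == prev else f"{start}:{prev}")
    return specs

def include_stanzas(var, rules_file, ports):
    """FAQ 4.27 method: reset the variable and re-include the rule file per spec."""
    lines = []
    for spec in port_ranges(ports):
        lines += [f"var {var} {spec}", f"include {rules_file}"]
    return "\n".join(lines)

def expand_rule(rule, var, ports):
    """Multiple-rules method: one copy of a single rule per port spec.
    Assumption (not from the thread): each copy gets its own sid, base + index."""
    var_ref = re.compile(re.escape("$" + var) + r"\b")
    copies = []
    for i, spec in enumerate(port_ranges(ports)):
        text = var_ref.sub(lambda m: spec, rule)
        text = re.sub(r"sid:\s*(\d+)", lambda m: f"sid:{int(m.group(1)) + i}", text)
        copies.append(text)
    return copies

# Constructed sample rule (not a real signature).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
               '(msg:"LOCAL constructed example"; content:"/example"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(include_stanzas("HTTP_PORTS", "web.rules", [80, 8080]))
    print("\n".join(expand_rule(SAMPLE_RULE, "HTTP_PORTS", [80, 8080, 8081, 8082])))
```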