Re: RE: [Snort-sigs] ports

[Jason <security () brvenik com>]

> > - If you knew the proper answer why didn't you provide it in your first
> > reply?
>
>
> The completely proper answer is that, AFAIK, if you want to do the same
> content etc. checks on two or more non-contiguous ports, you cannot do it
> with one rule, it must be done with multiple rules.  There are several ways
> to cause snort to see multiple rules.  The most basic method is to simply
> write multiple rules.  A slightly more elegant, but still kludgy, method is
> described in the FAQ (4.27).  I didn't realize that Joel was attempting to
> explain what the FAQ said until you pointed out what he may have meant.  It
> then became clear that there was a more proper answer.  And I'm not even
> sure that it really is a proper answer.  The original poster didn't specify
> whether he has a single rule that he wants to apply a port list to, or a
> whole bunch of them.  If it's a single rule, then, IMHO, it's better to have
> multiple instances of the rule, one for each port.  If it's a whole bunch of
> rules, then it makes more sense to me to use the method from the FAQ, put
> them all in one rule file, and have multiple includes with variable
> re-definitions between them.  Functionally, it's the same either way, it's
> just a matter of rule file maintainability and cleanliness.

Now that is worth reading. More replies should go to this level of detail.

To be fair, it is not exactly clear how to do this in the FAQ [0] 
either. You have to combine question 4.26 with 4.27 to get the complete 
picture.

-- snip --
4.26 How can I specify a list of ports in a rule?

You can't yet. You can specify a range of ports between X and Y With the
notation X:Y. See the users manual^[*] for more info on port ranges.

4.27 How can I protect web servers running on ports other than 80?

It is possible... It's a kludge, but it can work. Since the newer rules 
use $HTTP_PORTS variable, you simply reset it and re-run the rules for 
the other ports.

For example:

    var HTTP_PORTS 80

    include web.rules

    var HTTP_PORTS 8080

    include web.rules


-- snip --

> > - Thx for playing.
>
>
> always a pleasure.

:-)


[0] - http://www.snort.org/docs/FAQ.txt


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users