Snort mailing list archives

Re: ports


From: Andreas Östling <andreaso () it su se>
Date: Wed, 5 Jan 2005 22:41:53 +0100 (CET)


On Wed, 5 Jan 2005, Matt Kettler wrote:
...
This isn't any less efficient, since even if snort did support port lists, 
all it would do would be internally create two rule entries in the rule 
structures anyway.  (AFAIK this is what it does for comma-separated IP 
lists.) Snort's internal structure would make supporting discontinuous 
ranges in a single RTN slower than having multiple RTNs. You'd save memory, 
but kill yourself in CPU cycles to traverse the RTN list, which turns into 
packet drop rate.
...

The port list issue has been discussed many times before, here are some 
pointers:

http://marc.theaimsgroup.com/?l=snort-users&m=107368796627596&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107282430014686&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107341476419431&w=2

I created a trivial patch a long time ago so you could specify port lists 
that simply expanded to multiple rules. This is obviously not the best 
way to do things, although it could be useful in some cases as real port 
lists are not yet supported. I can update the patch so it applies on 
recent Snort versions if anyone cares.

Another workaround to achieve the same thing is to do some rules cloning 
with Oinkmaster if you want to modify existing rules on the fly, e.g. copy 
a rule once for each port you want to add and replace the port/sid in each 
new rule.

/Andreas
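Added example, not code from this post, from Andreas's patch, or from Oinkmaster: a small Python script that does the expansion both workarounds above describe. A rule whose source or destination port field is a bracketed list such as [80,8080,8000] is cloned once per port (cartesian product when both fields are lists); the first clone keeps the original sid and every further clone gets a fresh sid that does not collide with any sid already present in the file, since Snort requires sids to be unique. The three sample rules, the bracket syntax, and the starting sid 9000000 are constructed assumptions for the example.

```python
import itertools
import re

# Constructed sample rules (not from the post). The first uses a bracketed
# destination port list, which the post says Snort did not support natively;
# the third deliberately occupies sid 9000000 to show collision avoidance.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080,8000] (msg:"WEB example"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS example"; sid:9000000; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
# Port lists must be written without spaces, e.g. [80,8080], because each
# field is matched as a run of non-whitespace characters.
RULE_RE = re.compile(
    r'^(?P<head>\w+\s+\w+\s+\S+\s+)(?P<sport>\S+)'
    r'(?P<mid>\s+(?:->|<>)\s+\S+\s+)(?P<dport>\S+)'
    r'(?P<tail>\s+\(.*\)\s*)$')
PORTLIST_RE = re.compile(r'^\[([^\]]+)\]$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def split_ports(field):
    """Return the ports in a bracketed list '[80,8080]'; a plain field ('any', '22', '1:1024') is returned as a one-element list."""
    m = PORTLIST_RE.match(field)
    if not m:
        return [field]
    ports = [p.strip() for p in m.group(1).split(',') if p.strip()]
    if not ports:
        raise ValueError('empty port list: %s' % field)
    return ports


def expand_rules(text, base_sid=9000000):
    """Expand every rule with a bracketed port list into one rule per port combination.

    Lines that are not rules, or rules without a port list, pass through
    unchanged. The first clone keeps the original sid; later clones receive
    fresh sids allocated from base_sid upward, skipping any sid already used
    anywhere in the input so the expanded file still has unique sids.
    """
    used = set(int(s) for s in SID_RE.findall(text))
    out = []
    next_sid = base_sid
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or not (PORTLIST_RE.match(m.group('sport'))
                         or PORTLIST_RE.match(m.group('dport'))):
            out.append(line)
            continue
        if not SID_RE.search(m.group('tail')):
            raise ValueError('rule with port list has no sid: %s' % line)
        combos = itertools.product(split_ports(m.group('sport')),
                                   split_ports(m.group('dport')))
        for i, (sp, dp) in enumerate(combos):
            tail = m.group('tail')
            if i > 0:
                while next_sid in used:
                    next_sid += 1
                used.add(next_sid)
                tail = SID_RE.sub('sid:%d;' % next_sid, tail, count=1)
            out.append('%s%s%s%s%s' % (m.group('head'), sp, m.group('mid'), dp, tail))
    return out


if __name__ == '__main__':
    for rule in expand_rules(SAMPLE_RULES):
        print(rule)
```

Run it over a rules file and feed the output to Snort instead of the original; the result is exactly the "multiple rule entries" that Matt's quoted reply says Snort would build internally anyway, so there is no efficiency penalty relative to native port lists, only the bookkeeping of extra sids. The allocated sids are unique within the file, but you still have to choose base_sid so they do not clash with sids from other rule files loaded by the same snort.conf.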

