Snort mailing list archives
Re: Fw: ports
From: Jason <security () brvenik com>
Date: Wed, 05 Jan 2005 16:16:41 -0500
There was a patch posted on -devel a while ago that did just this too. I doubt it works with the recent releases but a google of the archives should turn up the author and possibly get an updated patch.
Matt Kettler wrote:
As per the FAQ (4.26), you cannot do this yet. Snort supports single ports, ranges of ports, or negations of either. It does not support lists of ports.

If you need lists of ports, just duplicate the rules.

This isn't any less efficient, since even if snort did support port lists, all it would do would be internally create two rule entries in the rule structures anyway. (AFAIK this is what it does for comma-separated IP lists.) Snort's internal structure would make supporting discontinuous ranges in a single RTN slower than having multiple RTNs. You'd save memory, but kill yourself in CPU cycles to traverse the RTN list, which turns into packet drop rate.

If you've got a lot of rules, put them all in a file and use a variable and include the rulefile twice, changing the variable in between:

    var MAIL_PORT 25
    include $RULE_PATH/local_mail.rules
    var MAIL_PORT 110
    include $RULE_PATH/local_mail.rules

At 12:45 AM 1/5/2005, reynald wrote:

----- Original Message -----
From: reynald <rtm () cybees com>
To: snort-sigs () lists sourceforge net
Cc: Reynald Mahinay <rtm () cybees com>
Sent: Wednesday, January 05, 2005 11:49 AM
Subject: ports

Hello,

How can I define a list of ports? eg. 25,110 doesn't work... Now I know snort can do port ranging, but how about a specific list of ports only. please help.. thanks

reynald

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
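The "just duplicate the rules" workaround from the quoted reply, automated as an added example (not code from the thread or from the Snort project): a small pre-processor that turns a rule written with a comma-separated port list into one standard rule per port. The comma-list input syntax, the function names, the sample rule and the choice to number the copies with consecutive sids are all assumptions of this example; check that the generated sids do not collide with other local rules.

```python
import itertools
import re

# Rule header layout: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def split_ports(field):
    """Split a comma-separated port field (this example's syntax, not Snort's)."""
    ports = [p for p in field.split(",") if p]
    # Duplicated rules are OR-ed together, so "!25,!110" would end up matching
    # every port. Refuse negation inside a list instead of silently widening it.
    if not ports or (len(ports) > 1 and any(p.startswith("!") for p in ports)):
        raise ValueError(f"unsupported port list: {field!r}")
    return ports


def expand_rule(rule):
    """Return one single-port rule per source/destination port combination."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"not a recognisable rule: {rule!r}")
    combos = itertools.product(split_ports(m["sport"]), split_ports(m["dport"]))
    expanded = []
    for offset, (sport, dport) in enumerate(combos):
        # Give every copy its own sid: original sid + 0, 1, 2, ...
        opts = SID_RE.sub(lambda s: f"sid:{int(s.group(1)) + offset};", m["opts"])
        header = [m["action"], m["proto"], m["src"], sport, m["dir"], m["dst"], dport]
        expanded.append(" ".join(header) + f" ({opts})")
    return expanded


# Constructed sample rule using the 25,110 list from the question.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 25,110 '
          '(msg:"LOCAL mail port probe"; flow:to_server,established; '
          'sid:1000001; rev:1;)')

if __name__ == "__main__":
    for line in expand_rule(SAMPLE):
        print(line)
```

Single ports, ranges such as `1024:` and a lone negation pass through unchanged, so the output only uses port syntax the quoted reply says Snort accepts.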
Current thread:
- Fw: ports reynald (Jan 04)
- Re: Fw: ports Matt Kettler (Jan 05)
- Re: ports Andreas Östling (Jan 05)
- Re: Fw: ports Jason (Jan 05)
- Re: Fw: ports Matt Kettler (Jan 05)