Snort mailing list archives

Re: shellcode_ports

From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 24 May 2006 11:58:17 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You must specify a different rule include after each port specification.
 The example in the Snort.conf is correct.

Joel

Gentoo-Wally wrote:

Is there a better way to define SHELLCODE_PORTS other than !80?

All the sig's using this var show..

$EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  any

If we really want to look for shellcode to any port from every port
but 80 then why not on 80 also? Or why not also exclude 8080 and 443
(or any other encrypted ports like 22)

Assuming this works the same way as HTTP_PORTS...

var SHELLCODE_PORTS !80
var SHELLCODE_PORTS !8080
var SHELLCODE_PORTS !443
var SHELLCODE_PORTS !22

Or even
var SHELLCODE_PORTS !80
var SHELLCODE_PORTS !8080
var SHELLCODE_PORTS !443
var SHELLCODE_PORTS !22
var EXCLUDE !22
var EXCLUDE !443

and rewriting these sigs with oinkmaster to be...

$EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  $EXCLUDE

Since looking for shellcode on encrypted traffic is kind of a waste of
time, right?

What are others doing for this?

This brings up another point...

the snort.conf shows defining these port options for multiple ports like
this...

## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules

is specifying an include after each port defined necessary or is the
following adequate?

var HTTP_PORTS 80
var HTTP_PORTS 8080
...
include somefile.rules

using snort 2.4.4

Thx,
Wally


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=k&kid7521&bid$8729&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdIKZKbCSyXHckt4RArkXAKCRcrK5gwT39TSyBQTIDhQuvYxvfQCfUBKr
1uzYL7J529eS/9i0/3QSv9Y=
=CbcJ
-----END PGP SIGNATURE-----


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

shellcode_ports Gentoo-Wally (May 24)
- Re: shellcode_ports Joel Esler (May 24)
  - Re: shellcode_ports Gentoo-Wally (May 24)
    - Re: shellcode_ports Leon Ward (May 25)