Re: shellcode_ports

[Leon Ward <leon.ward () sourcefire com>]

Hi,

If a packet is destined to TCP:80 then it will only be run through  
the HTTP_PORTS 80 rule set.
If the packet is destined to TCP:8080 it will be run through the  
HTTP_PORTS 8080 rules and not the HTTP_PORTS 80 rules.

Take a look at :  "Snort 2.0 - Multi-Rule Inspection Engine" and  
"Snort 2.0 - Rule Optimizer" papers available on snort.org for full  
information.

Regards,

Leon


On 24 May 2006, at 18:09, Gentoo-Wally wrote:

> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
> include somefile.rules
>
> ouch, so a packet would have to be compared to any sig's in
> somefile.rules twice?
>
> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
>
> That should work right? It should then pickup the normal includes at
> the bottom of the snort.conf (as long as somefile.rules exsisted at
> the bottom also)?
>
> If you did a ...
>
> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
> include somefile.rules
>
> ....
>
> include somefile.rules
>
> Then would it then compare a single packet 3 times (once as 80 and
> twice as 8080)?
>
> Wally
>
> On 5/24/06, Joel Esler <joel.esler () sourcefire com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You must specify a different rule include after each port  
> > specification.
> >  The example in the Snort.conf is correct.
> >
> > Joel
> >
> > Gentoo-Wally wrote:
> > > Is there a better way to define SHELLCODE_PORTS other than !80?
> > >
> > > All the sig's using this var show..
> > >
> > > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  any
> > >
> > > If we really want to look for shellcode to any port from every port
> > > but 80 then why not on 80 also? Or why not also exclude 8080 and  
> > 443
> > > (or any other encrypted ports like 22)
> > >
> > > Assuming this works the same way as HTTP_PORTS...
> > >
> > > var SHELLCODE_PORTS !80
> > > var SHELLCODE_PORTS !8080
> > > var SHELLCODE_PORTS !443
> > > var SHELLCODE_PORTS !22
> > >
> > > Or even
> > > var SHELLCODE_PORTS !80
> > > var SHELLCODE_PORTS !8080
> > > var SHELLCODE_PORTS !443
> > > var SHELLCODE_PORTS !22
> > > var EXCLUDE !22
> > > var EXCLUDE !443
> > >
> > > and rewriting these sigs with oinkmaster to be...
> > >
> > > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  $EXCLUDE
> > >
> > > Since looking for shellcode on encrypted traffic is kind of a  
> > waste of
> > > time, right?
> > >
> > > What are others doing for this?
> > >
> > > This brings up another point...
> > >
> > > the snort.conf shows defining these port options for multiple  
> > ports like
> > > this...
> > >
> > > ## var HTTP_PORTS 80
> > > ## include somefile.rules
> > > ## var HTTP_PORTS 8080
> > > ## include somefile.rules
> > >
> > > is specifying an include after each port defined necessary or is  
> > the
> > > following adequate?
> > >
> > > var HTTP_PORTS 80
> > > var HTTP_PORTS 8080
> > > ...
> > > include somefile.rules
> > >
> > > using snort 2.4.4
> > >
> > > Thx,
> > > Wally
> > >
> > >
> > > -------------------------------------------------------
> > > All the advantages of Linux Managed Hosting--Without the Cost  
> > and Risk!
> > > Fully trained technicians. The highest number of Red Hat  
> > certifications in
> > > the hosting industry. Fanatical Support. Click to learn more
> > > http://sel.as-us.falkag.net/sel?cmd=k&kid7521&bid$8729&dat1642
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=ort-users
> > >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (Darwin)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFEdIKZKbCSyXHckt4RArkXAKCRcrK5gwT39TSyBQTIDhQuvYxvfQCfUBKr
> > 1uzYL7J529eS/9i0/3QSv9Y=
> > =CbcJ
> > -----END PGP SIGNATURE-----
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and  
> Risk!
> Fully trained technicians. The highest number of Red Hat  
> certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users