Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: multiple port variable fun

From: "Jeffrey Denton" <dentonj () gmail com>
Date: Wed, 4 Jul 2007 09:17:45 +0200
On 7/3/07, Ryan Hudson <ryan () mydingo net au> wrote:

Do you mean put that in snort.conf?  Because when i tried that it just
thought you were reading the same rules files multiple times and failed as
the same pid's were being used multiple times. And the http_ports variable
was over-written 3 times.

-----Original Message-----
From: Leon Ward [mailto:seclists () rm-rf co uk]
Sent: Wednesday, 4 July 2007 3:27 AM
To: ryan () mydingo net au
Subject: Re: [Snort-users] multiple port variable fun

Hi

var HTTP_PORTS 80
include http.rules
var HTTP_PORTS 8082
include http.rules
var HTTP_PORTS 3001


include http.rules


Yeap, the SIDs will cause problems.  Barnyard and Oinkmaster wouldn't
play nice either.  One possible solution is to create separate rules
files for each port.  This looks ugly...

var HTTP_PORTS 8082
include $RULE_PATH/web-attacks_port_8082.rules
include $RULE_PATH/web-cgi_port_8082.rules
include $RULE_PATH/web-client_port_8082.rules
include $RULE_PATH/web-coldfusion_port_8082.rules
include $RULE_PATH/web-frontpage_port_8082.rules
include $RULE_PATH/web-iis_port_8082.rules
include $RULE_PATH/web-misc_port_8082.rules
include $RULE_PATH/web-php_port_8082.rules
include $RULE_PATH/bleeding-web_port_8082.rules

var HTTP_PORTS 3001
include $RULE_PATH/web-attacks_port_3001.rules
include $RULE_PATH/web-cgi_port_3001.rules
include $RULE_PATH/web-client_port_3001.rules
include $RULE_PATH/web-coldfusion_port_3001.rules
include $RULE_PATH/web-frontpage_port_3001.rules
include $RULE_PATH/web-iis_port_3001.rules
include $RULE_PATH/web-misc_port_3001.rules
include $RULE_PATH/web-php_port_3001.rules
include $RULE_PATH/bleeding-web_port_3001.rules

var HTTP_PORTS 80
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/bleeding-web.rules


You have to change the SIDs in each of the "port_8082" and "port_3001"
files to something unique.

Another problem would be keeping the rules for the other port files up to date.

A quick search through the ChangeLog of 2.7.0 RC2 didn't turn up
anything to indicate that HTTP_PORTS was fixed to accept multiple
ports.  The sample snort.conf file still includes, "We will adding
support for a real list of ports in the future."  The only mention of
HTTP_PORTS in the source code is a define statement in
sf_snort_plugin_api.h.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: