Snort mailing list archives
Re: multiple port variable fun
From: "Jeffrey Denton" <dentonj () gmail com>
Date: Wed, 4 Jul 2007 09:17:45 +0200
On 7/3/07, Ryan Hudson <ryan () mydingo net au> wrote:
Do you mean put that in snort.conf? Because when I tried that it just thought you were reading the same rules files multiple times and failed as the same pid's were being used multiple times. And the http_ports variable was over-written 3 times.

-----Original Message-----
From: Leon Ward [mailto:seclists () rm-rf co uk]
Sent: Wednesday, 4 July 2007 3:27 AM
To: ryan () mydingo net au
Subject: Re: [Snort-users] multiple port variable fun

Hi

var HTTP_PORTS 80
include http.rules
var HTTP_PORTS 8082
include http.rules
var HTTP_PORTS 3001
include http.rules

Yeap, the SIDs will cause problems. Barnyard and Oinkmaster wouldn't play nice either.

One possible solution is to create separate rules files for each port. This looks ugly...

var HTTP_PORTS 8082
include $RULE_PATH/web-attacks_port_8082.rules
include $RULE_PATH/web-cgi_port_8082.rules
include $RULE_PATH/web-client_port_8082.rules
include $RULE_PATH/web-coldfusion_port_8082.rules
include $RULE_PATH/web-frontpage_port_8082.rules
include $RULE_PATH/web-iis_port_8082.rules
include $RULE_PATH/web-misc_port_8082.rules
include $RULE_PATH/web-php_port_8082.rules
include $RULE_PATH/bleeding-web_port_8082.rules

var HTTP_PORTS 3001
include $RULE_PATH/web-attacks_port_3001.rules
include $RULE_PATH/web-cgi_port_3001.rules
include $RULE_PATH/web-client_port_3001.rules
include $RULE_PATH/web-coldfusion_port_3001.rules
include $RULE_PATH/web-frontpage_port_3001.rules
include $RULE_PATH/web-iis_port_3001.rules
include $RULE_PATH/web-misc_port_3001.rules
include $RULE_PATH/web-php_port_3001.rules
include $RULE_PATH/bleeding-web_port_3001.rules

var HTTP_PORTS 80
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/bleeding-web.rules

You have to change the SIDs in each of the "port_8082" and "port_3001" files to something unique. Another problem would be keeping the rules for the other port files up to date.

A quick search through the ChangeLog of 2.7.0 RC2 didn't turn up anything to indicate that HTTP_PORTS was fixed to accept multiple ports. The sample snort.conf file still includes, "We will adding support for a real list of ports in the future." The only mention of HTTP_PORTS in the source code is a define statement in sf_snort_plugin_api.h.
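Added example (not part of the original message, and not Snort or Oinkmaster code): a Python script for the per-port workaround described above. It clones a rules file with every SID shifted by a per-port offset, refuses any SID reuse, and emits the matching snort.conf lines in the *_port_<port>.rules naming. The function names, the SID offsets and the sample rules are constructed assumptions, and it assumes one rule per line.

```python
import re

# Matches the sid option of a rule, e.g. "sid:1000001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def sids(rules_text):
    """SIDs of all active (non-comment) rules, in file order."""
    return [int(m.group(1)) for line in rules_text.splitlines()
            if not line.lstrip().startswith("#")
            for m in SID_RE.finditer(line)]

def clone_rules(rules_text, sid_offset):
    """Copy a rules file, shifting every SID by sid_offset.
    Assumes one rule per line (no backslash continuations)."""
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)  # keep comments and blank lines unchanged
            continue
        shifted, n = SID_RE.subn(
            lambda m: f"sid:{int(m.group(1)) + sid_offset};", line)
        if n != 1:
            raise ValueError(f"rule without exactly one sid: {line!r}")
        out.append(shifted)
    return "\n".join(out) + "\n"

def conf_stanza(port, rule_files):
    """snort.conf lines for one extra port: the var, then the per-port includes."""
    lines = [f"var HTTP_PORTS {port}"]
    lines += [f"include $RULE_PATH/{name[:-len('.rules')]}_port_{port}.rules"
              for name in rule_files]
    return "\n".join(lines)

def build(base_text, offsets):
    """offsets: {port: sid_offset}. Returns {port: cloned text}; refuses SID reuse."""
    seen = set(sids(base_text))
    clones = {}
    for port, off in offsets.items():
        clones[port] = clone_rules(base_text, off)
        new = set(sids(clones[port]))
        if seen & new:
            raise ValueError(f"SID collision for port {port}: {sorted(seen & new)}")
        seen |= new
    return clones

# Constructed sample rules (not taken from any real rule set).
SAMPLE = (
    "# constructed sample\n"
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE one"; content:"/a"; sid:1000001; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE two"; content:"/b"; sid:1000002; rev:3;)\n'
)
```

Regenerating the per-port files from the base files after each rule update keeps the copies current, which is the maintenance problem the message raises.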
Current thread:
- multiple port variable fun ryan (Jul 02)
- Message not available
- Re: multiple port variable fun Ryan Hudson (Jul 03)
- Re: multiple port variable fun Jeffrey Denton (Jul 04)
- Re: multiple port variable fun Frank Knobbe (Jul 24)
- Re: multiple port variable fun Justin Heath (Jul 25)
- Re: multiple port variable fun Ryan Hudson (Jul 03)
- Message not available