Snort mailing list archives
Port problems in a rule
From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Fri, 17 Oct 2014 14:58:11 -0400
The port variable doesn't seem to like me. I recently started playing with rules and found an unexpected problem. Wondering what I'm doing wrong.

# works
alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)

# doesn't work
#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)

# doesn't work
#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)

Everything is the same with these rules except the destination port variable. My conf file lists HTTP_PORTS as follows:

portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
Current thread:
- Port problems in a rule Kurzawa, Kevin (Oct 17)
- Re: Port problems in a rule waldo kitty (Oct 17)
- Re: Port problems in a rule Kurzawa, Kevin (Oct 20)
- Re: Port problems in a rule waldo kitty (Oct 20)
- Re: Port problems in a rule Kurzawa, Kevin (Oct 20)
- Re: Port problems in a rule waldo kitty (Oct 17)