Snort mailing list archives

Re: Enabling all ports on 'http_inspect_server'

From: Junaid Bohio via Snort-users <snort-users () lists snort org>
Date: Thu, 25 Oct 2018 10:58:45 -0400

Thank you for the prompt reply, Carter.

Regards,

On Thu, Oct 25, 2018 at 10:46 AM Carter Waxman (cwaxman) <cwaxman () cisco com>
wrote:

One of the many improvements of Snort 3:



-- in your lua config

http_inspect =

{

                -- your settings

}



binder =

{

                -- put your explicit port / address -> inspector bindings
here

                -- { when = { criteria }, use = { name or type =
‘name_of_inspector’ } },

                { use = { name = ‘wizard’ } } -- if nothing explicit
matches, use automatic service detection

}



wizard = default_wizard -- define automatic service detection




*From: *Snort-users <snort-users-bounces () lists snort org> on behalf of
Junaid Bohio via Snort-users <snort-users () lists snort org>
*Reply-To: *Junaid Bohio <mjbohio () gmail com>
*Date: *Thursday, October 25, 2018 at 10:32 AM
*To: *"snort-users () lists snort org" <snort-users () lists snort org>
*Subject: *[Snort-users] Enabling all ports on 'http_inspect_server'



Hi,



I am wondering if Snort allows to enable all ports
under 'http_inspect_server' server? In case of normal HTTP traffic, listing
few standard ports is sufficient, but in case of malware traffic the remote
control server can be listening on any port. If a non-standard port is not
listed under that config then HTTP modifiers like 'http_uri',
'http_header', etc. don't work. I have done various tests and it doesn't
seem to be accepting port range or all ports (most likely for performance
reasons) but i just want to verify it here.



Thank you!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

Enabling all ports on 'http_inspect_server' Junaid Bohio via Snort-users (Oct 25)
- Re: Enabling all ports on 'http_inspect_server' Carter Waxman (cwaxman) via Snort-users (Oct 25)
  - Re: Enabling all ports on 'http_inspect_server' Junaid Bohio via Snort-users (Oct 25)