[Snort-devel] Better Port Lists

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Tue Jul 20 06:53:01 EDT 2004

--On 14 July 2004 21:44 +0000 "Sheppard Martin Contr AFRL/IFGB" 
<Martin.Sheppard at ...2281...> wrote:

> I have been waiting for this for a few years also.  sigh..  Haven't had
> the time to do it myself.  Haven't seen any mention of a timeframe for
> implementation, but this feature request does show up on the list every so
> often.  someday:)
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Lionel CONS


> There is one feature that we really miss in Snort which is the ability
> to declare arbitrary port lists/sets like 80,8000-8099,9000 (using the
> Nmap syntax).

My guess is that this hasn't been done because it would either require 
comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP and 
TCP) for every packet analysed, or the analysis engine would have to use a 
linked list to represent arbitrary ranges (i.e. start port, end port, "next 
port range" pointer).

I suspect both would add significant per-packet overhead to the analysis.

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-devel mailing list