[Snort-devel] Port Matching Logic

John Pritchard john.r.pritchard at ...2499...
Mon Nov 3 16:26:28 EST 2008


I would argue that the correct behavior would be for snort to flag
such misconfiguration issues or logic errors on start-up and fail to
launch.

In this case though, I'd say it is less about the "rule writer"
(although I could see a hand-crafted rule with such a logic problem)
and more about as a snort configuration with a logic error (as you
pointed out).

For your example, the logic error could be avoided with the following:
portvar HTTP_PORTS [80,1025:]

However, I wouldn't recommend such a configuration unless you're
hoping to seriously bog down your ability to inspect traffic..... (Try
playing with incrementally adding more and more ports to this variable
and you'll see what I mean).

>From a rule writing perspective, logic problems are always a risk. I
see great value in having automated "logic checks" report when/if I've
done something unintended.

Cheers, John

On Mon, Nov 3, 2008 at 11:22 AM, snort user <snort.user at ...2499...> wrote:
> Hello and greetings!
>
> If a portvar definition has conflicting meaning, for example -
>
> portvar HTTP_PORTS [80,!0:1024]
> alert tcp any any -> any $HTTP_PORTS (............);
>
> If a TCP packet has destination port 80, then should it match or not ?
>
> 80 says the packet should match
> !0:1024 says it should not match
>
> In snort 2.8 this results in a mismatch.
>
> Should such inconsistencies be caught during rule parsing?
> or be left to the rule writer to avoid?
>
> The thing is sometimes it maybe confusing and so hard to avoid.
>
>
> Thoughts?
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>




More information about the Snort-devel mailing list