[Snort-devel] Regarding PORTLISTS and TARGET_BASED features
twease at ...402...
Thu Oct 16 15:13:14 EDT 2008
Hello snort user,
No, there is no dependency between portlists and target based. The
portlist code is compiled in unconditionally now and can probably be
hardened. The code within the conditional macro mentioned is target
based specific - not sure why PORTLISTS is included in it. Essentially
it does a check to see if there is service information associated with
the packet and if so attempts to use that to find a suitable "port
group" (or service group - there is metadata that can be defined in a
rule to indicate a service, such as http, smtp or whatever). If there
is no service information associated with the packet or no service
groups for that service, snort will fall back to using ports.
prmFindRuleGroupTcp() gets called in the case where snort was not
compiled with target based support or the target based checks above fail.
I believe portlists has been in the code base for over a year now.
snort user wrote:
> Hello and Greetings. Hope this email finds you well.
> I have a question(s) regarding the new PORTLISTS feature.
> In fpdetect.c (snort release 2.8.*) we have --
> static INLINE int fpEvalHeaderTcp(Packet *p)
> PORT_GROUP *src, *dst, *gen;
> int retval=0;
> #if defined(TARGET_BASED) && defined(PORTLISTS)
> //old way
> retval = prmFindRuleGroupTcp(p->dp, p->sp, &src, &dst, &gen);
> Does the PORTLIST based packet evaluation work only with TARGET_BASED setting?
> What is the behavior if PORTLISTS is defined and TARGET_BASED is not?
> Is there a dependency for PORTLISTS feature on TARGET_BASED feature?
> Any clarification on this is much appreciated.
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel