[Snort-devel] Portvar details question.

snort user snort.user at ...2499...
Sun Sep 7 13:06:53 EDT 2008


I have a question on the portvar feature of Snort 2.8 --

Consider the following rule -

var HTTP_PORTS 8000:9000
alert tcp any any -> any $HTTP_PORTS ( msg:"Example"; content:"GET"; content:"whatIamLookingFor"; sid:1000000;)

Before portvar, this rule would be placed in the generic group since
the source port was ANY and the dest port was a range.

With portvar, is that still the case?

What if the ports were declared as [80,3128,8080]? Is it placed in the
generic group?

Thanks for the reply. I will be looking at the code, but would
appreciate your reply.

