[Snort-devel] Portvar details question.

Steven Sturges ssturges at ...402...
Mon Sep 8 08:51:34 EDT 2008


That depends on the size of the range.  Overlapping ranges
(and individual ports) are condensed into a single group to
consume less memory for the pattern matcher.

Typically, a large range in the 1st example would get
put in the ANY group like it was before.

A small list in the 2nd example would be its own group.
If there are other rules that overlap with some common
ports, they'll get condensed into a single group.

snort user wrote:
> Greetings.
> 
> I have a question on portvar feature of snort 2.8 --
> 
> Consider the following rule -
> 
> var HTTP_PORTS 8000:9000
> alert tcp any any -> any $HTTP_PORTS ( msg:"Example"; content:"GET";
> content:"whatIamLookingFor"; sid:1000000;)
> 
> Before portvar, this rule would be placed in the generic group since
> the source port was ANY and the dest ports were a range.
> 
> With portvar, is that still the case?
> 
> What if the ports were declared as [80,3128,8080]? Is it placed in the
> generic group?
> 
> 
> Thanks for the reply. I will be looking at the code, but would
> appreciate your reply.
> 
> Thanks
> 
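As an added illustration (not Snort's own code and not part of this thread), here is a simplified Python model of the grouping Steven describes: Snort-style port specs are parsed, rules whose destination port is `any` or a wide range go to the ANY group (the 256-port cutoff is an assumption; Snort's real threshold and full algorithm differ), and rules whose port sets overlap are condensed into one group. The rule list is constructed for the example.

```python
# Simplified model of Snort 2.8 port-based rule grouping (added example).
# Assumption: ranges of LARGE_RANGE or more ports are treated as "large".
ANY = "any"
LARGE_RANGE = 256

def parse_ports(spec):
    """Parse a Snort port spec into a frozenset of ports, or ANY.
    Accepts 'any', '80', '8000:9000', ':1024', '1024:' and '[80,3128,8080]'."""
    spec = spec.strip()
    if spec == ANY:
        return ANY
    ports = set()
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if ":" in item:                       # range, possibly open-ended
            lo, hi = item.split(":", 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 65535
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return frozenset(ports)

def group_rules(rules):
    """rules: list of (sid, dst_port_spec). Returns {group_label: [sids]}.
    'any' and large ranges land in the ANY group; overlapping small port
    sets are merged into a single group (keyed by its sorted port list)."""
    groups, any_group = [], []              # groups: [[port_set, sids], ...]
    for sid, spec in rules:
        ports = parse_ports(spec)
        if ports == ANY or len(ports) >= LARGE_RANGE:
            any_group.append(sid)
            continue
        merged, remaining = [ports, [sid]], []
        for g_ports, g_sids in groups:      # existing groups are disjoint
            if g_ports & merged[0]:
                merged = [g_ports | merged[0], g_sids + merged[1]]
            else:
                remaining.append([g_ports, g_sids])
        groups = remaining + [merged]
    result = {ANY: any_group}
    for g_ports, g_sids in groups:
        result[",".join(map(str, sorted(g_ports)))] = g_sids
    return result

# Constructed sample: the two specs from the question plus a few neighbours.
EXAMPLE_RULES = [(1000000, "8000:9000"), (1000001, "[80,3128,8080]"),
                 (1000002, "[443,8080]"), (1000003, "any"), (1000004, "22")]

if __name__ == "__main__":
    for label, sids in group_rules(EXAMPLE_RULES).items():
        print(f"group {label}: {sids}")
```

Running it shows the 8000:9000 rule and the `any` rule sharing the ANY group, the two list rules merged through their common port 8080, and the port 22 rule as its own group.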