[Snort-sigs] FW: [Snort-users] proper usage of $SHELLCODE_PORTS ?

larosa, vjay larosa_vjay at ...375...
Tue Apr 30 20:02:02 EDT 2002


I think this will help you out. There was a discussion in the list a few
days ago on a 
similar topic.

vjl

-----Original Message-----
From: larosa, vjay 
Sent: Monday, April 22, 2002 11:13 AM
To: 'Martin Roesch'; 'Jon Hart'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] proper usage of $SHELLCODE_PORTS ?


O.Kay

So after reading through the link that Marty sent out, I guess these are the
options for the $SHELLCODE var,

1) A sequential range of ports, 
	1:1024 
	( 1 through 1024 )

2) A greater than or equal to option, 
	5000: 
	( 5000 or anything greater than 5000 )

3) A less than or equal to option, 
	:5000 
	( 5000 or anything less than 5000 )

4) Or you can apply the ! to negate any of the options stated above.
	!1:1024 
	( Not 1 through 1024 )


Thanks for the help Marty!

vjl
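As an added illustration (not code from the thread or from the Snort project), the matcher below implements exactly the four port-variable forms listed above: a single port, `low:high`, `low:`, `:high`, and a leading `!` to negate any of them. Unlike Snort 1.8.6, which Jon reports silently accepted `!80 and !515 and !9100 and !119`, this parser rejects anything outside those forms, including the `[a,b,c]` set syntax that Marty says arrives only in 2.0. The second helper shows the practical cost of lacking sets: the only single range that excludes several scattered noisy ports also excludes every port between them. The lower bound of 0 for `:high` is an assumption, as is the hypothetical helper naming.

```python
import re
from typing import Tuple

# Assumed port bounds for open-ended ranges (":5000" and "5000:").
PORT_MIN, PORT_MAX = 0, 65535

# One optional '!', optional low port, optional ':', optional high port.
_RANGE_RE = re.compile(r"^(!?)(\d*)(:?)(\d*)$")


def parse_port_spec(spec: str) -> Tuple[bool, int, int]:
    """Return (negated, low, high) for a Snort 1.x style port spec.

    Accepts only: "80", "1:1024", "5000:", ":5000" and any of those
    prefixed with "!". Raises ValueError for sets or free-form text.
    """
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    bang, lo_s, colon, hi_s = m.groups()
    if not lo_s and not hi_s:
        raise ValueError(f"empty port spec: {spec!r}")
    if colon:
        # Open-ended ranges default to the assumed port bounds.
        low = int(lo_s) if lo_s else PORT_MIN
        high = int(hi_s) if hi_s else PORT_MAX
    else:
        low = high = int(lo_s)  # a single port is a one-element range
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"range out of order or out of bounds: {spec!r}")
    return bool(bang), low, high


def accepts(spec: str) -> bool:
    """True if `spec` is one of the documented range forms."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def port_matches(spec: str, port: int) -> bool:
    """Would traffic on `port` be inspected under this port variable?"""
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negated else inside


def negated_range_covering(noisy_ports) -> Tuple[str, int]:
    """Hypothetical helper: the single negated range that excludes every
    port in `noisy_ports`, plus the number of other ports it also drops.
    This is the coverage trade-off a set like ![80,119,515,9100] avoids.
    """
    wanted = set(noisy_ports)
    low, high = min(wanted), max(wanted)
    collateral = (high - low + 1) - len(wanted)
    return f"!{low}:{high}", collateral


if __name__ == "__main__":
    # Constructed sample: the noisy ports from Jon's message.
    noisy = {80, 515, 9100, 119}
    for spec in ("!80", "1:1024", "5000:", ":5000", "!1:1024",
                 "![80,9100,119]", "!80 and !515 and !9100 and !119"):
        print(f"{spec!r:40} accepted={accepts(spec)}")
    print("port 119 inspected under '!80':", port_matches("!80", 119))
    print(negated_range_covering(noisy))
```

Running the script prints that the set and "and"-chained forms are rejected, that port 119 is still inspected under the default `!80`, and that `!80:9100` would silently drop 9017 other ports along with the four noisy ones.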


-----Original Message-----
From: Martin Roesch [mailto:roesch at ...435...]
Sent: Monday, April 22, 2002 10:01 AM
To: larosa, vjay; 'Jon Hart'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] proper usage of $SHELLCODE_PORTS ?


We don't support port sets at this time, only ranges and negation.  Check
out the writing Snort rules document:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.4

Port sets will be included in 2.0.

     -Marty


On 4/21/02 9:58 PM, "larosa, vjay" <larosa_vjay at ...375...> wrote:

> Correct me if I am wrong but I think this would be the syntax,
> 
> var SHELLCODE_PORTS ![80,9100,119]
> 
> Can anybody provide confirmation?
> 
> vjl
> 
> -----Original Message-----
> From: Jon Hart [mailto:jhart at ...289...]
> Sent: Sunday, April 21, 2002 5:40 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] proper usage of $SHELLCODE_PORTS ?
> 
> 
> Good afternoon,
> 
> After upgrading to 1.8.6 a few weeks ago, I've really come to love the
> SHELLCODE_PORTS variable that was tossed into the ruleset.
> 
> Since the default of "!80" still leaves a ton of false positives for me
> (yay NFS!), I've tried to axe out some troublesome ports by using the
> following directive:
> 
> var SHELLCODE_PORTS !80 and !515 and !9100 and !119
> 
> Whether or not that declaration is correct for $SHELLCODE_PORTS is not
> clear to me, but snort seems to parse it just fine.  Unfortunately, I just
> noticed a bunch of x86 NOOPS get detected on port 119, so I'm starting to
> think that my declaration is incorrect.
> 
> I've seen examples where people look for potential shellcode on specific
> ports, but I want to listen everywhere and ignore the heavy talkers.
> 
> I've tried setting SHELLCODE_PORTS like I do some of the other
> variables I've got, but that doesn't seem to work. i.e., the following
> host declaration works:
> 
> var HOME_NET [a.b.c.0/24,a.b.d.0/24,a.b.e.0/24]
> var NOT_HOME_NET !HOME_NET
> 
> ...but I couldn't get something similar to work with ports.  All I could
> find in the man page / users-guide were port ranges -- 1024:2049, 1024:,
> :1024 etc.
> 
> Any suggestions as to how I can get this to work?  Example configs would
> be great...
> 
> thanks in advance,
> 
> -jon
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
