[Snort-sigs] rules and protocol URL

Matt Kettler mkettler at ...189...
Mon Nov 10 07:48:04 EST 2003


At 08:52 AM 11/10/2003, Nosnos wrote:
>I want to know how to write a rule that only match traffic that correspond 
>to HTTP protocol ... ? I know that often rules try to match the port 80, 
>but I want a rules that detect http protocol and are not based on port 
>number ....
>
>(I want the same things for pop or stmp protocol) ...

Sorry, but snort's not capable of listening to every arbitrary port and 
determining what protocol is on it without being told in advance.. Offhand, 
I don't know of any products that do this as an IDS system.

You can use the uricontent to only match the URI part of a HTTP stream, but 
this is dependant on the http_decode preprocessor and what ports it's 
listening.





More information about the Snort-sigs mailing list