[Snort-sigs] HTTP_PORTS Question

Matthew Jonkman matt at ...2436...
Tue Jul 13 21:33:02 EDT 2004


Have a situation where we have a lot of proxied web users, and a lot of 
non-proxied users. My dilemma is where to set the HTTP_PORTS variable. 
Traffic on both 80 and 8080 will be passing the same sensors, can't 
separate it feasibly. So I only get HTTP coverage on one or the other 
currently since we can't do two ports in a rule.

I've had a few thoughts, I'm interested in hearing anyone else's 
experience here.

1. A second instance of snort on the same sensing interface with a 
tcpdump parameter to show it only 8080 traffic, and a whole new config 
for 8080. Would probably be best, but I'd prefer not to have another 
config to manage there. This is a good level of traffic interface, might 
start dropping packets??

2. Use 80:8080 for the HTTP_PORTS range. Probably a good deal higher 
load, and some extra false positives. Sloppy solution.

Any other ideas?

Matt
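An added example, not part of the original post, that expands Snort port-variable syntax so the two options can be compared: a single port, the `lo:hi` range form from option 2, and the bracketed list form `[80,8080]` that later Snort 2.x releases accept with `portvar`. The sample port values are constructed; negation (`!`) is not handled.

```python
# Added example: expand a Snort port spec and measure how many ports a
# given HTTP_PORTS setting matches beyond the ones actually wanted.

MAX_PORT = 65535


def parse_ports(spec: str) -> set[int]:
    """Return the set of TCP ports covered by a Snort port spec.

    Accepts "80", "80:8080", ":1024", "1024:" and a bracketed list such
    as "[80,8080,8000:8010]".  Raises ValueError on malformed input.
    """
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
    else:
        items = [spec]
    ports: set[int] = set()
    for item in items:
        if ":" in item:                      # lo:hi range, either side optional
            lo_s, hi_s = item.split(":", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else MAX_PORT
            if lo > hi:
                raise ValueError(f"inverted range: {item}")
            ports.update(range(lo, hi + 1))
        else:                                # single port
            ports.add(int(item))
    if any(p < 0 or p > MAX_PORT for p in ports):
        raise ValueError(f"port out of range in spec: {spec}")
    return ports


def covers(spec: str, port: int) -> bool:
    """True if the http_inspect/rule port variable would include `port`."""
    return port in parse_ports(spec)


def extra_ports(spec: str, wanted: set[int]) -> int:
    """Number of ports the spec matches that are NOT in the wanted set.

    This is the over-matching the post worries about with 80:8080: every
    port between the two is inspected as HTTP, raising load and FPs.
    """
    return len(parse_ports(spec) - wanted)


if __name__ == "__main__":
    wanted = {80, 8080}                      # constructed: the two ports in the post
    for spec in ("80", "80:8080", "[80,8080]"):
        print(f"{spec:12} covers 80={covers(spec, 80)!s:5} "
              f"8080={covers(spec, 8080)!s:5} extra={extra_ports(spec, wanted)}")
```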