[Snort-sigs] HTTP_PORTS Question
matt at ...2436...
Tue Jul 13 21:33:02 EDT 2004
Have a situation where we have a lot of proxied web users, and a lot of
non-proxied users. My dilemma is where to set the HTTP_PORTS variable.
Traffic on both 80 and 8080 will be passing the same sensors; can't
separate it feasibly. So I only get http coverage on one or the other
currently, since we can't do 2 ports in a rule.

I've had a few thoughts; I'm interested in hearing anyone else's.

1. A second instance of snort on the same sensing interface with a
tcpdump parameter to show it only 8080 traffic, and a whole new config
for 8080. Would probably be best, but I'd prefer not to have another
config to manage there. This is a good level of traffic interface, might
start dropping packets??

2. Use 80:8080 for the HTTP_PORTS range. Probably a good deal higher
load, and some extra false positives. Sloppy solution.

Any other ideas?
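As an added illustration (not part of the original post), here is what the two options look like as Snort 2.x configuration; the sensor interface name, config file paths and the 8080-only rule file are assumptions, and the http_inspect_server options shown are the ones I'd expect in a 2.1/2.2-era snort.conf.

```conf
# --- Option 2: one instance, HTTP_PORTS as a range ---------------------
# Every rule using $HTTP_PORTS now fires on any destination port 80..8080,
# so a rule written for port 80 is also evaluated against unrelated
# services inside that range (the extra load / false positives noted above).
var HTTP_PORTS 80:8080

# The port list that http_inspect normalizes is independent of HTTP_PORTS;
# without listing 8080 here the proxy traffic is matched raw, and
# URI-based rules (uricontent) will miss on it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300

# --- Option 1: second instance, BPF filter limits it to 8080 -----------
# Run as two processes on the same interface (eth1 is assumed).  The BPF
# expression at the end of the command line is applied in the kernel, so
# the 8080 instance only ever sees proxy traffic and runs a config whose
# HTTP_PORTS is a single port.  Each instance has its own packet counters,
# so drops can be watched per process (kill -USR1 prints the stats).
#   snort -i eth1 -c /etc/snort/snort-80.conf   'tcp port 80'
#   snort -i eth1 -c /etc/snort/snort-8080.conf 'tcp port 8080'
#
# snort-8080.conf only differs in:
#   var HTTP_PORTS 8080
#   preprocessor http_inspect_server: server default ports { 8080 } flow_depth 300
```

With option 2 the rules still carry `flow:to_server,established` checks, so the range mostly costs detection time on non-HTTP sessions in 81-8079 rather than producing alerts by itself.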