[Snort-sigs] HTTP_PORTS Question
sekure at ...2420...
Wed Jul 14 06:09:24 EDT 2004
I believe another solution is to first define var HTTP_PORTS 80 and
load all of your http rules, then redefine var HTTP_PORTS 8080 and
reload the same rules. Essentially saying:
var HTTP_PORTS 80
var HTTP_PORTS 8080
i am not sure if this is more or less system load than defining
HTTP_PORTS 80:8080. It would be great to get someone knowledgable to
On Tue, 13 Jul 2004 23:32:00 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> Have a situation where we have a lot of proxied web users, and a lot of
> non-proxied users. My dilemma is where to set the HTTP_PORTS variable.
> Traffic on both 80 and 8080 will be passing the same sensors, can't
> separate it feasibly. So I only get http coverage on one or the other
> currently since we can't do 2 ports in a rule.
> I've had a few thoughts, I'm interested in hearing anyone else's
> experience here.
> 1. A second instance of snort on the same sensing interface with a
> tcpdump parameter to show it only 8080 traffic, and a whole new config
> for 8080. Would probably be best, but I'd prefer not to have another
> config to manage there. This is a good level of traffic interface, might
> start dropping packets??
> 2. Use 80:8080 for the HTTP_PORTS range. Probably a good deal higher
> load, and some extra false positives. Sloppy solution.
> Any other ideas?
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
More information about the Snort-sigs