[Snort-sigs] HTTP_PORTS Question

sekure sekure at ...2420...
Wed Jul 14 06:09:24 EDT 2004


Matt,

I believe another solution is to first define var HTTP_PORTS 80 and
load all of your http rules, then redefine var HTTP_PORTS 8080 and
reload the same rules.  Essentially saying:

var HTTP_PORTS 80
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-apache.rules
etc....
var HTTP_PORTS 8080
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-apache.rules
etc....

I am not sure if this is more or less system load than defining
HTTP_PORTS 80:8080.  It would be great to get someone knowledgeable to
comment.


On Tue, 13 Jul 2004 23:32:00 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> Have a situation where we have a lot of proxied web users, and a lot of
> non-proxied users. My dilemma is where to set the HTTP_PORTS variable.
> Traffic on both 80 and 8080 will be passing the same sensors, can't
> separate it feasibly. So I only get http coverage on one or the other
> currently since we can't do 2 ports in a rule.
> 
> I've had a few thoughts, I'm interested in hearing anyone else's
> experience here.
> 
> 1. A second instance of snort on the same sensing interface with a
> tcpdump parameter to show it only 8080 traffic, and a whole new config
> for 8080. Would probably be best, but I'd prefer not to have another
> config to manage there. This interface sees a good level of traffic;
> might it start dropping packets??
> 
> 2. Use 80:8080 for the HTTP_PORTS range. Probably a good deal higher
> load, and some extra false positives. Sloppy solution.
> 
> Any other ideas?
> 
> Matt
> 
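To make the trade-off in this thread concrete, here is an added example (not from either poster, and not part of Snort) that models how a Snort 2.x port spec such as 80:8080 matches, counts how many ports beyond 80 and 8080 that range silently covers, and generates the "redefine HTTP_PORTS and re-include" fragment for any list of ports. The port-spec grammar handled (single port, lo:hi, open-ended :N and N:, !spec, any) is assumed from Snort's documented syntax.

```python
"""Added example: compare the two HTTP_PORTS strategies from the thread."""


def port_matches(spec: str, port: int) -> bool:
    """True if `port` falls inside a Snort-style port spec (assumed grammar)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                      # negation: !80, !80:8080
        return not port_matches(spec[1:], port)
    if ":" in spec:                               # range, possibly open-ended
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def ports_covered(spec: str) -> set:
    """Every TCP port the spec matches; used to measure over-matching."""
    return {p for p in range(65536) if port_matches(spec, p)}


def unintended_ports(spec: str, wanted: set) -> int:
    """How many ports a spec inspects that the operator did not ask for.
    For 80:8080 with wanted={80, 8080} this is the false-positive surface
    Matt was worried about: 8001 ports covered, 7999 of them unintended."""
    return len(ports_covered(spec) - wanted)


def two_pass_config(ports, rule_files) -> str:
    """Generate the fragment from the reply: redefine the var, re-include
    the same rule files once per port. Only the ports listed are covered."""
    lines = []
    for p in ports:
        lines.append(f"var HTTP_PORTS {p}")
        lines.extend(f"include $RULE_PATH/{f}" for f in rule_files)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input matching the thread: two ports, two rule files.
    wanted = {80, 8080}
    print("80:8080 covers", len(ports_covered("80:8080")), "ports,",
          unintended_ports("80:8080", wanted), "of them unintended")
    print(two_pass_config(sorted(wanted), ["web-iis.rules", "web-apache.rules"]))
```

Whether a given Snort release accepts the same rule file (and therefore the same SIDs) included twice is something to confirm on your own version, so run the generated fragment through `snort -T` before deploying it.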