[Snort-sigs] HTTP_PORTS Question

Matthew Jonkman matt at ...2436...
Wed Jul 14 06:18:33 EDT 2004


Thanks for the reply. I'd be interested to know if anyone has experience 
with the load that might cause.

Going to try it anyway. :)

Thanks

Matt

sekure wrote:

> Matt,
> 
> I believe another solution is to first define var HTTP_PORTS 80 and
> load all of your http rules, then redefine var HTTP_PORTS 8080 and
> reload the same rules.  Essentially saying:
> 
> var HTTP_PORTS 80
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-apache.rules
> etc....
> var HTTP_PORTS 8080
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-apache.rules
> etc....
> 
> I am not sure if this is more or less system load than defining
> HTTP_PORTS 80:8080.  It would be great to get someone knowledgeable to
> comment.
> 
> 
> On Tue, 13 Jul 2004 23:32:00 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> 
>>Have a situation where we have a lot of proxied web users, and a lot of
>>non-proxied users. My dilemma is where to set the HTTP_PORTS variable.
>>Traffic on both 80 and 8080 will be passing the same sensors, can't
>>separate it feasibly. So I only get http coverage on one or the other
>>currently since we can't do 2 ports in a rule.
>>
>>I've had a few thoughts, I'm interested in hearing anyone else's
>>experience here.
>>
>>1. A second instance of snort on the same sensing interface with a
>>tcpdump parameter to show it only 8080 traffic, and a whole new config
>>for 8080. Would probably be best, but I'd prefer not to have another
>>config to manage there. This interface carries a good level of traffic;
>>might it start dropping packets?
>>
>>2. Use 80:8080 for the HTTP_PORTS range. Probably a good deal higher
>>load, and some extra false positives. Sloppy solution.
>>
>>Any other ideas?
>>
>>Matt
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
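As an added illustration (my own code, not from anyone in this thread and not part of the Snort distribution), the following script models what the two options under discussion do to a Snort 2.x rule set: one copy of the rules with `var HTTP_PORTS 80:8080`, versus sekure's suggestion of including the same rule files twice with `HTTP_PORTS` bound to 80 and then 8080. It resolves `$HTTP_PORTS` in rule headers the way Snort does, so you can see that the range form makes every web rule inspect all 8001 ports from 80 through 8080 (443, 1433, 3128 and 3306 included), while the double-include form doubles the number of rule instances Snort holds but inspects only the two ports you care about. The two rules are constructed samples with SIDs in the local range, not the real web-iis/web-apache rules; the `[80,8080]` list form the expander also accepts is the `portvar` syntax that later Snort 2.x releases added, which the 2004-era `var` in this thread did not have.

```python
"""Model Snort 2.x HTTP_PORTS handling: range vs. double include (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAX_PORT = 65535

# Snort rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed sample rules (not the real web-iis.rules / web-apache.rules).
SAMPLE_RULES = """\
# constructed sample rules, local SID range
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-APACHE sample traversal"; flow:to_server,established; content:"../"; sid:9000002; rev:1;)
"""


def expand_ports(spec: str, variables: Optional[Dict[str, str]] = None) -> Set[int]:
    """Expand a Snort port expression into the set of ports it matches.

    Handles any, N, N:M, :M, N:, $VAR, !X and the [a,b,c:d] list form
    (the list form is later Snort 2.x portvar syntax, assumed here).
    """
    variables = variables or {}
    spec = spec.strip()
    if spec.startswith("!"):
        return set(range(MAX_PORT + 1)) - expand_ports(spec[1:], variables)
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise KeyError(f"undefined port variable ${name}")
        return expand_ports(variables[name], variables)
    if spec == "any":
        return set(range(MAX_PORT + 1))
    if spec.startswith("[") and spec.endswith("]"):
        ports: Set[int] = set()
        for item in spec[1:-1].split(","):
            ports |= expand_ports(item, variables)
        return ports
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else MAX_PORT
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range {spec}")
        return set(range(lo, hi + 1))
    port = int(spec)
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"bad port {spec}")
    return {port}


def load_rules(rules_text: str, variables: Dict[str, str]) -> List[Tuple[int, Set[int]]]:
    """Parse rule headers with the given variable bindings; returns (sid, dst ports)."""
    loaded = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line[:60]}")
        sid = SID_RE.search(m["opts"])
        if sid is None:
            raise ValueError("rule without sid")
        loaded.append((int(sid.group(1)), expand_ports(m["dport"], variables)))
    return loaded


def option_range(rules_text: str = SAMPLE_RULES, port_range: str = "80:8080"):
    """Option A from the thread: one rule set, HTTP_PORTS bound to a range."""
    return load_rules(rules_text, {"HTTP_PORTS": port_range})


def option_double_include(rules_text: str = SAMPLE_RULES,
                          port_values: Iterable[str] = ("80", "8080")):
    """Option B from the thread: the same rule file loaded once per HTTP_PORTS value."""
    loaded = []
    for value in port_values:
        loaded.extend(load_rules(rules_text, {"HTTP_PORTS": value}))
    return loaded


def double_include_config(rule_files: Iterable[str], port_values: Iterable[str],
                          var: str = "HTTP_PORTS") -> str:
    """Emit the snort.conf fragment for option B: var ..., then the includes, repeated."""
    lines = []
    for value in port_values:
        lines.append(f"var {var} {value}")
        lines.extend(f"include $RULE_PATH/{name}" for name in rule_files)
    return "\n".join(lines) + "\n"


def rules_inspecting_port(loaded, dport: int) -> List[int]:
    """SIDs whose header matches a destination port (duplicate instances kept)."""
    return [sid for sid, ports in loaded if dport in ports]


def summarize(loaded) -> Dict[str, int]:
    """Rule instances Snort would hold and the distinct destination ports they cover."""
    covered: Set[int] = set()
    for _, ports in loaded:
        covered |= ports
    return {"rule_instances": len(loaded), "distinct_ports": len(covered)}


if __name__ == "__main__":
    print("range  :", summarize(option_range()))
    print("double :", summarize(option_double_include()))
    for p in (80, 443, 1433, 3128, 8080):
        print(f"port {p}: range={rules_inspecting_port(option_range(), p)} "
              f"double={rules_inspecting_port(option_double_include(), p)}")
    print(double_include_config(["web-iis.rules", "web-apache.rules"], ["80", "8080"]))
```

The numbers are the practical caveat: with the range form, every rule that carries `$HTTP_PORTS` fires its content checks on ports such as 443, 1433, 3128 and 3306 as well, which is where the extra load and false positives come from; with the double include, the rule count doubles but each instance is keyed to exactly one port.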





