[Snort-sigs] HTTP_PORTS Question

Matthew Jonkman matt at ...2436...
Wed Jul 14 06:47:45 EDT 2004


That seems to be working well, with one caveat.

Any rules with a threshold in the duplicated sets will kill snort, i.e.:

FATAL ERROR: Rule-Threshold-Parse: could not create a threshold object 
-- only one per sid, sid = 2000328

So any rulesets you duplicate cannot have a threshold, or you need to 
make a new copy and pull the thresholds out. Pain in the butt, but it'll 
work.

Thanks

Matt

sekure wrote:

> Matt,
> 
> I believe another solution is to first define var HTTP_PORTS 80 and
> load all of your http rules, then redefine var HTTP_PORTS 8080 and
> reload the same rules.  Essentially saying:
> 
> var HTTP_PORTS 80
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-apache.rules
> etc....
> var HTTP_PORTS 8080
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-apache.rules
> etc....
> 
> I am not sure if this is more or less system load than defining
> HTTP_PORTS 80:8080.  It would be great to get someone knowledgeable to
> comment.
> 
> 
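
Added example, not part of the original thread: a Python pre-flight check that finds rules files included more than once in a snort.conf and lists the sids in them that carry an inline threshold, which is the condition behind the FATAL ERROR quoted above. The sample config and rules are constructed (only sid 2000328 and the web-*.rules includes come from the thread), and the check assumes one rule per line.

```python
import re
from collections import Counter

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.M)  # commented-out includes do not match
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
THRESHOLD_RE = re.compile(r"\bthreshold\s*:")

def duplicated_includes(conf_text):
    """Return include paths that appear more than once in the config text."""
    counts = Counter(INCLUDE_RE.findall(conf_text))
    return sorted(path for path, n in counts.items() if n > 1)

def threshold_sids(rules_text):
    """Return sids of active (uncommented) rules with an inline threshold option."""
    sids = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if sid and THRESHOLD_RE.search(line):
            sids.append(int(sid.group(1)))
    return sids

def find_conflicts(conf_text, rule_files):
    """Map each multiply-included rules file to the sids that would abort startup."""
    conflicts = {}
    for path in duplicated_includes(conf_text):
        sids = threshold_sids(rule_files.get(path, ""))
        if sids:
            conflicts[path] = sids
    return conflicts

# Constructed sample input: the include layout from the thread plus made-up rules.
SAMPLE_CONF = """var HTTP_PORTS 80
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-apache.rules
var HTTP_PORTS 8080
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-apache.rules
include $RULE_PATH/dns.rules
"""
THRESH = "threshold: type limit, track by_src, count 1, seconds 60;"
SAMPLE_RULES = {
    "$RULE_PATH/web-iis.rules": f'alert tcp any any -> any $HTTP_PORTS (msg:"constructed A"; {THRESH} sid:2000328; rev:1;)\n',
    "$RULE_PATH/web-apache.rules": 'alert tcp any any -> any $HTTP_PORTS (msg:"constructed B"; sid:1000001; rev:1;)\n',
    "$RULE_PATH/dns.rules": f'alert udp any any -> any 53 (msg:"constructed C"; {THRESH} sid:1000003; rev:1;)\n',
}

if __name__ == "__main__":
    for path, sids in find_conflicts(SAMPLE_CONF, SAMPLE_RULES).items():
        print(f"{path}: included more than once, thresholds on sid(s) {sids}")
```

Rules reported here are the ones to strip thresholds from in the duplicated copy; dns.rules is not flagged because it is included only once.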




