[Snort-sigs] HTTP_PORTS Question
bmc at ...95...
Wed Jul 14 07:16:55 EDT 2004
On Wed, Jul 14, 2004 at 07:53:25AM -0500, Matthew Jonkman wrote:
> If I understand you here, you're saying the order of arguments in the
> snort.conf makes a difference? The variable would be read and the web
> rules included, then the variable changed and the web rules read again?
> I thought the rules optimizer code in snort would exclude duplicate
> sid's? I take it not.
Nope. This cheezeball mechanism of port lists will wreck havoc with
things like thresholding & suppression, which are gen/sid based...
But, for the most part, it is a workable solution.
More information about the Snort-sigs