[Snort-sigs] HTTP_PORTS Question

Brian bmc at ...95...
Wed Jul 14 07:16:55 EDT 2004


On Wed, Jul 14, 2004 at 07:53:25AM -0500, Matthew Jonkman wrote:
> If I understand you here, you're saying the order of arguments in the 
> snort.conf makes a difference? The variable would be read and the web 
> rules included, then the variable changed and the web rules read again?

Yep.

> I thought the rules optimizer code in snort would exclude duplicate 
> sid's? I take it not.

Nope.  This cheezeball mechanism of port lists will wreck havoc with
things like thresholding & suppression, which are gen/sid based... 

But, for the most part, it is a workable solution.

-b




More information about the Snort-sigs mailing list