[Snort-users] RE: [Snort-sigs] ports

Joe Patterson jpatterson at ...2901...
Wed Jan 5 08:56:02 EST 2005


right, but that's not what you had.  It makes a world of difference if you
write it as an equivalent to:

var SPECIFIC_PORT 21
alert tcp any $SPECIFIC_PORT -> any any blah blah.
var SPECIFIC_PORT 110
alert tcp any $SPECIFIC_PORT -> any any blah blah.

Because you're re-defining that variable between the invocations of the
rule.  If you've only got one rule, it's kind of pointless to do it this
way.  If you've got a bunch, it could be handy (i.e., you've got a bunch of
IIS servers listening on both port 80 and 8080, so you do:

var HTTP_PORT 80
include web-iis.rules
var HTTP_PORT 8080
include web-iis.rules
)

-Joe

> -----Original Message-----
> From: Jason [mailto:security at ...704...]
> Sent: Wednesday, January 05, 2005 11:39 AM
> To: Joe Patterson
> Cc: snort-sigs at lists.sourceforge.net; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] RE: [Snort-sigs] ports
>
>
> IIRC this is in the FAQ or the manual
>
> var SPECIFIC_PORT 21
> include port_list.rules
>
> var SPECIFIC_PORT 110
> include port_list.rules
>
> Joe Patterson wrote:
> >
> > um, false.  The second variable definition would override the first,
> > which would leave you with the equivalent of:
> >
> > alert tcp any 110 -> any any blah blah
> > which is not what you want.
> >
> > -Joe
> >
> >     -----Original Message-----
> >     *From:* snort-sigs-admin at lists.sourceforge.net
> >     [mailto:snort-sigs-admin at lists.sourceforge.net]*On Behalf Of *Esler,
> >     Joel - Contractor
> >     *Sent:* Wednesday, January 05, 2005 8:01 AM
> >     *To:* snort-sigs at lists.sourceforge.net;
> >     snort-users at lists.sourceforge.net
> >     *Subject:* RE: [Snort-sigs] ports
> >
> >     you can't do a list of ports, the best you can do is something like
> >
> >     ---snort.conf----
> >     var SPECIFIC_PORT 21
> >     var SPECIFIC_PORT 110
> >
> >     then in your rule
> >
> >     alert tcp any $SPECIFIC_PORT -> any any blah blah.
> >
> >         -----Original Message-----
> >         *From:* snort-sigs-admin at lists.sourceforge.net
> >         [mailto:snort-sigs-admin at lists.sourceforge.net] *On Behalf Of
> >         *reynald
> >         *Sent:* Tuesday, January 04, 2005 10:49 PM
> >         *To:* snort-sigs at lists.sourceforge.net
> >         *Cc:* Reynald Mahinay
> >         *Subject:* [Snort-sigs] ports
> >
> >         Hello,
> >
> >         How can I define a list of ports? e.g. 25,110 doesn't work... Now
> >         I know snort can do
> >         port ranging, but how about a specific list of ports only.
> >
> >         please help..thanks
> >
> >
> >         reynald
>
>
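
The difference between the two layouts argued over in this thread, as an added example that is not from any of the posters or from Snort itself: a simplified Python model in which a variable is substituted into a rule at the moment the rule line is read. The rule body, the two `.conf` names and the `expand`/`source_ports` helpers are hypothetical; `port_list.rules` is the file name used in the thread.

```python
import re

# Constructed sample files (illustrative content, not real Snort rule sets).
FILES = {
    "port_list.rules":
        'alert tcp any $SPECIFIC_PORT -> any any (msg:"constructed example";)\n',
    # Both definitions come before the rule is read.
    "overridden.conf":
        "var SPECIFIC_PORT 21\nvar SPECIFIC_PORT 110\ninclude port_list.rules\n",
    # The variable is redefined between two includes of the same rules file.
    "reincluded.conf":
        "var SPECIFIC_PORT 21\ninclude port_list.rules\n"
        "var SPECIFIC_PORT 110\ninclude port_list.rules\n",
}

def expand(name, files=FILES, variables=None, out=None):
    """Return the rules reached from `name`, with each $VAR replaced by the
    value it holds at the point where that rule line is read."""
    variables = {} if variables is None else variables
    out = [] if out is None else out
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "var":
            var_name, value = rest.split(None, 1)
            variables[var_name] = value  # a later definition replaces the earlier one
        elif keyword == "include":
            # The included file is read with whatever values are current now.
            expand(rest.strip(), files, variables, out)
        else:
            # Rule line: substitute immediately; an undefined name raises KeyError.
            out.append(re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], line))
    return out

def source_ports(rules):
    """Source-port field (4th token of the rule header) of each expanded rule."""
    return [rule.split()[3] for rule in rules]

if __name__ == "__main__":
    for conf in ("overridden.conf", "reincluded.conf"):
        print(conf, "->", source_ports(expand(conf)))
```
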




