[Snort-users] RE: [Snort-sigs] ports

Joe Patterson jpatterson at ...2901...
Wed Jan 5 10:53:03 EST 2005


> -----Original Message-----
> From: Jason [mailto:security at ...704...]
[...]

> Joe Patterson wrote:
> > right, but that's not what you had.  It makes a world of
> > difference if you write it as an equivalent to:
>
> [...]
>
> - I had nothing.

Sorry, I mis-attributed the original response, which wasn't yours.  Mea
culpa.  Should have read "that's not what he had".

> - "um, false..." is not value.

And if that had been the total content of my reply, then it would have been
pointless to send.  But there *was* some more content, specifically the
*reason* why the proposed solution wouldn't work as advertised.

> - If you knew the proper answer why didn't you provide it in your first
> reply?

The completely proper answer is that, AFAIK, if you want to do the same
content etc. checks on two or more non-contiguous ports, you cannot do it
with one rule, it must be done with multiple rules.  There are several ways
to cause snort to see multiple rules.  The most basic method is to simply
write multiple rules.  A slightly more elegant, but still kludgy, method is
described in the FAQ (4.27).  I didn't realize that Joel was attempting to
explain what the FAQ said until you pointed out what he may have meant.  It
then became clear that there was a more proper answer.  And I'm not even
sure that it really is a proper answer.  The original poster didn't specify
whether he has a single rule that he wants to apply a port list to, or a
whole bunch of them.  If it's a single rule, then, IMHO, it's better to have
multiple instances of the rule, one for each port.  If it's a whole bunch of
rules, then it makes more sense to me to use the method from the FAQ, put
them all in one rule file, and have multiple includes with variable
re-definitions between them.  Functionally, it's the same either way, it's
just a matter of rule file maintainability and cleanliness.

> - Thx for playing.

Always a pleasure.

-Joe
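To make the two approaches Joe describes concrete, here is an added example that is not part of the thread: one content check applied to ports 80 and 8080, first as two separate rules and then as a single rule file included twice with the port variable redefined between the includes (the FAQ method). The rule itself, the sids, the variable name and the file name are hypothetical placeholders.

```snort
# Approach 1: simply write multiple rules, one per port.
# (Hypothetical rule; sids 1000001/1000002 are placeholders, pick your own in the local range.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL cmd.exe request on port 80"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL cmd.exe request on port 8080"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)

# Approach 2 (the FAQ method): put all the rules that share the port list in one
# file and reference the port through a variable instead of a literal.
# --- contents of the hypothetical file $RULE_PATH/local-web.rules ---
alert tcp $EXTERNAL_NET any -> $HOME_NET $LOCAL_WEB_PORT (msg:"LOCAL cmd.exe request"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)

# --- in snort.conf: include that file once per port, redefining the variable
# between the includes. Snort reads the config top to bottom and expands
# $LOCAL_WEB_PORT at the moment each include is parsed, so each include
# produces a separate rule carrying the port that was current at that point. ---
var LOCAL_WEB_PORT 80
include $RULE_PATH/local-web.rules
var LOCAL_WEB_PORT 8080
include $RULE_PATH/local-web.rules
```

Two things to check before relying on the second form. Every copy produced by the repeated include carries the same sid, so alerts from the two ports are not distinguishable by sid in your alert output, and newer Snort releases complain about duplicate sid/rev pairs; run `snort -T -c snort.conf` against your own version to confirm it loads. Also note the thread predates the port-list syntax (for example `[80,8080]` in the rule header) that later Snort releases added, which removes the need for either workaround.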
