[Snort-users] RE: [Snort-sigs] ports

Jason security at ...704...
Wed Jan 5 13:16:07 EST 2005


> 
>>- If you knew the proper answer why didn't you provide it in your first
>>reply?
> 
> 
> The completely proper answer is that, AFAIK, if you want to do the same
> content etc. checks on two or more non-contiguous ports, you cannot do it
> with one rule, it must be done with multiple rules.  There are several ways
> to cause snort to see multiple rules.  The most basic method is to simply
> write multiple rules.  A slightly more elegant, but still kludgy, method is
> described in the FAQ (4.27).  I didn't realize that Joel was attempting to
> explain what the FAQ said until you pointed out what he may have meant.  It
> then became clear that there was a more proper answer.  And I'm not even
> sure that it really is a proper answer.  The original poster didn't specify
> whether he has a single rule that he wants to apply a port list to, or a
> whole bunch of them.  If it's a single rule, then, IMHO, it's better to have
> multiple instances of the rule, one for each port.  If it's a whole bunch of
> rules, then it makes more sense to me to use the method from the FAQ, put
> them all in one rule file, and have multiple includes with variable
> re-definitions between them.  Functionally, it's the same either way, it's
> just a matter of rule file maintainability and cleanliness.
> 

Now that is worth reading. More replies should go to this level of detail.

To be fair, it is not exactly clear how to do this in the FAQ [0] 
either. You have to combine question 4.26 with 4.27 to get the complete 
picture.

-- snip --
4.26 How can I specify a list of ports in a rule?

You can't yet. You can specify a range of ports between X and Y with the
notation X:Y. See the users manual^[*] for more info on port ranges.

4.27 How can I protect web servers running on ports other than 80?

It is possible... It's a kludge, but it can work. Since the newer rules 
use $HTTP_PORTS variable, you simply reset it and re-run the rules for 
the other ports.

For example:

     var HTTP_PORTS 80

     include web.rules

     var HTTP_PORTS 8080

     include web.rules


-- snip --

> 
>>- Thx for playing.
> 
> 
> always a pleasure.
> 

:-)


[0] - http://www.snort.org/docs/FAQ.txt
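As an added illustration (not part of the thread, and not Snort's own parser): a small Python script that mimics both approaches from the reply above, generating one rule per non-contiguous port from a template, and expanding a constructed snort.conf fragment that re-defines HTTP_PORTS between two includes of the same rule file the way FAQ 4.27 describes. The rule text, the config fragment and the file name web.rules are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed Snort 2.x-style rule template (not from the thread).
# "$PORT" marks where each individual port gets substituted.
RULE_TEMPLATE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $PORT '
    '(msg:"WEB-MISC example admin request"; flow:to_server,established; '
    'content:"/admin"; nocase; sid:1000001; rev:1;)'
)

# Constructed config fragment modelled on FAQ 4.27, plus the rule file it includes.
SNORT_CONF = """
var HOME_NET 192.168.1.0/24
var HTTP_PORTS 80
include web.rules
var HTTP_PORTS 8080
include web.rules
"""
WEB_RULES = ('alert tcp any any -> $HOME_NET $HTTP_PORTS '
             '(msg:"web example"; content:"/admin"; sid:1000002; rev:1;)\n')


def expand_ports(template: str, ports: list[int]) -> list[str]:
    """The 'most basic method': emit one copy of the rule per port.
    The sid is bumped per copy so every generated rule carries a distinct sid."""
    rules = []
    for i, port in enumerate(ports):
        rule = template.replace("$PORT", str(port))
        rule = re.sub(r"sid:(\d+);", lambda m: f"sid:{int(m.group(1)) + i};", rule)
        rules.append(rule)
    return rules


def expand_config(config: str, files: dict[str, str]) -> list[str]:
    """Simulate the FAQ 4.27 kludge: walk 'var NAME value' and 'include file'
    lines in order, substituting the variables current at each include.
    Re-defining HTTP_PORTS between two includes yields two rule sets."""
    variables: dict[str, str] = {}
    out = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("include "):
            _, fname = line.split(None, 1)
            for rule in files[fname].splitlines():
                if rule.strip():
                    for name, value in variables.items():
                        rule = rule.replace(f"${name}", value)
                    out.append(rule)
    return out
```

Running expand_config on SNORT_CONF shows the rule file instantiated twice, once for port 80 and once for 8080, which is what the double include achieves.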
