gamancio at ...2951... - Bayesian Filter detected spam - RE: [Snort-users] RE: [Snort-sigs] ports

Esler, Joel - Contractor joel.esler at ...783...
Thu Jan 6 09:37:32 EST 2005


Alrighty, break it up..  ;)

I was incorrect, you're right.  According to the "TODO" included with
2.3.0RC2, port ranges are being worked on, so hopefully that will be
fixed soon.

Joel

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Joe
Patterson
Sent: Wednesday, January 05, 2005 1:52 PM
To: Jason
Cc: snort-sigs at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] RE: [Snort-sigs] ports


> -----Original Message-----
> From: Jason [mailto:security at ...704...]
[...]

> Joe Patterson wrote:
> > right, but that's not what you had.  It makes a world of
> difference if you
> > write it as an equivalent to:
>
> [...]
>
> - I had nothing.

Sorry, I mis-attributed the original response, which wasn't yours.  Mea
culpa.  Should have read "that's not what he had".

> - "um, false..." is not value.

And if that had been the total content of my reply, then it would have
been pointless to send.  But there *was* some more content, specifically
the *reason* why the proposed solution wouldn't work as advertised.

> - If you knew the proper answer why didn't you provide it in your 
> first reply?

The completely proper answer is that, AFAIK, if you want to do the same
content etc. checks on two or more non-contiguous ports, you cannot do
it with one rule, it must be done with multiple rules.  There are
several ways to cause snort to see multiple rules.  The most basic
method is to simply write multiple rules.  A slightly more elegant, but
still kludgy, method is described in the FAQ (4.27).  I didn't realize
that Joel was attempting to explain what the FAQ said until you pointed
out what he may have meant.  It then became clear that there was a more
proper answer.  And I'm not even sure that it really is a proper answer.
The original poster didn't specify whether he has a single rule that he
wants to apply a port list to, or a whole bunch of them.  If it's a
single rule, then, IMHO, it's better to have multiple instances of the
rule, one for each port.  If it's a whole bunch of rules, then it makes
more sense to me to use the method from the FAQ, put them all in one
rule file, and have multiple includes with variable re-definitions
between them.  Functionally, it's the same either way, it's just a
matter of rule file maintainability and cleanliness.

> - Thx for playing.

Always a pleasure.

-Joe
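The two approaches Joe describes above (one rule per port, or one rules file included several times with a variable redefined before each include) can be generated rather than maintained by hand. The following Python helpers are an added example written for this page, not code from the thread, the Snort project or its FAQ. The rule template, the `content` pattern, the `WEB_PORT` variable name and the sid range are all constructed for illustration; the thread says nothing about sid handling, so the one-sid-per-expanded-rule scheme is this example's own choice (sids must be unique within a ruleset).

```python
"""
Expand one Snort rule template across a list of non-contiguous ports.

Constructed example (not from the original thread). The thread's premise is
that a Snort 2.x rule header of that era takes one port (or a contiguous
range) but not a list of scattered ports, so applying the same content
check to ports 80, 8080 and 8888 needs either one rule per port or the
include-with-variable-redefinition trick from the FAQ. Both helpers below
produce plain text that can be pasted into a rules file or snort.conf.
"""
import re

# Assumed rule template: {port} and {sid} are filled in per expansion.
TEMPLATE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET {port} '
    '(msg:"EXAMPLE web request to port {port}"; '
    'flow:to_server,established; content:"/cmd.exe"; nocase; '
    'sid:{sid}; rev:1;)'
)

def expand_ports(template, ports, base_sid):
    """Method 1: one rule per port. Duplicate ports are collapsed and the
    result is sorted so the generated sids are stable between runs.
    base_sid is a constructed starting point in the local (1000000+) range."""
    rules = []
    for offset, port in enumerate(sorted(set(ports))):
        rules.append(template.format(port=port, sid=base_sid + offset))
    return rules

def include_with_var(rules_file, var_name, ports):
    """Method 2 (the FAQ trick as described in the thread): emit snort.conf
    lines that include the same rules file once per port, redefining the
    variable the rules reference (e.g. '$WEB_PORT') before each include."""
    lines = []
    for port in sorted(set(ports)):
        lines.append(f"var {var_name} {port}")
        lines.append(f"include {rules_file}")
    return lines

# Pull the destination port back out of a generated rule header.
PORT_RE = re.compile(r"->\s+\$HOME_NET\s+(\d+)\s+\(")

def ports_covered(rules):
    """Sanity check: every requested port appears in exactly one rule."""
    return sorted(int(PORT_RE.search(r).group(1)) for r in rules)

if __name__ == "__main__":
    wanted = [8080, 80, 8888]          # constructed, non-contiguous port set
    for rule in expand_ports(TEMPLATE, wanted, 1000001):
        print(rule)
    print()
    print("\n".join(include_with_var("web-ports.rules", "WEB_PORT", wanted)))
```

The expansion keeps `{port}` in the `msg` as well, so an alert still tells the analyst which instance fired; with the include method every instance shares one `msg`, which is the maintainability trade-off Joe points to when he says the two are functionally the same.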



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users