[Snort-sigs] Port agnostic application layer protocol identification and parsing

Miso Patel miso.patel at ...2420...
Fri Nov 18 11:42:18 EST 2011


I know Snort can do application layer parsing of certain protocols
like HTTP, FTP, SMTP, etc. but can Snort identify these across all
ports or do you have to specify specific ports?  I saw in snortconf
that you specify ports for server in http_inspect. I suppose one could
specify all 65,536 ports to look on but does that impact performance?
Has anyone tried this?

Sometimes I worry people will set up a FTP server or HTTP proxy at
home on an ephemeral port like 65535 and we won't see it and they can
bypass web filters and firewalls.

Thank you.

Miso, CISO




More information about the Snort-sigs mailing list