[Snort-users] multiple HTTP_PORTS

Chris Connelly dev_zer0 at ...125...
Thu Jun 20 11:23:02 EDT 2002

I'm using Snort 1.8.6 with the newest signatures.

I noticed that in a recent signature release, the $HTTP_PORTS variable was 
added in all the web-* signatures, and my environment has HTTP servers on 
ports 80, 8080, 1080, 81, and 8081 (changing that is NOT an option).  It 
seems that I cannot provide a list of ports (e.g. [80,81,88,8080,8081]) and 
a range for 80:8081 draws WAY too many false positives (IMAP, high ports, 
etc).  What would be the best thing to do in this situation?  Create 
Multiple copies of all the web-* rulefiles and edit each one and have to 
maintain changes across versions?  Or is there some mechanism that provides 
for a list of ports a signature will look on?

Help would be very much appreciated.


Join the world�s largest e-mail service with MSN Hotmail. 

More information about the Snort-users mailing list