[Snort-users] multiple HTTP_PORTS
dev_zer0 at ...125...
Thu Jun 20 11:23:02 EDT 2002
I'm using Snort 1.8.6 with the newest signatures.
I noticed that in a recent signature release, the $HTTP_PORTS variable was
added in all the web-* signatures, and my environment has HTTP servers on
ports 80, 8080, 1080, 81, and 8081 (changing that is NOT an option). It
seems that I cannot provide a list of ports (e.g. [80,81,88,8080,8081]) and
a range for 80:8081 draws WAY too many false positives (IMAP, high ports,
etc). What would be the best thing to do in this situation? Create
Multiple copies of all the web-* rulefiles and edit each one and have to
maintain changes across versions? Or is there some mechanism that provides
for a list of ports a signature will look on?
Help would be very much appreciated.
Join the world�s largest e-mail service with MSN Hotmail.
More information about the Snort-users