[Snort-users] multiple HTTP_PORTS

Erek Adams erek at ...577...
Thu Jun 20 11:41:02 EDT 2002


On Thu, 20 Jun 2002, Chris Connelly wrote:

> I'm using Snort 1.8.6 with the newest signatures.
>
> I noticed that in a recent signature release, the $HTTP_PORTS variable was
> added in all the web-* signatures, and my environment has HTTP servers on
> ports 80, 8080, 1080, 81, and 8081 (changing that is NOT an option).  It
> seems that I cannot provide a list of ports (e.g. [80,81,88,8080,8081]) and
> a range for 80:8081 draws WAY too many false positives (IMAP, high ports,
> etc).  What would be the best thing to do in this situation?  Create
> Multiple copies of all the web-* rulefiles and edit each one and have to
> maintain changes across versions?  Or is there some mechanism that provides
> for a list of ports a signature will look on?

Naaaa....  Make your life way simpler:

var HTTP_PORTS 80
include web-<bleh>.rules
var HTTP_PORTS 8080
include web-<bleh>.rules
.
.
.


Just redefine HTTP_PORTS with one port for each of the 5 ports you want to use
for now.

Port lists are in the works...  :)  Until then, this ugly hack will have to
work.  :-/

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list