[Snort-users] multiple HTTP_PORTS
erek at ...577...
Thu Jun 20 11:41:02 EDT 2002
On Thu, 20 Jun 2002, Chris Connelly wrote:
> I'm using Snort 1.8.6 with the newest signatures.
> I noticed that in a recent signature release, the $HTTP_PORTS variable was
> added in all the web-* signatures, and my environment has HTTP servers on
> ports 80, 8080, 1080, 81, and 8081 (changing that is NOT an option). It
> seems that I cannot provide a list of ports (e.g. [80,81,88,8080,8081]) and
> a range for 80:8081 draws WAY too many false positives (IMAP, high ports,
> etc). What would be the best thing to do in this situation? Create
> Multiple copies of all the web-* rulefiles and edit each one and have to
> maintain changes across versions? Or is there some mechanism that provides
> for a list of ports a signature will look on?
Naaaa.... Make your life way simpler:
var HTTP_PORTS 80
var HTTP_PORTS 8080
Just redefine HTTP_PORTS with one port for each of the 5 ports you want to use
Port lists are in the works... :) Until then, this ugly hack will have to
More information about the Snort-users