[Snort-users] Stoopid port syntax question

Erek Adams erek at ...577...
Wed Jun 26 11:31:02 EDT 2002


On Wed, 26 Jun 2002, Kristopher Czachor wrote:

> I looked at Marty's bible, even read the FAQ. I understand that, in rule
> creation, I can set up a range of ports using the : operator, but how do
> I set up one rule to look for a hand full of widely scattered ports,
> like 21,23,80,443, etc.

Right now, the X:Y is the only way to range ports.

[...snip...]

> Is something like that possible? I tried this and snort squeals. IMHO,
> it'd seem like this would help if I have a hand full of web servers all
> running on different ports.

Yes, it is possible...  It's a kludge, but it can work.  Since the newer rules
use $HTTP_PORTS variable, you simply reset it and re-run the rules for the
other ports.

It's ugly, but it can and does work...

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list