[Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?

Matt Kettler mkettler at ...4108...
Wed May 8 14:44:03 EDT 2002


Sorry, you're gonna have to edit the rules to do what you want.

The rules probably should use some kind of var HTTP_PORT so this can easily
be changed in snort.conf, but that might lead to people thinking they can
use a comma-delimited list of ports like you can for IP addresses.

http_decode is a preprocessor that "normalizes" the data so that certain
tactics for avoiding detection are rendered useless. As best I understand,
http_decode basically deals with the "alternate" ways of encoding a byte
allowed in HTTP (i.e., %32 instead of 2) and converts them to common ASCII
prior to passing them along to the rules.


At 08:07 PM 5/8/2002 +0000, Vadim Pushkin wrote:
>I am using port 8180 versus port 80. I would prefer not messing around 
>with all of the rules files. I've noticed that the rules files themselves 
>specify port 80, but my servers are listening on port 8180. Is there a way 
>to change this in the snort.conf file? I've tried setting:
>
>preprocessor http_decode: 8180 -unicode -cginull
>
>but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
>
>Thank you
>
>Vadim
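An added example, not part of the original message and not Snort's own code: one way to make the rule edit described above across a rules file instead of changing each rule by hand. The function names, the sample rules and the 192.0.2.10 address are constructed for illustration, and the script assumes each rule header sits on one line as action, protocol, source address and port, direction, destination address and port.

```python
import re

# Snort rule header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER = re.compile(
    r'^(\s*\w+\s+\w+\s+)(\S+)(\s+)(\S+)(\s+(?:->|<>)\s+)(\S+)(\s+)(\S+)(\s*\(.*)$'
)

def rewrite_rule(line, new_port, old_port="80", server_var="$HTTP_SERVERS"):
    """Return the rule with old_port replaced wherever it is paired with server_var."""
    if line.lstrip().startswith("#"):
        return line                      # leave disabled rules and comments alone
    m = HEADER.match(line)
    if not m:
        return line                      # var/preprocessor/include lines, blanks
    g = list(m.groups())
    # g[1], g[3] = source address, port; g[5], g[7] = destination address, port
    for addr, port in ((1, 3), (5, 7)):
        if g[addr] == server_var and g[port] == old_port:
            g[port] = new_port
    return "".join(g)

def rewrite_rules(text, new_port, **kw):
    """Rewrite a whole rules file; return (new_text, number_of_rules_changed)."""
    out, changed = [], 0
    for line in text.split("\n"):
        new = rewrite_rule(line, new_port, **kw)
        changed += new != line
        out.append(new)
    return "\n".join(out), changed

# Constructed sample rules (not taken from any shipped rules file).
SAMPLE = """\
var HTTP_SERVERS 192.0.2.10/32
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed CGI probe"; uricontent:"/cgi-bin/sample"; sid:1000001;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"constructed server response"; content:"sample"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed, not an HTTP_SERVERS rule"; sid:1000003;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed, disabled"; sid:1000004;)
"""

if __name__ == "__main__":
    new_text, n = rewrite_rules(SAMPLE, "8180")
    print(new_text)
    print(f"{n} rule(s) changed")
```

Only headers that pair $HTTP_SERVERS with port 80 are touched, on either side of the direction operator, so rules for other address variables and commented-out rules keep their original port.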