[Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?

Matt Kettler mkettler at ...4108...
Wed May 8 14:44:03 EDT 2002

Sorry, you're gonna have to edit the rules to do what you want.

The rules probably should use some kind of var HTTP_PORT so this can easily 
be changed in snort.conf, but that might lead to people thinking they can 
use a comma delimited list of ports like you can for IP addresses.

http_decode is a preprocessor that "normalizes" the data so that certain 
tactics for avoiding detection are rendered useless. As best I understand, 
http_decode basically deals with the "alternate" ways of encoding a byte 
allowed in http (ie: %32 instead of 2) and converts them to common ascii 
prior to passing them along to the rules.

At 08:07 PM 5/8/2002 +0000, Vadim Pushkin wrote:
>I am using port 8180 versus port 80. I would prefer not messing around 
>with all of the rules files. I've noticed that the rules files themselves 
>specify port 80, but my servers are listening on port 8180. Is there a way 
>to change this in the snort.conf file? I've tried setting:
>preprocessor http_decode: 8180 -unicode -cginull
>but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
>Thank you
>Send and receive Hotmail on your mobile device: http://mobile.msn.com
>Have big pipes? SourceForge.net is looking for download mirrors. We supply
>the hardware. You get the recognition. Email Us: bandwidth at ...382...
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list