[Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?
mkettler at ...4108...
Wed May 8 14:44:03 EDT 2002
Sorry, you're gonna have to edit the rules to do what you want.

The rules probably should use some kind of var HTTP_PORT so this can easily
be changed in snort.conf, but that might lead to people thinking they can
use a comma-delimited list of ports like you can for IP addresses.

http_decode is a preprocessor that "normalizes" the data so that certain
tactics for avoiding detection are rendered useless. As best I understand,
http_decode basically deals with the "alternate" ways of encoding a byte
allowed in HTTP (i.e. %32 instead of 2) and converts them to common ASCII
prior to passing them along to the rules.

At 08:07 PM 5/8/2002 +0000, Vadim Pushkin wrote:
>I am using port 8180 versus port 80. I would prefer not messing around
>with all of the rules files. I've noticed that the rules files themselves
>specify port 80, but my servers are listening on port 8180. Is there a way
>to change this in the snort.conf file? I've tried setting:
>
>preprocessor http_decode: 8180 -unicode -cginull
>
>but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
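
The rule edit described in the reply, as an added example that is not part of the original thread or of the Snort distribution: a small Python filter that rewrites port 80 to 8180 only on the side of a rule header that names `$HTTP_SERVERS`, leaving every other line untouched. The function names and the sample rules are constructed for illustration, and it assumes one rule per line (no backslash continuations).

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$'
)

def retarget_rule(line, server_var="$HTTP_SERVERS", old_port="80", new_port="8180"):
    """Swap old_port for new_port on the header side that names server_var.

    Comments, blank lines, var/preprocessor lines and rules for other
    hosts or ports are returned exactly as given.
    """
    m = HEADER.match(line.strip())
    if m is None:
        return line
    f = m.groupdict()
    changed = False
    # Requests have the servers as destination, responses as source.
    for addr, port in (("src", "sport"), ("dst", "dport")):
        if f[addr] == server_var and f[port] == old_port:
            f[port] = new_port
            changed = True
    if not changed:
        return line
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} {opts}".format(**f)

def retarget_rules(text, **kwargs):
    """Apply retarget_rule to every line of a rules file's contents."""
    return "\n".join(retarget_rule(l, **kwargs) for l in text.splitlines())

# Constructed sample rules (hypothetical msg/content/sid values).
SAMPLE = '''\
# constructed sample rules, not taken from the Snort distribution
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"sample web request"; flags:A+; content:"/sample.cgi"; sid:1000001;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"sample web response"; flags:A+; content:"sample"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample other host"; content:"x"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"sample mail"; content:"y"; sid:1000004;)
'''

if __name__ == "__main__":
    print(retarget_rules(SAMPLE))
```

Run it over copies of the rules files and diff the result before loading it into Snort.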