[Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?
wiskbroom at ...125...
Thu May 9 06:19:01 EDT 2002
OK, here is what I have done so far. Thanks again to all
of you for your help and/or comments.
1. I've added a new variable named HTTP_SERVERS_PORT
to all of my snort.conf files, I have 8 on one box.
2. I've changed every instance of 80, when it referred
to this port number, in *all* of my rules files to
3. Some of my snort.conf files have var HTTP_SERVERS_PORT set
to 8180, others have this set to 80 since we also have
"normal" servers running at some locations.
4. Does anyone else besides me think that this should be a
permanent change to the rules and snort.config files?
Defaulting to port 80 of course.
My questions to my setup,
a. How do I declare NO HTTP_SERVERS at all? In other words,
I want to know whenever someone tries to make an attempt
to port 80 or even SMTP/SQL, since I do not have these
services running at that particuliar level and I want to
know of attempts to use them?
b. How do I add services, I have about 100 of these, which are
permitted, for example OK from aaa.bbb.ccc.ddd/32 port 12345
to $HOME_NET or ONE particuliar IP? Basically, I want to
convert my cisco routers acl to match my snort rulesets.
c. Am I ruining anything by having my ports changed to port
8180? By the way, 8180 is my proxy server, perhaps just add
this variable instead?
Thank you all,
>From: Erek Adams <erek at ...577...>
>Subject: Re: [Snort-users] Proper Method and/or Place to Declare
>Date: Wed, 8 May 2002 14:06:09 -0700 (PDT)
>On Wed, 8 May 2002, Vadim Pushkin wrote:
> > I am using port 8180 versus port 80. I would prefer not messing around
> > all of the rules files. I've noticed that the rules files themselves
> > port 80, but my servers are listening on port 8180. Is there a way to
> > this in the snort.conf file? I've tried setting:
> > preprocessor http_decode: 8180 -unicode -cginull
> > but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
>And you will continue to. :)
>The http_decode preprocessor has _nothing_ to do with the rules. It
>deals with 'normalizing' the URLs before snort runs them thru the rulesets.
>You'll need to manually (or via a script) change port 80 in each of the
>*.rules to port 8180.
Send and receive Hotmail on your mobile device: http://mobile.msn.com
More information about the Snort-users