[Snort-users] Proper Method and/or Place to Declare HTTP_SERVERS port?

Vadim Pushkin wiskbroom at ...125...
Thu May 9 06:19:01 EDT 2002


OK, here is what I have done so far. Thanks again to all
of you for your help and/or comments.

1. I've added a new variable named HTTP_SERVERS_PORT
   to all of my snort.conf files, I have 8 on one box.

2. I've changed every instance of 80, when it referred
   to this port number, in *all* of my rules files to
   read $HTTP_SERVERS_PORT.

3. Some of my snort.conf files have var HTTP_SERVERS_PORT set
   to 8180, others have this set to 80 since we also have
   "normal" servers running at some locations.

4. Does anyone else besides me think that this should be a
   permanent change to the rules and snort.config files?
   Defaulting to port 80 of course.

My questions to my setup,

a. How do I declare NO HTTP_SERVERS at all? In other words,
   I want to know whenever someone tries to make an attempt
   to port 80 or even SMTP/SQL, since I do not have these
   services running at that particuliar level and I want to
   know of attempts to use them?

b. How do I add services, I have about 100 of these, which are
   permitted, for example OK from aaa.bbb.ccc.ddd/32 port 12345
   to $HOME_NET or ONE particuliar IP? Basically, I want to
   convert my cisco routers acl to match my snort rulesets.

c. Am I ruining anything by having my ports changed to port
   8180? By the way, 8180 is my proxy server, perhaps just add
   this variable instead?

Thank you all,

Vadim

>From: Erek Adams <erek at ...577...>
>Subject: Re: [Snort-users] Proper Method and/or Place to Declare 
>HTTP_SERVERS port?
>Date: Wed, 8 May 2002 14:06:09 -0700 (PDT)
>
>On Wed, 8 May 2002, Vadim Pushkin wrote:
>
> > I am using port 8180 versus port 80. I would prefer not messing around 
>with
> > all of the rules files. I've noticed that the rules files themselves 
>specify
> > port 80, but my servers are listening on port 8180. Is there a way to 
>change
> > this in the snort.conf file? I've tried setting:
> >
> > preprocessor http_decode: 8180 -unicode -cginull
> >
> > but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.
>
>And you will continue to.  :)
>
>The http_decode preprocessor has _nothing_ to do with the rules.  It 
>strictly
>deals with 'normalizing' the URLs before snort runs them thru the rulesets.
>
>You'll need to manually (or via a script) change port 80 in each of the
>*.rules to port 8180.
>

>Erek Adams


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com





More information about the Snort-users mailing list