[Snort-users] shellcode error

Erek Adams erek at ...577...
Thu May 30 21:03:03 EDT 2002


On Thu, 30 May 2002, Hugo Ferr wrote:

> I would like to have some understanding regarding the following:
> 1. Why should I define ports for shellcode rules?

Think in terms of maintence and coding.  If you can parse a variable, and you
have it in 500 places, you change one place and all 500 change.  If you need
to change one rule, it's "easier" to work with the exceptions than with the
"rule".  The old 'hit the larger target' idea...

> 2. What is the exact syntax? (var $SHELLCODE_PORTS)

[root at ...3819...]/local/build/snort#grep SHELLCODE snort.conf
# Ports you want to look for SHELLCODE on.  (By default, not port 80)
var SHELLCODE_PORTS !80

> P.S> I 'm big fan snort of snort, but I really feel like documentaion should
> be improved. (Or is it a topic for mail list dedicated for rants :-) ?)

As for improvements, we're all ears.  I'd suggest another thread on this and
have you explain what you mean a bit more.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list