[Snort-users] shellcode error

Hugo Ferr snortgrp at ...125...
Fri May 31 07:42:11 EDT 2002


Just out of curiosity - why !80? I was getting quite a lot of false
positives for shellcode on port 80; is the number of false positives
the reason for !80?

----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Hugo Ferr" <snortgrp at ...125...>
Cc: "Got Snort?" <snort-users at lists.sourceforge.net>
Sent: Friday, May 31, 2002 12:02 AM
Subject: Re: [Snort-users] shellcode error


> On Thu, 30 May 2002, Hugo Ferr wrote:
>
> > I would like to have some understanding regarding the following:
> > 1. Why should I define ports for shellcode rules?
>
> Think in terms of maintenance and coding.  If you can parse a variable, and you
> have it in 500 places, you change one place and all 500 change.  If you need
> to change one rule, it's "easier" to work with the exceptions than with the
> "rule".  The old 'hit the larger target' idea...
>
> > 2. What is the exact syntax? (var $SHELLCODE_PORTS)
>
> [root at ...3819...]/local/build/snort#grep SHELLCODE snort.conf
> # Ports you want to look for SHELLCODE on.  (By default, not port 80)
> var SHELLCODE_PORTS !80
>
> > P.S. I'm a big fan of snort, but I really feel like documentation should
> > be improved. (Or is it a topic for mail list dedicated for rants :-) ?)
>
> As for improvements, we're all ears.  I'd suggest another thread on this and
> have you explain what you mean a bit more.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>
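
Added example, not part of the original thread and not Snort's own parser: a Python sketch of how the single `var SHELLCODE_PORTS !80` definition quoted above feeds every rule header that references it, and why traffic to destination port 80 then never reaches those rules. The HOME_NET/EXTERNAL_NET values, the rule headers and all function names are constructed for illustration.

```python
import re

# Constructed snort.conf fragment; only the SHELLCODE_PORTS lines come from the thread.
SNORT_CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any
# Ports you want to look for SHELLCODE on.  (By default, not port 80)
var SHELLCODE_PORTS !80
"""

# Constructed rule headers (options omitted) that all share the one variable.
RULE_HEADERS = [
    "alert tcp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS",
    "alert udp $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS",
]

def parse_vars(conf):
    """Collect 'var NAME value' definitions; comment and blank lines do not match."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def expand(header, variables):
    """Replace each $NAME in a rule header with its defined value."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], header)

def port_matches(spec, port):
    """Evaluate a port spec: any, N, lo:hi, :hi or lo:, optionally negated with '!'."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        hit = True
    elif ":" in body:
        lo, hi = body.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != negate

def inspected(header, variables, dst_port):
    """True if a packet to dst_port passes the header's destination-port test."""
    dst_spec = expand(header, variables).split()[-1]
    return port_matches(dst_spec, dst_port)
```

Changing the one `SHELLCODE_PORTS` value (for example to `any`) changes the result for every header in the list, which is the maintenance point made in the quoted reply.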



