[Snort-users] Newbie question on gnutella rule

Michael Boman michael.boman at ...4162...
Sat Dec 13 20:44:00 EST 2003


On Sat, 2003-12-13 at 23:47, Josh Berry wrote:
> Since you are using a proxy, all of your web clients are sending GET
> requests for web pages to the proxy server on port 8080.  This rule will
> alarm if it sees any GET request going to any port except 80.
> 
> Maybe you could create a port list of ports that you expect to see GET
> requests on, just add !8080 to what is already there (!80).  I believe
> that you have to do this like:
> 
> [!80,!8080]
> 

That won't work. Snort doesn't support port lists yet (dunno when we
will have it either.. Last time I heard anything about it they (as in
snort coders) were looking for a good algorithm IIRC).

What you could do is to create a pass rule for it instead. Make sure you
don't make your pass rule too generic, in which case you will miss valid
alerts. What I usually do is that I duplicate the rule, change "alert"
to "pass" and make sure that "-o" option for snort is there. Also assign
it a new sid (reserved local rules have sid 1000000+, i.e. one million and
above [IIRC - check the documentation]).

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
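As an added illustration (not part of the thread), the pass-rule approach described above written out as a local rules fragment. The alert rule is an approximate reconstruction of the stock gnutella rule, not its exact text, and SID_OF_STOCK_RULE is a placeholder; the proxy address (TEST-NET), the proxy port 8080 and the local sid 1000001 are assumptions.

```snort
# Approximate reconstruction of the stock gnutella rule (not the exact
# distributed text; SID_OF_STOCK_RULE is a placeholder). It alerts on any
# GET request to a port other than 80, so proxied browsing on 8080 trips it.
alert tcp $HOME_NET any -> any !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; depth:4; classtype:misc-activity; sid:SID_OF_STOCK_RULE; rev:1;)

# Assumed proxy address (constructed TEST-NET value); narrowing the pass
# rule to one host and one port keeps it from swallowing other alerts.
var PROXY_SERVER 192.0.2.10

# Duplicate of the rule with "alert" changed to "pass", restricted to GET
# requests sent to the proxy only. Every other non-80 port still alerts.
# Local rules use sids of 1000000 and above.
pass tcp $HOME_NET any -> $PROXY_SERVER 8080 (msg:"LOCAL allow GET to web proxy"; flow:to_server,established; content:"GET "; depth:4; classtype:not-suspicious; sid:1000001; rev:1;)

# Pass rules are only evaluated before alert rules when snort runs with -o
# (rule order becomes Pass, Alert, Log instead of Alert, Pass, Log):
#   snort -o -c /etc/snort/snort.conf
```

Without -o the alert rule still matches first and the pass rule has no effect, which is the silent failure to check for after adding it.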