[Snort-users] Newbie question on gnutella rule
michael.boman at ...4162...
Sat Dec 13 20:44:00 EST 2003
On Sat, 2003-12-13 at 23:47, Josh Berry wrote:
> Since you are using a proxy, all of your web clients are sending GET
> requests for web pages to the proxy server on port 8080. This rule will
> alarm if it sees any GET request going to any port except 80.
> Maybe you could create a port list of ports that you expect to see GET
> requests on, just add !8080 to what is already there (!80). I believe
> that you have to do this like:
That won't work. Snort doesn't support port lists yet (dunno when we
will have it either... Last time I heard anything about it they (as in
snort coders) were looking for a good algorithm IIRC).
What you could do is to create a pass rule for it instead. Make sure you
don't make your pass rule too generic, in which case you will miss valid
alerts. What I usually do is that I duplicate the rule, change "alert"
to "pass" and make sure that "-o" option for snort is there. Also assign
it a new sid (reserved local rules have sid 1000000+, ie one million and
above [IIRC - check the documentation]).
Security Architect, SecureCiRT Pte Ltd
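The approach described in the message above, as an added example that is not from the original thread or from the Snort ruleset: a detection rule of the shape being discussed (GET to a non-80 port) alongside a local pass rule that exempts only the proxy. The sid values, msg strings, the proxy address 192.0.2.10 and the $HOME_NET/$EXTERNAL_NET variables are constructed assumptions.

```snort
# Constructed alert rule approximating the P2P "GET on a non-80 port" rule
# under discussion (sid, msg and options are assumptions, not the real rule).
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GET request to non-HTTP port"; flow:to_server,established; content:"GET "; depth:4; classtype:misc-activity; sid:9999001; rev:1;)

# Local pass rule: a duplicate of the alert rule with "alert" changed to
# "pass", narrowed to the proxy host and port 8080 only so it does not
# silence GETs to other non-80 ports. Local sids start at 1000000.
# 192.0.2.10 is a constructed placeholder for the proxy's address.
pass tcp $HOME_NET any -> 192.0.2.10 8080 (msg:"LOCAL pass: GET to web proxy"; flow:to_server,established; content:"GET "; depth:4; sid:1000001; rev:1;)
```

With the default rule order the alert rule still fires first; starting Snort with -o changes the order to pass, then alert, then log, so the pass rule takes effect.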