[Snort-users] var HTTP_PORTS and new rules

Erik Nyman m9520 at ...10442...
Tue Nov 18 06:13:10 EST 2003


I have installed snort on RH 9 and it's up and running just fine.

I have two basic questions.

1. I got a lot of FP on 8080, and I can't figure it out how to fix it.
We have internal webservers that run on port 80, and mainly all other
traffic goes through a proxy on port 8080. You can't set [80,8080]
like you do for networks, just a range like 80:8080.

2. How often should I download new rules? Because I edit in the rules
to get rid of a lot of FP, but maybe there is a better way to do that.
Is there a possibillity to have the exclusions in a separate file?


Erik Nyman
eny at ...10442...

More information about the Snort-users mailing list