mkettler at ...4108...
Wed Apr 21 13:30:03 EDT 2004
At 03:29 PM 4/21/2004, Chuck Holley wrote:
>I have a lot of web sites, on which I use many ports. I am a little
>confused on how to variable these in the conf.
>What does that mean. Am I suuposed to write a custom rule? Do I have to
>name the variable for another port something other than HTTP_PORTS? In
>the conf they have HTTP_PORTS for 8080 and 80.
You don't need to write a custom rule. However, you do need to repeatedly
include the same rulefiles over and over again, once for each port.
For example if I wanted web-attacks.rules to be used for ports 80, 8080 and
88, I'd do this:
var HTTP_PORTS 80
var HTTP_PORTS 8080
var HTTP_PORTS 88
The reason for the duplication is based in the fundamental structure of
snort rules. At present a singe rule cannot be written that accepts an
arbitrary list of ports. You can do a port, a range of ports (ie: 20:80) or
a negation of either, but no discontinuous lists are possible (ie:
80,88,8080 is not a valid port specification).
More information about the Snort-users