[Snort-users] HTTP_PORTS

Matt Kettler mkettler at ...4108...
Wed Apr 21 13:30:03 EDT 2004


At 03:29 PM 4/21/2004, Chuck Holley wrote:
>I have a lot of web sites, on which I use many ports.  I am a little 
>confused on how to variable these in the conf.
>
>Var HTTP_PORTS
>Include somefile.rules
>
>What does that mean?  Am I supposed to write a custom rule?  Do I have to 
>name the variable for another port something other than HTTP_PORTS?  In 
>the conf they have HTTP_PORTS for 8080 and 80.

You don't need to write a custom rule. However, you do need to repeatedly 
include the same rulefiles over and over again, once for each port.

For example if I wanted web-attacks.rules to be used for ports 80, 8080 and 
88, I'd do this:

var HTTP_PORTS 80
include web-attacks.rules

var HTTP_PORTS 8080
include web-attacks.rules

var HTTP_PORTS 88
include web-attacks.rules


The reason for the duplication is based in the fundamental structure of 
Snort rules.  At present a single rule cannot be written that accepts an 
arbitrary list of ports. You can do a port, a range of ports (i.e. 20:80) or 
a negation of either, but no discontinuous lists are possible (i.e. 
80,88,8080 is not a valid port specification).





