cholley at ...11679...
Wed Apr 21 14:04:05 EDT 2004
I put in the HTTP_PORTS variables for the different ports. Now snort wont
start. Its trying to find the rules under "/etc/snort" and of course their
not there. What's up? Do I need to put the RULE_PATH variable in?
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Wednesday, April 21, 2004 4:29 PM
To: Chuck Holley; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] HTTP_PORTS
At 03:29 PM 4/21/2004, Chuck Holley wrote:
>I have a lot of web sites, on which I use many ports. I am a little
>confused on how to variable these in the conf.
>What does that mean. Am I suuposed to write a custom rule? Do I have to
>name the variable for another port something other than HTTP_PORTS? In
>the conf they have HTTP_PORTS for 8080 and 80.
You don't need to write a custom rule. However, you do need to repeatedly
include the same rulefiles over and over again, once for each port.
For example if I wanted web-attacks.rules to be used for ports 80, 8080 and
88, I'd do this:
var HTTP_PORTS 80
var HTTP_PORTS 8080
var HTTP_PORTS 88
The reason for the duplication is based in the fundamental structure of
snort rules. At present a singe rule cannot be written that accepts an
arbitrary list of ports. You can do a port, a range of ports (ie: 20:80) or
a negation of either, but no discontinuous lists are possible (ie:
80,88,8080 is not a valid port specification).
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users