[Snort-users] HTTP_PORTS

Chuck Holley cholley at ...11679...
Wed Apr 21 14:04:05 EDT 2004


I put in the HTTP_PORTS variables for the different ports. Now snort wont
start.  Its trying to find the rules under "/etc/snort"  and of course their
not there. What's up?  Do I need to put the RULE_PATH variable in?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Wednesday, April 21, 2004 4:29 PM
To: Chuck Holley; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] HTTP_PORTS

At 03:29 PM 4/21/2004, Chuck Holley wrote:
>I have a lot of web sites, on which I use many ports.  I am a little 
>confused on how to variable these in the conf.
>
>Var HTTP_PORTS
>Include somefile.rules
>
>What does that mean.  Am I suuposed to write a custom rule?  Do I have to 
>name the variable for another port something other than HTTP_PORTS?  In 
>the conf they have HTTP_PORTS for 8080 and 80.

You don't need to write a custom rule. However, you do need to repeatedly 
include the same rulefiles over and over again, once for each port.

For example if I wanted web-attacks.rules to be used for ports 80, 8080 and 
88, I'd do this:

var HTTP_PORTS 80
include web-attacks.rules

var HTTP_PORTS 8080
include web-attacks.rules

var HTTP_PORTS 88
include web-attacks.rules


The reason for the duplication is based in the fundamental structure of 
snort rules.  At present a singe rule cannot be written that accepts an 
arbitrary list of ports. You can do a port, a range of ports (ie: 20:80) or 
a negation of either, but no discontinuous lists are possible (ie: 
80,88,8080 is not a valid port specification).




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list