[Snort-users] filters

Drew Smith drew at ...11193...
Wed Feb 11 12:22:04 EST 2004


Greetings to the list. Newbie to the list onboard.

I've just recently upgraded to snort-2.1.1-RC1 and over the past few
days I've working on getting some of the http stuff worked out. After
having done the RTFD thing over and over, I have to ask. It is stated in
the default snort.conf that I can't use "var HTTP_PORTS [80,8080]", but
I should use [80:8080] instead? I can't do that. If I set up my ports
that way, rules that use HTTP_PORTS break. scan.rules barf's on doing a
config test

I have found however that by using "var HTTP_PORTS 80: 443: 8007" it
doesn't complain and "var HTTP_PORTS 80: 443: 8007" seems to work as
well. Or does it? I'm not so sure it is actually getting the other ports
however. I'm pretty much certain that using the [] in the assignment
doesn't want to work, not with 1 port defined or several. Is there any
easy way to figure out exactly what HTTP_PORTS is defined to? 

Drew
-- there comes a time in the trial and error process that one must give
in and RTFD. And when that fails, ask.





More information about the Snort-users mailing list