[Snort-users] filters

Matt Kettler mkettler at ...4108...
Wed Feb 11 14:14:03 EST 2004

At 03:20 PM 2/11/2004, Drew Smith wrote:
>I've just recently upgraded to snort-2.1.1-RC1 and over the past few
>days I've working on getting some of the http stuff worked out. After
>having done the RTFD thing over and over, I have to ask. It is stated in
>the default snort.conf that I can't use "var HTTP_PORTS [80,8080]", but
>I should use [80:8080] instead? I can't do that. If I set up my ports
>that way, rules that use HTTP_PORTS break.

If you RTFD a bit closer, they suggest that you use 80:8080 not [80:8080].

Does it work better without the []?

snort.conf: Port lists must either be continuous [eg 80:8080], or a single 
port [eg 80].

In the two examples above, the [] are part of the text, not the suggested 

More information about the Snort-users mailing list