[Snort-users] Any idea when multiple port support is coming?

Jason Haar Jason.Haar at ...294...
Tue Dec 6 19:01:03 EST 2005


Hi there

Says it all really. From an efficiency perspective, I really need to be
able to define things like

var HTTP_PORTS 80,3128,8080

so that single rules can trigger on HTTP traffic that is both direct,
and/or via a proxy. Currently this would involve converting something
like the 1217 web-*.rules into over 3.5K...

At the moment, I've had to turn tonnes of intranet rules from
$HTTP_PORTS to "any" to effect the same change more efficiently - but
now get whacked with tonnes of false positives on SMTP traffic (so now
I've changed "any" to "!25" - but you get the drift)

Any hint to when/if this feature will show up?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
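
Added example, not part of the original post and not Snort project code: a sketch of the per-port duplication the message describes as the only alternative, where every rule that uses `$HTTP_PORTS` in its header is copied once per port, which is how 1217 rules become more than 3.5K. The sample rules are constructed, and the sid renumbering scheme and the helper names `expand_rule` and `expand_ruleset` are assumptions made for illustration.

```python
import re

# Ports from the post's wished-for "var HTTP_PORTS 80,3128,8080".
HTTP_PORTS = [80, 3128, 8080]
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SID_BASE = 1_000_000  # assumption: local rules use sids from 1,000,000 upward

# Constructed sample rules (not taken from any real rule set).
SAMPLE_RULES = [
    "# constructed sample",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"constructed example A"; content:"/example-a"; sid:9001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 '
    '(msg:"constructed example B"; content:"$HTTP_PORTS"; sid:9002; rev:1;)',
]

def expand_rule(rule, ports, var="$HTTP_PORTS"):
    """Return one copy of `rule` per port, each with its own sid."""
    # Only the header (text before the first "(") carries the port field;
    # option strings that merely mention the variable must stay untouched.
    header, paren, options = rule.partition("(")
    tokens = header.split()
    if rule.lstrip().startswith("#") or not paren or var not in tokens:
        return [rule]  # comment, blank line, or rule not using the variable
    match = SID_RE.search(options)
    if match is None:
        raise ValueError("rule has no sid: " + rule)
    expanded = []
    for index, port in enumerate(ports):
        new_header = " ".join(str(port) if tok == var else tok for tok in tokens)
        # Copies need distinct sids, otherwise alerts from different ports
        # cannot be told apart; this mapping is unique per (sid, port).
        new_sid = SID_BASE + int(match.group(1)) * len(ports) + index
        new_options = SID_RE.sub(f"sid:{new_sid};", options, count=1)
        expanded.append(f"{new_header} ({new_options}")
    return expanded

def expand_ruleset(rules, ports, var="$HTTP_PORTS"):
    """Expand every rule in `rules`, keeping comments and other rules as is."""
    return [copy for rule in rules for copy in expand_rule(rule, ports, var)]

if __name__ == "__main__":
    for line in expand_ruleset(SAMPLE_RULES, HTTP_PORTS):
        print(line)
```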




