[Snort-users] shellcode_ports

Joel Esler joel.esler at ...1935...
Wed May 24 08:59:04 EDT 2006


You must specify a different rule include after each port specification. The example in the snort.conf is correct.

Joel

Gentoo-Wally wrote:
> Is there a better way to define SHELLCODE_PORTS other than !80?
> 
> All the sigs using this var show..
> 
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  any
> 
> If we really want to look for shellcode to any port from every port
> but 80 then why not on 80 also? Or why not also exclude 8080 and 443
> (or any other encrypted ports like 22)
> 
> Assuming this works the same way as HTTP_PORTS...
> 
> var SHELLCODE_PORTS !80
> var SHELLCODE_PORTS !8080
> var SHELLCODE_PORTS !443
> var SHELLCODE_PORTS !22
> 
> Or even
> var SHELLCODE_PORTS !80
> var SHELLCODE_PORTS !8080
> var SHELLCODE_PORTS !443
> var SHELLCODE_PORTS !22
> var EXCLUDE !22
> var EXCLUDE !443
> 
> and rewriting these sigs with oinkmaster to be...
> 
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  $EXCLUDE
> 
> Since looking for shellcode on encrypted traffic is kind of a waste of
> time, right?
> 
> What are others doing for this?
> 
> This brings up another point...
> 
> the snort.conf shows defining these port options for multiple ports like
> this...
> 
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
> 
> is specifying an include after each port defined necessary or is the
> following adequate?
> 
> var HTTP_PORTS 80
> var HTTP_PORTS 8080
> ...
> include somefile.rules
> 
> using snort 2.4.4
> 
> Thx,
> Wally
> 
> 
> 
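An added illustration of Joel's point (not code from the thread or from Snort itself): a small model of the Snort 2.4 `var`/`include` semantics he describes, where a second `var HTTP_PORTS` simply overwrites the first, so a rule file included only once is expanded for the last port only. The snort.conf fragments and the `web.rules` content are constructed for this example; the checker flags a port variable that is overwritten before any include has consumed it, which is the detection-coverage gap Wally's "adequate?" variant would silently produce.

```python
from __future__ import annotations
import re

# Constructed snort.conf fragments (not from the thread), in Snort 2.4 "var" syntax.
BROKEN_CONF = """\
var HOME_NET 192.168.1.0/24
var HTTP_PORTS 80
var HTTP_PORTS 8080
include web.rules
"""
CORRECT_CONF = """\
var HOME_NET 192.168.1.0/24
var HTTP_PORTS 80
include web.rules
var HTTP_PORTS 8080
include web.rules
"""
# Constructed rule file, held in memory so the example runs offline.
RULE_FILES = {
    "web.rules": 'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"WEB test"; sid:1000001;)',
}

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)\s*$")
INC_RE = re.compile(r"^\s*include\s+(\S+)\s*$")

def expand_conf(conf: str, rule_files: dict[str, str]) -> tuple[list[str], list[str]]:
    """Model the 'var' semantics Joel describes: a later 'var NAME' overwrites
    the earlier value, and each 'include' is expanded with whatever values are
    in force at that line. Returns (expanded rules, coverage warnings)."""
    env: dict[str, str] = {}
    pending: dict[str, str] = {}  # assigned since the last include, not yet consumed
    rules: list[str] = []
    warnings: list[str] = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        if m := VAR_RE.match(line):
            name, value = m.groups()
            if name in pending:  # the earlier value never reached any rule file
                warnings.append(f"line {lineno}: {name}={pending[name]} overwritten by "
                                f"{value} before any include used it")
            env[name] = pending[name] = value
        elif m := INC_RE.match(line):
            text = rule_files[m.group(1)]
            for name in sorted(env, key=len, reverse=True):  # longest names first
                text = text.replace(f"${name}", env[name])
            rules.append(text)
            pending.clear()
    return rules, warnings
```

Run `expand_conf(BROKEN_CONF, RULE_FILES)` and only the 8080 rule comes out, with a warning about the lost port 80 value; `expand_conf(CORRECT_CONF, RULE_FILES)` yields one rule per port and no warning.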