[Snort-users] shellcode_ports

Leon Ward leon.ward at ...1935...
Thu May 25 01:29:05 EDT 2006


Hi,

If a packet is destined to TCP:80 then it will only be run through the HTTP_PORTS 80 rule set.
If the packet is destined to TCP:8080 it will be run through the HTTP_PORTS 8080 rules and not the HTTP_PORTS 80 rules.

Take a look at the "Snort 2.0 - Multi-Rule Inspection Engine" and "Snort 2.0 - Rule Optimizer" papers available on snort.org for full information.

Regards,

Leon

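The behaviour Leon describes follows from Snort 2.x substituting a `var` into rule text at the moment the rule is parsed: each `include` sees whatever value is in force at that point, and a later `var` with the same name simply overwrites the earlier one. The following is an added example, not code from this thread or from the Snort project: a small Python model of that parse-time expansion, run over the config fragments from the thread (including Wally's three-include layout and his "stacked" SHELLCODE_PORTS idea). The rule file contents, the config strings and the port matcher (which handles only the `any`, `N` and `!N` forms that appear in the thread) are constructed for the example; the simplified port-group dispatch in `rules_for_packet` is an assumption about which rules a packet is checked against, not Snort's actual detection engine.

```python
"""Toy model of Snort 2.x `var` expansion at parse time (added example, not Snort code).

Assumption, matching the thread: a `var` is substituted into rule text when the
rule is parsed, so each `include` gets the value in force at that point and a
later `var` of the same name overwrites the earlier one.
"""
import re

# Constructed stand-ins for somefile.rules and a shellcode rule file (not real VRT rules).
RULE_FILES = {
    "somefile.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB example"; sid:1000001;)',
    ],
    "shellcode.rules": [
        'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE example"; sid:1000002;)',
    ],
}

# Layout from the snort.conf comment: an include after each port definition.
CONF_INCLUDE_PER_PORT = """
var HTTP_PORTS 80
include somefile.rules
var HTTP_PORTS 8080
include somefile.rules
"""

# Wally's first variant: two vars, then a single include.
CONF_VARS_THEN_INCLUDE = """
var HTTP_PORTS 80
var HTTP_PORTS 8080
include somefile.rules
"""

# Wally's three-include variant (a third include further down snort.conf).
CONF_THREE_INCLUDES = """
var HTTP_PORTS 80
include somefile.rules
var HTTP_PORTS 8080
include somefile.rules
# ... rest of snort.conf ...
include somefile.rules
"""

# Wally's "stacked" SHELLCODE_PORTS idea.
CONF_STACKED_SHELLCODE = """
var SHELLCODE_PORTS !80
var SHELLCODE_PORTS !8080
var SHELLCODE_PORTS !443
var SHELLCODE_PORTS !22
include shellcode.rules
"""

VAR_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
RULE_HDR_RE = re.compile(r"^\w+\s+\w+\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")


def expand(text, variables):
    """Replace $NAME with its current value; unknown names are left untouched."""
    return VAR_REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def load_config(conf_text, rule_files=RULE_FILES):
    """Parse a snort.conf fragment and return the expanded rules in parse order."""
    variables, rules = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value                      # later definition overwrites the earlier one
        elif line.startswith("include "):
            for rule in rule_files[line.split(None, 1)[1]]:
                rules.append(expand(rule, variables))    # value in force *right now*
        else:
            rules.append(expand(line, variables))        # inline rule
    return rules


def header_ports(rule):
    """Return (src_port, dst_port) text from an expanded rule header."""
    m = RULE_HDR_RE.match(rule)
    return (m.group(2), m.group(4)) if m else (None, None)


def port_matches(spec, port):
    """Handle the three port forms used in the thread: 'any', 'N' and '!N'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return str(port) != spec[1:]
    return str(port) == spec


def rules_for_packet(rules, src_port, dst_port):
    """Rules whose header ports a packet would be checked against (simplified dispatch)."""
    return [r for r in rules
            if port_matches(header_ports(r)[0], src_port)
            and port_matches(header_ports(r)[1], dst_port)]


if __name__ == "__main__":
    for name, conf in [("include per port", CONF_INCLUDE_PER_PORT),
                       ("vars then include", CONF_VARS_THEN_INCLUDE),
                       ("three includes", CONF_THREE_INCLUDES),
                       ("stacked SHELLCODE_PORTS", CONF_STACKED_SHELLCODE)]:
        print(f"{name}: {[header_ports(r) for r in load_config(conf)]}")
    web = load_config(CONF_INCLUDE_PER_PORT)
    print("port-80 packet is checked against", len(rules_for_packet(web, 40000, 80)), "rule(s)")
```

Running it shows the three outcomes discussed in the thread: the include-per-port layout yields one copy of the rule for 80 and one for 8080, and a packet to port 80 is checked only against the port-80 copy; two `var` lines followed by one include leave only the 8080 copy; the three-include layout produces a third copy carrying 8080 again, which is the duplicate matching Wally was worried about. The stacked SHELLCODE_PORTS definitions collapse to the last one, `!22`, so a rule with that source port would still be applied to traffic from ports 80, 443 and 8080.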

On 24 May 2006, at 18:09, Gentoo-Wally wrote:

> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
> include somefile.rules
>
> ouch, so a packet would have to be compared to any sigs in somefile.rules twice?
>
> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
>
> That should work, right? It should then pick up the normal includes at the bottom of the snort.conf (as long as somefile.rules existed at the bottom also)?
>
> If you did a ...
>
> var HTTP_PORTS 80
> include somefile.rules
> var HTTP_PORTS 8080
> include somefile.rules
>
> ....
>
> include somefile.rules
>
> Then would it then compare a single packet 3 times (once as 80 and
> twice as 8080)?
>
> Wally
>
> On 5/24/06, Joel Esler <joel.esler at ...1935...> wrote:
>> You must specify a different rule include after each port specification.
>> The example in the Snort.conf is correct.
>>
>> Joel
>>
>> Gentoo-Wally wrote:
>> > Is there a better way to define SHELLCODE_PORTS other than !80?
>> >
>> > All the sigs using this var show..
>> >
>> > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  any
>> >
>> > If we really want to look for shellcode to any port from every port but 80 then why not on 80 also? Or why not also exclude 8080 and 443 (or any other encrypted ports like 22)
>> >
>> > Assuming this works the same way as HTTP_PORTS...
>> >
>> > var SHELLCODE_PORTS !80
>> > var SHELLCODE_PORTS !8080
>> > var SHELLCODE_PORTS !443
>> > var SHELLCODE_PORTS !22
>> >
>> > Or even
>> > var SHELLCODE_PORTS !80
>> > var SHELLCODE_PORTS !8080
>> > var SHELLCODE_PORTS !443
>> > var SHELLCODE_PORTS !22
>> > var EXCLUDE !22
>> > var EXCLUDE !443
>> >
>> > and rewriting these sigs with oinkmaster to be...
>> >
>> > $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET  $EXCLUDE
>> >
>> > Since looking for shellcode on encrypted traffic is kind of a waste of time, right?
>> >
>> > What are others doing for this?
>> >
>> > This brings up another point...
>> >
>> > the snort.conf shows defining these port options for multiple ports like this...
>> >
>> > ## var HTTP_PORTS 80
>> > ## include somefile.rules
>> > ## var HTTP_PORTS 8080
>> > ## include somefile.rules
>> >
>> > is specifying an include after each port defined necessary or is the following adequate?
>> >
>> > var HTTP_PORTS 80
>> > var HTTP_PORTS 8080
>> > ...
>> > include somefile.rules
>> >
>> > using snort 2.4.4
>> >
>> > Thx,
>> > Wally
>> >
>> >
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
>> >
>>
>
>