[Snort-users] multiple port variable fun

Jeffrey Denton dentonj at ...11827...
Wed Jul 4 03:17:45 EDT 2007


On 7/3/07, Ryan Hudson <ryan at ...14163...> wrote:
> Do you mean put that in snort.conf?  Because when I tried that it just
> thought you were reading the same rules files multiple times and failed as
> the same pid's were being used multiple times. And the http_ports variable
> was over-written 3 times.
>
> -----Original Message-----
> From: Leon Ward [mailto:seclists at ...14165...]
> Sent: Wednesday, 4 July 2007 3:27 AM
> To: ryan at ...14163...
> Subject: Re: [Snort-users] multiple port variable fun
>
> Hi
>
> var HTTP_PORTS 80
> include http.rules
> var HTTP_PORTS 8082
> include http.rules
> var HTTP_PORTS 3001
> include http.rules

Yeap, the SIDs will cause problems.  Barnyard and Oinkmaster wouldn't
play nice either.  One possible solution is to create separate rules
files for each port.  This looks ugly...

var HTTP_PORTS 8082
include $RULE_PATH/web-attacks_port_8082.rules
include $RULE_PATH/web-cgi_port_8082.rules
include $RULE_PATH/web-client_port_8082.rules
include $RULE_PATH/web-coldfusion_port_8082.rules
include $RULE_PATH/web-frontpage_port_8082.rules
include $RULE_PATH/web-iis_port_8082.rules
include $RULE_PATH/web-misc_port_8082.rules
include $RULE_PATH/web-php_port_8082.rules
include $RULE_PATH/bleeding-web_port_8082.rules

var HTTP_PORTS 3001
include $RULE_PATH/web-attacks_port_3001.rules
include $RULE_PATH/web-cgi_port_3001.rules
include $RULE_PATH/web-client_port_3001.rules
include $RULE_PATH/web-coldfusion_port_3001.rules
include $RULE_PATH/web-frontpage_port_3001.rules
include $RULE_PATH/web-iis_port_3001.rules
include $RULE_PATH/web-misc_port_3001.rules
include $RULE_PATH/web-php_port_3001.rules
include $RULE_PATH/bleeding-web_port_3001.rules

var HTTP_PORTS 80
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/bleeding-web.rules


You have to change the SIDs in each of the "port_8082" and "port_3001"
files to something unique.

Another problem would be keeping the rules for the other port files up to date.

A quick search through the ChangeLog of 2.7.0 RC2 didn't turn up
anything to indicate that HTTP_PORTS was fixed to accept multiple
ports.  The sample snort.conf file still includes, "We will adding
support for a real list of ports in the future."  The only mention of
HTTP_PORTS in the source code is a define statement in
sf_snort_plugin_api.h.
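
Added example, not part of the original post: a Python sketch of the per-port copy step described above, which shifts every SID by a per-port offset so the copies stay unique and can be regenerated whenever the upstream rules change. The function names, the offsets, the msg tag and the sample rules are assumptions constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"')

# Constructed sample rules (not taken from a real rule set).
SAMPLE = '''# sample web rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample one"; flow:to_server,established; uricontent:"/example1"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample two"; flow:to_server,established; uricontent:"/example2"; sid:9000002; rev:1;)
'''

def is_comment(line):
    return line.lstrip().startswith("#")

def clone_for_port(rules_text, port, sid_offset):
    """Copy a rules file for one extra port: shift each SID, tag each msg.

    $HTTP_PORTS is left in place, because snort.conf redefines the variable
    before including each per-port file.
    """
    out = []
    for line in rules_text.splitlines():
        if is_comment(line) or not SID_RE.search(line):
            out.append(line)  # comments, blank lines, disabled rules
            continue
        line = SID_RE.sub(
            lambda m: "sid:%d;" % (int(m.group(1)) + sid_offset), line, count=1)
        line = MSG_RE.sub('msg:"[port %d] ' % port, line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"

def sids(rules_text):
    """SIDs of all active (uncommented) rules, in file order."""
    return [int(m.group(1)) for line in rules_text.splitlines()
            if not is_comment(line) for m in SID_RE.finditer(line)]

def duplicate_sids(*rule_texts):
    """SIDs that appear more than once across the given rule files."""
    seen, dups = set(), set()
    for text in rule_texts:
        for sid in sids(text):
            (dups if sid in seen else seen).add(sid)
    return sorted(dups)

if __name__ == "__main__":
    copy_8082 = clone_for_port(SAMPLE, 8082, 10_000_000)  # assumed offset
    copy_3001 = clone_for_port(SAMPLE, 3001, 20_000_000)  # assumed offset
    print(copy_8082)
    print("duplicate SIDs:", duplicate_sids(SAMPLE, copy_8082, copy_3001))
```

Running the duplicate check over the original files plus every generated copy before restarting Snort catches an offset that lands on a SID range already in use.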



