[Snort-users] Hello Snort Team
general at ...17107...
Sun May 21 15:10:14 EDT 2017
> On May 21, 2017, at 2:58 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> Technically, http can be on any port. So, you can either use openappid to identify services instead of ports, or Snort3, which is service aware by default, but has no ruleset yet.
> We've added that many ports to HTTP_PORTS as we've seen exploit activity in the wild over those ports.
Good point - I hadn't considered HTTP/S traffic from exploits.
I will definitely be looking into Open AppID - I skipped that portion of the manual (which I will rectify a second time around!). I will use that for my 2.9.9.x install of Snort.
I'd really like to move to Snort 3 for the support of Lua rules (I am currently using Lua with the ModSec WAF and I love it), and for the refactored code in C++ (C++ is one of the languages I am familiar with). I've been following its' progress - currently at alpha 4, a recent push to patch some security vulnerabilities detected and the Talos blog that says a beta is scheduled around summer.
I was wondering - would it be stable enough to run on my low volume web host ? It is not a mission critical server and I'd like to work with Snort 3 as the code base develops.
More information about the Snort-users