Re: [Snort-users] multiple port variable fun

Old 07-04-2007
Jeffrey Denton

On 7/3/07, Ryan Hudson <ryan@mydingo.net.au> wrote:
> Do you mean put that in snort.conf? Because when I tried that it just
> thought you were reading the same rules files multiple times and failed as
> the same pid's were being used multiple times. And the http_ports variable
> was over-written 3 times.
>
> -----Original Message-----
> From: Leon Ward [mailto:seclists@rm-rf.co.uk]
> Sent: Wednesday, 4 July 2007 3:27 AM
> To: ryan@mydingo.net.au
> Subject: Re: [Snort-users] multiple port variable fun
>
> Hi
>
> var HTTP_PORTS 80
> include http.rules
> var HTTP_PORTS 8082
> include http.rules
> var HTTP_PORTS 3001
> include http.rules


Yeap, the SIDs will cause problems. Barnyard and Oinkmaster wouldn't
play nice either. One possible solution is to create separate rules
files for each port. This looks ugly...

var HTTP_PORTS 8082
include $RULE_PATH/web-attacks_port_8082.rules
include $RULE_PATH/web-cgi_port_8082.rules
include $RULE_PATH/web-client_port_8082.rules
include $RULE_PATH/web-coldfusion_port_8082.rules
include $RULE_PATH/web-frontpage_port_8082.rules
include $RULE_PATH/web-iis_port_8082.rules
include $RULE_PATH/web-misc_port_8082.rules
include $RULE_PATH/web-php_port_8082.rules
include $RULE_PATH/bleeding-web_port_8082.rules

var HTTP_PORTS 3001
include $RULE_PATH/web-attacks_port_3001.rules
include $RULE_PATH/web-cgi_port_3001.rules
include $RULE_PATH/web-client_port_3001.rules
include $RULE_PATH/web-coldfusion_port_3001.rules
include $RULE_PATH/web-frontpage_port_3001.rules
include $RULE_PATH/web-iis_port_3001.rules
include $RULE_PATH/web-misc_port_3001.rules
include $RULE_PATH/web-php_port_3001.rules
include $RULE_PATH/bleeding-web_port_3001.rules

var HTTP_PORTS 80
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/bleeding-web.rules


You have to change the SIDs in each of the "port_8082" and "port_3001"
files to something unique.

Another problem would be keeping the rules for the other port files up to date.

A quick search through the ChangeLog of 2.7.0 RC2 didn't turn up
anything to indicate that HTTP_PORTS was fixed to accept multiple
ports. The sample snort.conf file still includes, "We will adding
support for a real list of ports in the future." The only mention of
HTTP_PORTS in the source code is a define statement in
sf_snort_plugin_api.h.
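
The per-port rule copies with unique SIDs that the post describes can be generated instead of hand-edited. The following is an added example, not part of the original post and not Snort's own tooling; the stride-based SID numbering, the function names and the sample rules are assumptions constructed for illustration.

```python
import re

LOCAL_SID_MIN = 1_000_000    # Snort keeps SIDs below this for distributed rules
SID_MAX = 2**32 - 1          # assumed upper bound (32-bit SID field)
PORT_STRIDE = 100_000_000    # assumption: copy k gets its SIDs shifted by k * stride
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample input standing in for the files under $RULE_PATH
SAMPLE_RULES = {
    "web-misc.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"constructed sample A"; content:"/a"; sid:9001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"constructed disabled rule"; content:"/b"; sid:9002; rev:3;)\n'
    ),
    "bleeding-web.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"constructed sample C"; content:"/c"; sid:2009003; rev:2;)\n'
    ),
}

def shift_sids(text, offset):
    """Rewrite every sid:N; in text to sid:N+offset; (disabled rules included)."""
    def repl(m):
        new = int(m.group(1)) + offset
        if not LOCAL_SID_MIN <= new <= SID_MAX:
            raise ValueError(f"sid {new} is outside the local SID range")
        return f"sid:{new};"
    return SID_RE.sub(repl, text)

def build_port_copies(rules, extra_ports):
    """Return ({new_filename: text}, snort.conf lines) for each extra port."""
    seen = {int(s) for t in rules.values() for s in SID_RE.findall(t)}
    files, conf = {}, []
    for k, port in enumerate(extra_ports, start=1):
        conf.append(f"var HTTP_PORTS {port}")
        for name, text in rules.items():
            new_name = f"{name[:-len('.rules')]}_port_{port}.rules"
            new_text = shift_sids(text, k * PORT_STRIDE)
            new_sids = {int(s) for s in SID_RE.findall(new_text)}
            if seen & new_sids:   # a clash here is what made Snort refuse to load
                raise ValueError(f"duplicate SIDs in {new_name}: {sorted(seen & new_sids)}")
            seen |= new_sids
            files[new_name] = new_text
            conf.append(f"include $RULE_PATH/{new_name}")
    return files, conf

if __name__ == "__main__":
    print("\n".join(build_port_copies(SAMPLE_RULES, [8082, 3001])[1]))
```

Re-running the generator after each rule update rebuilds the per-port copies from the current originals, so they do not drift out of date. The `var HTTP_PORTS 80` block with the original includes is still added by hand, as in the layout above.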
