
| Subject: | RE: [Snort-users] RE: [Snort-sigs] ports |
|---|---|
| Date: | Wed, 5 Jan 2005 13:54:44 -0500 |

Alrighty, break it up.. ;)

I was incorrect, you're right. According to the "TODO" included with 2.3.0RC2, port ranges are being worked on, so hopefully that will be fixed soon.

Joel

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Joe Patterson
Sent: Wednesday, January 05, 2005 1:52 PM
To: Jason
Cc: snort-sigs@lists.sourceforge.net; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] RE: [Snort-sigs] ports

-----Original Message-----
From: Jason [mailto:security@brvenik.com]

[...]

Joe Patterson wrote:
right, but that's not what you had. It makes a world of difference if you write it as an equivalent to:
[...]

- I had nothing.
Sorry, I mis-attributed the original response, which wasn't yours. Mea culpa. Should have read "that's not what he had".
- "um, false..." is not value.
And if that had been the total content of my reply, then it would have been pointless to send. But there *was* some more content, specifically the *reason* why the proposed solution wouldn't work as advertised.
- If you knew the proper answer why didn't you provide it in your first reply?
The completely proper answer is that, AFAIK, if you want to do the same content etc. checks on two or more non-contiguous ports, you cannot do it with one rule, it must be done with multiple rules. There are several ways to cause snort to see multiple rules. The most basic method is to simply write multiple rules. A slightly more elegant, but still kludgy, method is described in the FAQ (4.27). I didn't realize that Joel was attempting to explain what the FAQ said until you pointed out what he may have meant. It then became clear that there was a more proper answer. And I'm not even sure that it really is a proper answer. The original poster didn't specify whether he has a single rule that he wants to apply a port list to, or a whole bunch of them. If it's a single rule, then, IMHO, it's better to have multiple instances of the rule, one for each port. If it's a whole bunch of rules, then it makes more sense to me to use the method from the FAQ, put them all in one rule file, and have multiple includes with variable re-definitions between them. Functionally, it's the same either way, it's just a matter of rule file maintainability and cleanliness.
- Thx for playing.
always a pleasure.

-Joe

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
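
The "multiple instances of the rule, one for each port" approach from the message above, as an added example that is not part of the original thread or of Snort itself. The sample rule, port list and SID base are constructed for illustration, and `expand_rule` is a hypothetical helper name.

```python
import re

# Constructed sample rule (not from the thread); 80 is the port to be replaced.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"EXAMPLE admin login"; flow:to_server,established; '
               'content:"/admin/login"; nocase; sid:1000001; rev:1;)')

SID_OPTION = re.compile(r"\bsid:\s*\d+;")
DST_PORT = 6  # header: action proto src_ip src_port direction dst_ip dst_port


def expand_rule(rule, ports, sid_base):
    """Return one copy of `rule` per destination port, each with its own SID.

    The ports may be non-contiguous. SIDs are assigned from `sid_base`
    upward in ascending port order so regenerated output is stable.
    """
    header, paren, options = rule.partition("(")
    fields = header.split()
    if not paren or len(fields) != 7:
        raise ValueError("expected a single-line rule with a 7-field header")
    if not SID_OPTION.search(options):
        raise ValueError("rule has no sid option to renumber")
    if sid_base < 1000000:
        # SIDs below 1,000,000 are reserved for distributed rule sets.
        raise ValueError("local rules should use SIDs >= 1000000")

    unique_ports = sorted(set(ports))  # drop duplicates, fix the ordering
    for port in unique_ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")

    expanded = []
    for offset, port in enumerate(unique_ports):
        fields[DST_PORT] = str(port)
        # Each copy needs a distinct SID so alerts can be told apart.
        new_options = SID_OPTION.sub(f"sid:{sid_base + offset};", options, count=1)
        expanded.append(" ".join(fields) + " (" + new_options)
    return expanded


if __name__ == "__main__":
    for line in expand_rule(SAMPLE_RULE, [8080, 80, 8888, 80], 1000100):
        print(line)
```

Keeping the source rule and port list under version control and regenerating the per-port copies avoids the copies drifting apart when the content checks change.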