Is there a better way to define SHELLCODE_PORTS other than !80?
All the sig's using this var show..
$EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
If we really want to look for shellcode to any port from every port
but 80 then why not on 80 also? Or why not also exclude 8080 and 443
(or any other encrypted ports like 22)
Assuming this works the same way as HTTP_PORTS...
var SHELLCODE_PORTS !80
var SHELLCODE_PORTS !8080
var SHELLCODE_PORTS !443
var SHELLCODE_PORTS !22
Or even
var SHELLCODE_PORTS !80
var SHELLCODE_PORTS !8080
var SHELLCODE_PORTS !443
var SHELLCODE_PORTS !22
var EXCLUDE !22
var EXCLUDE !443
and rewriting these sigs with oinkmaster to be...
$EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET $EXCLUDE
Since looking for shellcode on encrypted traffic is kind of a waste of
time, right?
What are others doing for this?
This brings up another point...
the snort.conf shows defining these port options for multiple ports like this...
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
is specifying an include after each port defined necessary or is the
following adequate?
var HTTP_PORTS 80
var HTTP_PORTS 8080
...
include somefile.rules
using snort 2.4.4
Thx,
Wally
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
