Hi,
If a packet is destined to TCP:80 then it will only be run through
the HTTP_PORTS 80 rule set.
If the packet is destined to TCP:8080 it will be run through the
HTTP_PORTS 8080 rules and not the HTTP_PORTS 80 rules.
Take a look at : "Snort 2.0 - Multi-Rule Inspection Engine" and
"Snort 2.0 - Rule Optimizer" papers available on snort.org for full
information.
Regards,
Leon
On 24 May 2006, at 18:09, Gentoo-Wally wrote:
var HTTP_PORTS 80
include somefile.rules
var HTTP_PORTS 8080
include somefile.rules
ouch, so a packet would have to be compared to any sig's in
somefile.rules twice?
var HTTP_PORTS 80
include somefile.rules
var HTTP_PORTS 8080
That should work right? It should then pickup the normal includes at
the bottom of the snort.conf (as long as somefile.rules exsisted at
the bottom also)?
If you did a ...
var HTTP_PORTS 80
include somefile.rules
var HTTP_PORTS 8080
include somefile.rules
....
include somefile.rules
Then would it then compare a single packet 3 times (once as 80 and
twice as 8080)?
Wally
On 5/24/06, Joel Esler <joel.esler@sourcefire.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You must specify a different rule include after each port
specification.
The example in the Snort.conf is correct.
Joel
Gentoo-Wally wrote:
> Is there a better way to define SHELLCODE_PORTS other than !80?
>
> All the sig's using this var show..
>
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
>
> If we really want to look for shellcode to any port from every port
> but 80 then why not on 80 also? Or why not also exclude 8080 and
443
> (or any other encrypted ports like 22)
>
> Assuming this works the same way as HTTP_PORTS...
>
> var SHELLCODE_PORTS !80
> var SHELLCODE_PORTS !8080
> var SHELLCODE_PORTS !443
> var SHELLCODE_PORTS !22
>
> Or even
> var SHELLCODE_PORTS !80
> var SHELLCODE_PORTS !8080
> var SHELLCODE_PORTS !443
> var SHELLCODE_PORTS !22
> var EXCLUDE !22
> var EXCLUDE !443
>
> and rewriting these sigs with oinkmaster to be...
>
> $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET $EXCLUDE
>
> Since looking for shellcode on encrypted traffic is kind of a
waste of
> time, right?
>
> What are others doing for this?
>
> This brings up another point...
>
> the snort.conf shows defining these port options for multiple
ports like
> this...
>
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
>
> is specifying an include after each port defined necessary or is
the
> following adequate?
>
> var HTTP_PORTS 80
> var HTTP_PORTS 8080
> ...
> include somefile.rules
>
> using snort 2.4.4
>
> Thx,
> Wally
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost
and Risk!
> Fully trained technicians. The highest number of Red Hat
certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=k&kid�7521&bid$8729&dat�1642
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEdIKZKbCSyXHckt4RArkXAKCRcrK5gwT39TSyBQTIDhQuvYxvfQCfUBKr
1uzYL7J529eS/9i0/3QSv9Y=
=CbcJ
-----END PGP SIGNATURE-----
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and
Risk!
Fully trained technicians. The highest number of Red Hat
certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid�7521&bid$8729&dat�1642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
