Re: [Snort-users] multiple port variable fun

Subject: Re: [Snort-users] multiple port variable fun
Date: Wed, 4 Jul 2007 09:17:45 +0200
On 7/3/07, Ryan Hudson <ryan@mydingo.net.au> wrote:
Do you mean put that in snort.conf?  Because when I tried that it just
thought you were reading the same rules files multiple times and failed as
the same pids were being used multiple times. And the http_ports variable
was over-written 3 times.

-----Original Message-----
From: Leon Ward [mailto:seclists@rm-rf.co.uk]
Sent: Wednesday, 4 July 2007 3:27 AM
To: ryan@mydingo.net.au
Subject: Re: [Snort-users] multiple port variable fun

Hi

var HTTP_PORTS 80
include http.rules
var HTTP_PORTS 8082
include http.rules
var HTTP_PORTS 3001
include http.rules

Yeap, the SIDs will cause problems.  Barnyard and Oinkmaster wouldn't
play nice either.  One possible solution is to create separate rules
files for each port.  This looks ugly...

var HTTP_PORTS 8082
include $RULE_PATH/web-attacks_port_8082.rules
include $RULE_PATH/web-cgi_port_8082.rules
include $RULE_PATH/web-client_port_8082.rules
include $RULE_PATH/web-coldfusion_port_8082.rules
include $RULE_PATH/web-frontpage_port_8082.rules
include $RULE_PATH/web-iis_port_8082.rules
include $RULE_PATH/web-misc_port_8082.rules
include $RULE_PATH/web-php_port_8082.rules
include $RULE_PATH/bleeding-web_port_8082.rules

var HTTP_PORTS 3001
include $RULE_PATH/web-attacks_port_3001.rules
include $RULE_PATH/web-cgi_port_3001.rules
include $RULE_PATH/web-client_port_3001.rules
include $RULE_PATH/web-coldfusion_port_3001.rules
include $RULE_PATH/web-frontpage_port_3001.rules
include $RULE_PATH/web-iis_port_3001.rules
include $RULE_PATH/web-misc_port_3001.rules
include $RULE_PATH/web-php_port_3001.rules
include $RULE_PATH/bleeding-web_port_3001.rules

var HTTP_PORTS 80
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/bleeding-web.rules


You have to change the SIDs in each of the "port_8082" and "port_3001"
files to something unique.

Another problem would be keeping the rules for the other port files up to date.

A quick search through the ChangeLog of 2.7.0 RC2 didn't turn up
anything to indicate that HTTP_PORTS was fixed to accept multiple
ports.  The sample snort.conf file still includes, "We will adding
support for a real list of ports in the future."  The only mention of
HTTP_PORTS in the source code is a define statement in
sf_snort_plugin_api.h.
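The per-port rules files and SID rewriting described in the reply above, automated as an added example (this is not Snort's own code and not code from any poster in the thread). It keeps the stock files for the primary port, writes a `<name>_port_<port>.rules` copy for every extra port with each `sid` moved into a local range, emits the matching `var HTTP_PORTS` / `include` block, and checks that no SID is shared between files. The sample rules, the `LOCAL_SID_BASE` and `PORT_BLOCK` values and the `$RULE_PATH` layout are constructed assumptions.

```python
"""Per-port copies of Snort 2.x web rules with unique SIDs.

Added example for this thread; not code from the Snort project or from the
list posters. It automates the workaround in the reply above: keep the stock
rules file for the primary HTTP port and, for every extra port, write a
"<name>_port_<port>.rules" copy whose sids are moved into a local range so
Snort, Barnyard and Oinkmaster never see one SID twice. The rule text and
SID ranges below are constructed samples.
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

# Constructed two-rule file standing in for web-misc.rules (not real Snort rules).
SAMPLE_RULES = (
    '# constructed sample file\n'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC sample one"; flow:to_server,established; '
    'content:"/sample1"; sid:1001; rev:2;)\n'
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC sample two"; flow:to_server,established; '
    'content:"/sample2"; sid:1002; rev:1;)\n'
)

LOCAL_SID_BASE = 1000000   # local/custom rules conventionally use sid >= 1,000,000
PORT_BLOCK = 100000        # assumed: each extra port gets its own block of SIDs


def iter_sids(rules_text):
    """Yield the sid of every active (non-comment) rule line."""
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            yield int(m.group(1))


def remap_rules(rules_text, port, port_index):
    """Return (new_text, {old_sid: new_sid}) for one extra port.

    new sid = LOCAL_SID_BASE + port_index * PORT_BLOCK + old sid, so the mapping
    is readable by inspection and distinct across ports.  The msg gets a port
    suffix so alerts from the copied rules stay recognisable in Barnyard output.
    """
    mapping = {}
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            out.append(line)
            continue
        old = int(m.group(1))
        if old >= PORT_BLOCK:
            raise ValueError(f"sid {old} does not fit in a port block of {PORT_BLOCK}")
        new = LOCAL_SID_BASE + port_index * PORT_BLOCK + old
        mapping[old] = new
        line = SID_RE.sub(f"sid:{new};", line, count=1)
        line = MSG_RE.sub(lambda mm: f'msg:"{mm.group(1)} (port {port})"', line, count=1)
        out.append(line)
    return "\n".join(out) + "\n", mapping


def build_port_files(rule_files, primary_port, extra_ports):
    """rule_files: {"web-misc.rules": text, ...}.

    Returns ({filename: text}, snort_conf_fragment).  The primary port keeps the
    stock files; every extra port gets a _port_<port> copy with remapped sids,
    laid out like the include block in the reply above.
    """
    files = dict(rule_files)
    conf = []
    for idx, port in enumerate(extra_ports, start=1):
        conf.append(f"var HTTP_PORTS {port}")
        for name, text in rule_files.items():
            stem, ext = name.rsplit(".", 1)
            new_name = f"{stem}_port_{port}.{ext}"
            files[new_name], _ = remap_rules(text, port, idx)
            conf.append(f"include $RULE_PATH/{new_name}")
        conf.append("")
    conf.append(f"var HTTP_PORTS {primary_port}")
    conf.extend(f"include $RULE_PATH/{name}" for name in rule_files)
    return files, "\n".join(conf) + "\n"


def duplicate_sids(files):
    """Return {sid: [filenames]} for every sid that appears more than once."""
    seen = {}
    for name, text in files.items():
        for sid in iter_sids(text):
            seen.setdefault(sid, []).append(name)
    return {sid: names for sid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    generated, conf = build_port_files({"web-misc.rules": SAMPLE_RULES}, 80, [8082, 3001])
    print(conf)
    for name, text in generated.items():
        print(f"--- {name}\n{text}")
    print("duplicate sids:", duplicate_sids(generated))
```

Because the copies are regenerated from the stock files on every run, the "keeping the other port files up to date" problem reduces to re-running the script after each rule update; `duplicate_sids` is the check to run over the whole rules directory before restarting Snort.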
