Snort mailing list archives
Re: Proper Method and/or Place to Declare HTTP_SERVERS port?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 08 May 2002 17:46:08 -0400
Sorry, you're gonna have to edit the rules to do what you want. The rules probably should use some kind of var HTTP_PORT so this can easily be changed in snort.conf, but that might lead to people thinking they can use a comma-delimited list of ports like you can for IP addresses.
http_decode is a preprocessor that "normalizes" the data so that certain tactics for avoiding detection are rendered useless. As best I understand, http_decode basically deals with the "alternate" ways of encoding a byte allowed in HTTP (i.e. %32 instead of 2) and converts them to common ASCII prior to passing them along to the rules.
At 08:07 PM 5/8/2002 +0000, Vadim Pushkin wrote:
I am using port 8180 versus port 80. I would prefer not messing around with all of the rules files. I've noticed that the rules files themselves specify port 80, but my servers are listening on port 8180. Is there a way to change this in the snort.conf file? I've tried setting:

preprocessor http_decode: 8180 -unicode -cginull

but I still get alarms for hosts possibly port scanning my HTTP_SERVERS.

Thank you
Vadim

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
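An added example, not part of the original post and not Snort's own code: a small Python helper for the rule edit described in the reply above, changing port 80 to another port only where it is paired with $HTTP_SERVERS in a rule header. The sample rules, their sid values and the function names are constructed for illustration, and the helper assumes each rule sits on a single line.

```python
import re

# "$HTTP_SERVERS 80" as an address/port pair in a rule header.
HEADER_PORT = re.compile(r'(\$HTTP_SERVERS\s+)80(?=\s|$)')

# Constructed sample rules, not taken from any shipped rules file.
SAMPLE = '''\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"sample request rule"; content:"/example.cgi"; sid:1000001;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"sample response rule"; content:"port 80"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample ftp rule"; sid:1000003;)
'''


def retarget_rule(line, new_port):
    """Rewrite the $HTTP_SERVERS port in the rule header, leaving options alone."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith('#'):
        return line  # comments and blank lines pass through unchanged
    # Everything before the first "(" is the header; the rest is rule options,
    # where a literal "80" (for example inside content:) must not be touched.
    header, sep, options = line.partition('(')
    header = HEADER_PORT.sub(lambda m: m.group(1) + str(new_port), header)
    return header + sep + options


def retarget_rules(text, new_port):
    """Return (rewritten_text, number_of_rules_changed)."""
    if not 0 < new_port < 65536:
        raise ValueError("port out of range: %r" % new_port)
    lines = text.splitlines()
    out = [retarget_rule(line, new_port) for line in lines]
    changed = sum(1 for old, new in zip(lines, out) if old != new)
    return '\n'.join(out), changed


if __name__ == '__main__':
    rewritten, count = retarget_rules(SAMPLE, 8180)
    print(rewritten)
    print("rules changed:", count)
```

Run it against a copy of the rules files and diff the result before swapping it in, since the changed count shows how many rule headers were affected.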