Snort mailing list archives

Re: Question about var SERVICE_PORTS


From: Andreas Östling <andreaso () it su se>
Date: Fri, 9 Jan 2004 23:36:29 +0100 (CET)


On Fri, 9 Jan 2004, Schmehl, Paul L wrote:


> In previous versions of snort, I had vars like this:
> SERVICE_PORTS xx xx xx xx
> E.g var HTTP_PORTS 80 443 8080 8887
>
> IOW, a space-separated list of appropriate ports.

Unfortunately, Snort doesn't support port lists in any form and never 
has. The line "var HTTP_PORTS 80 443 8080 8887" will actually be silently 
parsed as "var HTTP_PORTS 80".


> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
> var HTTP_PORTS 80
>
> Can someone please explain what the above notes mean?  It looks like the
> explanation was left out of the sample conf file.  Can we still define
> vars for ports as a space-separated list of ports?  Do we need to put
> the list in some sort of include file now?  How does this work now?

That's just a workaround for the fact that port lists aren't supported.
The include trick sets a variable to something, loads a file where that 
variable is used in the rules, changes the variable and loads the same 
file again, i.e. the result is multiple identical rules except that the 
port changes in them.

Implementing real port lists is not trivial because of how the 
internal optimizing works, but you may want to have a look at this thread 
for a workaround:

http://marc.theaimsgroup.com/?l=snort-devel&m=107282430014686&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107341476419431&w=2

It's basically a patch that allows you to specify port lists like
var HTTP_PORTS [80,443,8080] that gives the same result as when using the 
include trick, i.e. it simply expands to multiple rules instead of being 
a true list, while being much easier to type and maintain. It has its 
drawbacks but I still find it very useful. I think I have a slightly 
improved patch somewhere if you want to try it out.

/Andreas
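The include trick described in the reply, emulated in a small Python script added here (this is not Snort's own parser and not code from the thread): `var` keeps only its first token, each `include` pastes the rule file with the current variable values substituted, and a check flags space-separated lists that would be silently truncated. The conf fragment, file name and rule text are constructed sample input.

```python
import re

# Constructed snort.conf fragment: the include trick plus one silently-truncated list.
CONF = """\
var HTTP_PORTS 80
include web.rules
var HTTP_PORTS 8080
include web.rules
var SMTP_PORTS 25 587
"""

# Constructed rule file referenced by the include lines above.
FILES = {
    "web.rules": 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
                 '(msg:"WEB probe"; sid:1000001;)\n',
}

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.*?)\s*$")
INC_RE = re.compile(r"^\s*include\s+(\S+)\s*$")


def substitute(rule, variables):
    """Replace $NAME with its current value; undefined names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), rule)


def expand(conf, files):
    """Walk the conf top to bottom; return (expanded rule lines, warnings).

    Rules are substituted at include time with the values in force at that
    moment, which is what makes including the same file twice yield one
    rule per port.
    """
    variables, rules, warnings = {}, [], []
    for lineno, line in enumerate(conf.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            name, tokens = m.group(1), m.group(2).split()
            if len(tokens) > 1:  # the rest of the list is dropped, as the reply explains
                warnings.append(f"line {lineno}: var {name} has {len(tokens)} tokens; "
                                f"only '{tokens[0]}' will be used")
            variables[name] = tokens[0]
            continue
        m = INC_RE.match(line)
        if m:
            for rule in files[m.group(1)].splitlines():
                if rule.strip():
                    rules.append(substitute(rule, variables))
    return rules, warnings


if __name__ == "__main__":
    out, warns = expand(CONF, FILES)
    print("\n".join(out + warns))
```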

