Snort mailing list archives
Re: Question about var SERVICE_PORTS
From: Andreas Östling <andreaso () it su se>
Date: Fri, 9 Jan 2004 23:36:29 +0100 (CET)
On Fri, 9 Jan 2004, Schmehl, Paul L wrote:
> In previous versions of snort, I had vars like this:
>
> SERVICE_PORTS xx xx xx xx
>
> E.g. var HTTP_PORTS 80 443 8080 8887
>
> IOW, a space-separated list of appropriate ports.
Unfortunately, Snort doesn't support port lists in any form and never has. The line "var HTTP_PORTS 80 443 8080 8887" will actually be silently parsed as "var HTTP_PORTS 80".
> ## var HTTP_PORTS 80
> ## include somefile.rules
> ## var HTTP_PORTS 8080
> ## include somefile.rules
> var HTTP_PORTS 80
>
> Can someone please explain what the above notes mean? It looks like the explanation was left out of the sample conf file. Can we still define vars for ports as a space-separated list of ports? Do we need to put the list in some sort of include file now? How does this work now?
That's just a workaround for the fact that port lists aren't supported. The include trick sets a variable to something, loads a file where that variable is used in the rules, changes the variable and loads the same file again, i.e. the result is multiple identical rules except that the port changes in them.

Implementing real port lists is not trivial because of how the internal optimizing works, but you may want to have a look at this thread for a workaround:

http://marc.theaimsgroup.com/?l=snort-devel&m=107282430014686&w=2
http://marc.theaimsgroup.com/?l=snort-devel&m=107341476419431&w=2

It's basically a patch that allows you to specify port lists like

var HTTP_PORTS [80,443,8080]

that gives the same result as when using the include trick, i.e. it simply expands to multiple rules instead of being a true list, while being much easier to type and maintain. It has its drawbacks but I still find it very useful. I think I have a slightly improved patch somewhere if you want to try it out.

/Andreas
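An added example, not part of the original message and not code from Snort or from the patch mentioned above: a small config check that flags `var` lines whose value has more than one token (the case the reply says is silently cut to the first token) and writes out the var/include pairs of the include trick for them. The function names, the sample config and the sample rule are assumptions made for illustration.

```python
import re

# Constructed sample snort.conf fragment; the HTTP_PORTS line is the one from the post.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/8
var HTTP_PORTS 80 443 8080 8887
include somefile.rules
"""
# Constructed sample rule standing in for the contents of somefile.rules.
SAMPLE_RULE = 'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"constructed example";)'

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(\S.*?)\s*$")


def find_truncated_vars(conf_text):
    """Return (lineno, name, kept, dropped) for every var line with extra tokens."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = VAR_LINE.match(line.split("#", 1)[0])  # drop comments first
        if match:
            name, tokens = match.group(1), match.group(2).split()
            if len(tokens) > 1:
                findings.append((lineno, name, tokens[0], tokens[1:]))
    return findings


def include_trick(name, ports, rules_file):
    """Build the var/include pairs that load rules_file once per port."""
    lines = []
    for port in ports:
        if not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError("not a single TCP/UDP port: %r" % port)
        lines += ["var %s %s" % (name, port), "include %s" % rules_file]
    return lines


def effective_rules(rule, name, ports):
    """Show the rule copies that result: one per port, otherwise identical."""
    return [rule.replace("$" + name, port) for port in ports]


if __name__ == "__main__":
    for lineno, name, kept, dropped in find_truncated_vars(SAMPLE_CONF):
        ports = [kept] + dropped
        print("line %d: %s keeps %s, drops %s" % (lineno, name, kept, dropped))
        print("\n".join(include_trick(name, ports, "somefile.rules")))
        print("\n".join(effective_rules(SAMPLE_RULE, name, ports)))
```

Running the check over a sensor's config before deployment shows which ports would otherwise go unmonitored by the rules that reference the variable.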