Snort mailing list archives
RE: Question about var SERVICE_PORTS
From: Andreas Östling <andreaso () it su se>
Date: Sat, 10 Jan 2004 00:12:31 +0100 (CET)
On Fri, 9 Jan 2004, Schmehl, Paul L wrote:
Seems like the var SOMEPORTS [80,443,8080], var HTTP_PORTS $SOMEPORTS would be the way to go. Is there a drawback to that? I understand how your patch works, but I'd prefer not to patch snort, because then I have to remember to patch it again every time I upgrade. I'm lazy and I've got way too many things to do already. :-)
Hello (and thanks).

The major drawback is that negations don't work when you do simple expansion, like:

    alert tcp any any -> any ![80,443,8080]

would become:

    alert tcp any any -> any !80
    alert tcp any any -> any !443
    alert tcp any any -> any !8080

which is NOT what you want/expect :)

And then there is a possible performance issue as this creates multiple rules with one port in each instead of staying a single rule with a true port list.

So it's really just a simpler way of doing the include trick until it's fixed the real way.

/Andreas
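The negation problem described in this message, as an added example that is not part of the original post and is not Snort's own code: a constructed Python model that evaluates only the destination-port field of a rule header. The function names (`expand_simple`, `dst_port_matches`, `alerts_for`) are hypothetical, and the per-port splitting follows the expansion shown in the message.

```python
import re

# Matches a rule header whose destination port is a bracketed list, e.g. ![80,443,8080]
RULE_RE = re.compile(r"^(?P<head>.*->\s+\S+\s+)(?P<neg>!?)\[(?P<ports>[\d,]+)\]\s*$")

def expand_simple(rule):
    """Split a bracketed port list into one rule per port, copying any
    leading '!' onto each rule (the simple expansion from the message)."""
    m = RULE_RE.match(rule)
    if not m:
        return [rule]  # no bracketed list: nothing to expand
    ports = [p for p in m.group("ports").split(",") if p]
    return [f"{m.group('head')}{m.group('neg')}{p}" for p in ports]

def dst_port_matches(rule, port):
    """True if the rule's destination-port field matches `port`.
    Handles 'any', N, !N, [a,b,c] and ![a,b,c] (assumed model, not Snort's parser)."""
    spec = rule.split()[-1]
    if spec == "any":
        return True
    negated = spec.startswith("!")
    listed = {int(p) for p in spec.lstrip("!").strip("[]").split(",")}
    return (port in listed) != negated

def alerts_for(rules, port):
    """Return the rules that would fire for traffic to `port`."""
    return [r for r in rules if dst_port_matches(r, port)]

# Constructed sample: the rule from the message and its simple expansion.
RULE = "alert tcp any any -> any ![80,443,8080]"
EXPANDED = expand_simple(RULE)

if __name__ == "__main__":
    for port in (80, 443, 8080, 25):
        true_hits = len(alerts_for([RULE], port))
        naive_hits = len(alerts_for(EXPANDED, port))
        print(f"port {port:5d}: true list -> {true_hits} alert(s), "
              f"expanded rules -> {naive_hits} alert(s)")
```

With the true negated list, traffic to port 80 fires nothing; after simple expansion it fires the `!443` and `!8080` rules, and traffic to any unlisted port fires all three.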