Snort mailing list archives
Port agnostic application layer protocol identification and parsing
From: Miso Patel <miso.patel () gmail com>
Date: Fri, 18 Nov 2011 10:42:18 -0600
I know Snort can do application layer parsing of certain protocols like HTTP, FTP, SMTP, etc., but can Snort identify these across all ports or do you have to specify specific ports? I saw in snort.conf that you specify ports for server in http_inspect. I suppose one could specify all 65,536 ports to look on but does that impact performance? Has anyone tried this? Sometimes I worry people will set up an FTP server or HTTP proxy at home on an ephemeral port like 65535 and we won't see it and they can bypass web filters and firewalls.

Thank you.

Miso, CISO
Current thread:
- Port agnostic application layer protocol identification and parsing Miso Patel (Nov 18)
- Re: Port agnostic application layer protocol identification and parsing Bennett Todd (Nov 18)