Snort mailing list archives
Re: Enabling all ports on 'http_inspect_server'
From: "Carter Waxman \(cwaxman\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 25 Oct 2018 14:46:36 +0000
One of the many improvements of Snort 3: -- in your lua config http_inspect = { -- your settings } binder = { -- put your explicit port / address -> inspector bindings here -- { when = { criteria }, use = { name or type = ‘name_of_inspector’ } }, { use = { name = ‘wizard’ } } -- if nothing explicit matches, use automatic service detection } wizard = default_wizard -- define automatic service detection From: Snort-users <snort-users-bounces () lists snort org> on behalf of Junaid Bohio via Snort-users <snort-users () lists snort org> Reply-To: Junaid Bohio <mjbohio () gmail com> Date: Thursday, October 25, 2018 at 10:32 AM To: "snort-users () lists snort org" <snort-users () lists snort org> Subject: [Snort-users] Enabling all ports on 'http_inspect_server' Hi, I am wondering if Snort allows to enable all ports under 'http_inspect_server' server? In case of normal HTTP traffic, listing few standard ports is sufficient, but in case of malware traffic the remote control server can be listening on any port. If a non-standard port is not listed under that config then HTTP modifiers like 'http_uri', 'http_header', etc. don't work. I have done various tests and it doesn't seem to be accepting port range or all ports (most likely for performance reasons) but i just want to verify it here. Thank you!
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Enabling all ports on 'http_inspect_server' Junaid Bohio via Snort-users (Oct 25)
- Re: Enabling all ports on 'http_inspect_server' Carter Waxman (cwaxman) via Snort-users (Oct 25)
- Re: Enabling all ports on 'http_inspect_server' Junaid Bohio via Snort-users (Oct 25)
- Re: Enabling all ports on 'http_inspect_server' Carter Waxman (cwaxman) via Snort-users (Oct 25)