Snort mailing list archives

RE: RE: [Snort-sigs] ports


From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Wed, 5 Jan 2005 11:52:24 -0500

right, but that's not what you had.  It makes a world of difference if you
write it as an equivalent to:

var SPECIFIC_PORT 21
alert tcp any $SPECIFIC_PORT -> any any blah blah.
var SPECIFIC_PORT 110
alert tcp any $SPECIFIC_PORT -> any any blah blah.

Because you're re-defining that variable between the invocations of the
rule.  If you've only got one rule, it's kind of pointless to do it this
way.  If you've got a bunch, it could be handy (i.e., you've got a bunch of
IIS servers listening on both port 80 and 8080, so you do:

var HTTP_PORT 80
include web-iis.rules
var HTTP_PORT 8080
include web-iis.rules
)

-Joe

-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: Wednesday, January 05, 2005 11:39 AM
To: Joe Patterson
Cc: snort-sigs () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: [Snort-sigs] ports


IIRC this is in the FAQ or the manual

var SPECIFIC_PORT 21
include port_list.rules

var SPECIFIC_PORT 110
include port_list.rules

Joe Patterson wrote:

um, false.  The second variable definition would override the first,
which would leave you with the equivalent of:

alert tcp any 110 -> any any blah blah
which is not what you want.

-Joe

    -----Original Message-----
    *From:* snort-sigs-admin () lists sourceforge net
    [mailto:snort-sigs-admin () lists sourceforge net]*On Behalf Of *Esler,
    Joel - Contractor
    *Sent:* Wednesday, January 05, 2005 8:01 AM
    *To:* snort-sigs () lists sourceforge net;
    snort-users () lists sourceforge net
    *Subject:* RE: [Snort-sigs] ports

    you can't do a list of ports, the best you can do is something like

    ---snort.conf----
    var SPECIFIC_PORT 21
    var SPECIFIC_PORT 110

    then in your rule

    alert tcp any $SPECIFIC_PORT -> any any blah blah.

        -----Original Message-----
        *From:* snort-sigs-admin () lists sourceforge net
        [mailto:snort-sigs-admin () lists sourceforge net] *On Behalf Of
        *reynald
        *Sent:* Tuesday, January 04, 2005 10:49 PM
        *To:* snort-sigs () lists sourceforge net
        *Cc:* Reynald Mahinay
        *Subject:* [Snort-sigs] ports

        Hello,

        How can I define a list of ports? e.g. 25,110 doesn't work... Now
        I know snort can do port ranging, but how about a specific list
        of ports only.

        please help..thanks


        reynald
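
Added example (not part of the thread, and not Snort's own parser): a simplified Python model of top-to-bottom `var` / `include` processing as the messages above describe it. It shows why two `var` lines ahead of a single rule leave only port 110, while redefining the variable between includes yields one rule per port. The rule body, file contents and helper names are constructed for illustration.

```python
import re

VAR_REF = re.compile(r"\$(\w+)")

def load(lines, files, variables=None, rules=None):
    """Process config lines in order; return rules with variables expanded."""
    variables = {} if variables is None else variables
    rules = [] if rules is None else rules
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "var":
            # A later definition replaces the earlier one from this point on.
            name, _, value = rest.strip().partition(" ")
            variables[name] = value.strip()
        elif word == "include":
            # Included rules see whatever value is current right now.
            load(files[rest.strip()], files, variables, rules)
        else:
            def substitute(match):
                if match.group(1) not in variables:
                    raise ValueError("undefined variable: " + match.group(1))
                return variables[match.group(1)]
            rules.append(VAR_REF.sub(substitute, line))
    return rules

def source_ports(rules):
    """Source-port field of each expanded rule (4th token of the header)."""
    return [rule.split()[3] for rule in rules]

# Constructed sample rule and rule file (assumption, not from the thread).
RULE = 'alert tcp any $SPECIFIC_PORT -> any any (msg:"constructed";)'
FILES = {"port_list.rules": [RULE]}

# Both definitions first, then one rule: the second value wins.
BOTH_VARS_FIRST = ["var SPECIFIC_PORT 21", "var SPECIFIC_PORT 110", RULE]

# Redefine between includes: the rule file is loaded once per port.
REDEFINE_BETWEEN = ["var SPECIFIC_PORT 21", "include port_list.rules",
                    "var SPECIFIC_PORT 110", "include port_list.rules"]

if __name__ == "__main__":
    print(source_ports(load(BOTH_VARS_FIRST, FILES)))
    print(source_ports(load(REDEFINE_BETWEEN, FILES)))
```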




