Snort Configuration Question (var HTTP_PORTS)

  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    42

    Snort Configuration Question (var HTTP_PORTS)

    After some experimenting I've realized that you cannot list ports for PORT variables in the snort.conf files. I actually just read in some Sourcefire documentation that if you list ports with commas it will only take the first value. There is really no way to list ports... that I know of. I could be missing something, though.

    Now, in my "imaginary" world I have webservers that run on more than one port. 80 8080 443... I'd like to add these to my var HTTP_PORTS, but cannot. Has anyone found a workaround or a fix for this?

    Also, I read that you cannot list ports in the signatures either, not that I want to do this.

    So far I've tried a few different types of listing methods after the var HTTP_PORTS declaration. I've also tried adding a second var HTTP_PORTS variable with a different port, but Snort only picks up the first instance of var HTTP_PORTS.

    Any ideas?

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    From the snort.conf file:

    # var HTTP_PORTS 8081
    #
    # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
    # We will adding support for a real list of ports in the future.


    Meaning you have to list them with a colon (no spaces).

    The part I'm not certain about is if you need to use the square brackets like you do with a list of IP ranges for the HOME_NET variable.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    42
    My understanding of the : is that it makes the "list" a range. So if I put 80:8080 it will look at all ports between 80 and 8080, not just 80 and 8080 as a list.

    Is this correct or am I misunderstanding?

    Thank you for your help!!!

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    When they say continuous, they are referring to how it is typed, not a range. That is my understanding, but I could be wrong. Have you tried it yet? I will try this myself.
    try either:

    var HTTP_PORTS 8081:8080:80:443

    or

    var HTTP_PORTS [8081:8080:80:443]

    I tried it with a space after the colon, but I think it reads the first one and then sees the space as the end of the list, giving you a false indication it worked. I'm going to have a look at the source code and see if I can see how it parses the line. Neither of the above methods worked either.

  5. #5
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    OK, apparently you can only use one other port:

    var HTTP_PORTS 80:8080

    The above works. I am pretty certain it wouldn't be a range, since it would include so many other services such as ident (port 113) and whatever else is in that range, producing false positives.

    As they said in the snort.conf, they will be implementing support for a real list in the future.

  6. #6
    Member
    Join Date
    Sep 2003
    Posts
    42
    Yeah, I just ran a test with the : and it hits every port in the range.

    Test:

    var TEST 20:1500

    It triggered on 20, 1500, and everything in between

    Hmm, I'm going to play around a little more.
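An added example, not from the thread or from the Snort project: a small model of the port-variable syntax that the quoted snort.conf comment documents (a single port such as `80`, or a continuous range such as `80:8080`). It encodes the result the test above arrived at, namely that the colon builds an inclusive range rather than a list, and adds the check a practitioner wants before committing to a range: how many ports outside the ones you actually care about the range drags in. The function names and the small table of well-known ports are this example's own; the colon-separated chains and comma lists tried earlier in the thread are rejected with an error rather than silently truncated, which is a choice of this example and not a claim about how Snort's parser behaves.

```python
# Added example: model of the two port-variable forms the snort.conf comment
# documents ("80" or "low:high"), plus a coverage check for a range.
# Not Snort's parser; behaviour for anything else is this example's own.
from typing import Dict, Set

# Constructed reference table of a few well-known services that sit inside
# a "web-looking" range like 80:8080; used only to show what a range covers.
KNOWN_NON_HTTP: Dict[int, str] = {
    110: "pop3", 113: "ident", 135: "msrpc", 139: "netbios-ssn",
    143: "imap", 389: "ldap", 445: "microsoft-ds", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5432: "postgresql",
}


def expand_port_spec(spec: str) -> Set[int]:
    """Expand one port-variable value into the set of ports it matches.

    Accepts "80" (single port) or "80:8080" (inclusive range, as the
    thread's test with 20:1500 showed). Chained colons ("80:443:8080"),
    comma lists and space-separated lists raise ValueError so a typo in
    snort.conf is caught instead of being read as the first port only.
    """
    spec = spec.strip()
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        low, high = int(low_s), int(high_s)   # int() rejects "8080:80:443"
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port range: {spec}")
        return set(range(low, high + 1))
    port = int(spec)                           # int() rejects "80,8080,443"
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port: {spec}")
    return {port}


def collateral(spec: str, wanted: Set[int]) -> dict:
    """Report what a port spec covers beyond the ports you actually wanted.

    Returns the total number of ports covered, how many of those were not
    asked for, and which of the well-known non-HTTP services fall inside.
    """
    covered = expand_port_spec(spec)
    extra = covered - wanted
    return {
        "covered": len(covered),
        "extra": len(extra),
        "missing": sorted(wanted - covered),
        "named_extra": {p: n for p, n in KNOWN_NON_HTTP.items() if p in extra},
    }


if __name__ == "__main__":
    # The webserver ports from the first post, and the range post #5 settled on.
    report = collateral("80:8080", {80, 443, 8080})
    print(f"80:8080 covers {report['covered']} ports, "
          f"{report['extra']} of them not wanted, including "
          f"{', '.join(report['named_extra'].values())}")
```

Run it as-is to see the cost of the range form: 80:8080 inspects 8001 ports to get the three that matter, and ident, LDAP, SMB, MSSQL, MySQL, RDP and PostgreSQL are all among the unwanted ones, which is exactly the false-positive exposure post #5 worried about.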

  7. #7
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    You might want to have a look at this, even though it is almost 2 years old. The issue seems to be how much overhead using multiple ports puts on Snort. The below URL shows one solution included in the snort.conf and a patch that does the same thing via Snort.

    http://marc.theaimsgroup.com/?l=snor...2430014686&w=2

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I had this problem before and managed to find a way around it.

    Reload the rules file for every server you have, as in

    Code:
    var HTTP_PORTS 80
    include web-iis.rules
    var HTTP_PORTS 8080
    include web-iis.rules
    var HTTP_PORTS 3128
    include web-iis.rules
    This would load the same ruleset three times, with a different port number for each server. I found this was the easiest way to work around this problem. I would imagine it takes slightly more memory, but it should not increase processor load by too much, as the rule would need to be compared against three webservers anyway.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.


  9. #9
    Member
    Join Date
    Jun 2004
    Posts
    37
    You should make sure all your HTTP servers are in the http_inspect preprocessor. That way, all traffic that is HTTP in nature is inspected on its particular port. (You can make multiple port statements in the preprocessor.)
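An added example, not from the thread or the Snort project, that generates the two pieces of configuration the last two posts describe: the per-port include workaround from post #8 (reset HTTP_PORTS, include the same rules files again, once per port) and a matching ports list for the http_inspect server configuration from post #9, so the preprocessor normalises the same ports the rules are loaded for. The rules file names and ports are parameters you supply; the `preprocessor http_inspect_server: server default profile all ports { ... }` line is assumed from the Snort 2 http_inspect documentation and should be checked against the README.http_inspect shipped with your version.

```python
# Added example: emit a snort.conf fragment for the per-port include
# workaround plus a matching http_inspect_server ports list.
# The http_inspect_server line is assumed from Snort 2 docs; verify it
# against your version's README.http_inspect before use.
from typing import Iterable, List


def dedupe_ports(ports: Iterable[int]) -> List[int]:
    """Validate ports and drop duplicates while keeping their order.

    A repeated include for the same port would load every rule twice for
    that port and double the alerts, so duplicates are collapsed here.
    """
    seen = set()
    out: List[int] = []
    for p in ports:
        p = int(p)
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


def per_port_includes(var: str, rules_files: Iterable[str],
                      ports: Iterable[int]) -> str:
    """The workaround from post #8: 'var X <port>' then the includes, per port."""
    files = list(rules_files)
    if not files:
        raise ValueError("at least one rules file is required")
    lines: List[str] = []
    for p in dedupe_ports(ports):
        lines.append(f"var {var} {p}")
        lines.extend(f"include {f}" for f in files)
    return "\n".join(lines) + "\n"


def http_inspect_ports(ports: Iterable[int]) -> str:
    """http_inspect server line listing the same ports (syntax assumed, see above)."""
    plist = " ".join(str(p) for p in dedupe_ports(ports))
    return f"preprocessor http_inspect_server: server default profile all ports {{ {plist} }}\n"


def build_fragment(rules_files: Iterable[str], ports: Iterable[int],
                   var: str = "HTTP_PORTS") -> str:
    """Preprocessor line first, then the repeated var/include block."""
    files = list(rules_files)
    plist = list(ports)
    return http_inspect_ports(plist) + "\n" + per_port_includes(var, files, plist)


if __name__ == "__main__":
    # The servers from post #8: 80, 8080 and a 3128 proxy, two web rule files.
    print(build_fragment(["web-iis.rules", "web-misc.rules"], [80, 8080, 3128]))
```

Paste the output into snort.conf in place of the single `var HTTP_PORTS` line and the original includes, then run `snort -T -c snort.conf` (test mode) before deploying: whether the same rule loaded three times under three port values is accepted, and the memory cost of doing so, both depend on your Snort version, and test mode will report either problem without putting the sensor in line.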
