After some experimenting I've realized that you cannot list ports for PORT variables in the snort.conf files. I actually just read in some Sourcefire documentation that if you list ports with commas it will only take the first value. There is really no way to list ports... that I know of. I could be missing something, though.

Now, in my "imaginary" world I have webservers that run on more than one port: 80, 8080, 443... I'd like to add these to my var HTTP_PORTS, but cannot. Has anyone found a workaround or a fix for this?

Also, I read that you cannot list ports in the signatures either, not that I want to do this.

So far I've tried a few different types of listing methods after the var HTTP_PORTS declaration. I've also tried adding a second var HTTP_PORTS variable with a different port, but Snort only picks up the first instance of var HTTP_PORTS.

Any ideas?