Re: portrange: msg#00022 (security.ids.snort.devel)
On a side note, I wrote a patch to the portscan_ignorehosts preprocessor option that allows one to specify port ranges. I haven't finished the one for portscan2 or even thought about sfportscan. If anyone wants it, let me know.

-- john

On Fri, Apr 28, 2006 at 07:01:11PM -0500, John Newman wrote:
> Just curious - why doesn't snort support the BPF portrange expression,
> where it otherwise seems to match up with tcpdump's expression syntax
> exactly? This would be extremely useful for sites that e.g. have their
> ftpaccess files set so that all passive ports are opened in a certain
> range - then you could do
>
> snort -A fast -i br0 not dst portrange XXX-XXXX
>
> rather than having to do "not dst port X and not dst port X+1 and ..."
> which, on my box, with 1000 ports, makes snort start rather slowly.
>
> BTW, here is the error I get when I try to use the portrange option.
> Maybe it's my version of pcap? (I don't think so because the same
> expression works fine in tcpdump).
>
> ERROR: OpenPcap() FSM compilation failed:
> unknown host 'portrange'
>
> --
> John Newman
> Systems Administrator, WebXess Inc.

--
John Newman
Systems Administrator, WebXess Inc.
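The range exclusion discussed in this thread can also be written without the portrange keyword, by comparing the destination port field directly. The following is an added example, not part of the original messages or of Snort: the function names and port numbers are hypothetical, and it assumes the libpcap that Snort is linked against accepts the standard tcp[2:2] / udp[2:2] byte-offset syntax.

```shell
# Added example; the port numbers used with it are constructed sample values.

# Accept only plain decimal ports 0-65535 with lo <= hi.
valid_range() {
    for n in "$1" "$2"; do
        case $n in
            ''|*[!0-9]*|0?*|??????*) return 1 ;;
        esac
        [ "$n" -le 65535 ] || return 1
    done
    [ "$1" -le "$2" ]
}

# Enumerated form from the post: one "not dst port N" term per port.
bpf_exclude_enumerated() {
    valid_range "$1" "$2" || return 1
    filter=""; p=$1
    while [ "$p" -le "$2" ]; do
        filter="${filter:+$filter and }not dst port $p"
        p=$((p + 1))
    done
    printf '%s\n' "$filter"
}

# Compact form: two comparisons on the 16-bit destination port field at
# offset 2 of the TCP or UDP header. The tcp[]/udp[] accessors apply to
# IPv4 only, so IPv6 traffic in the range is not excluded by this filter.
bpf_exclude_compact() {
    valid_range "$1" "$2" || return 1
    printf 'not (tcp[2:2] >= %d and tcp[2:2] <= %d) and not (udp[2:2] >= %d and udp[2:2] <= %d)\n' \
        "$1" "$2" "$1" "$2"
}

# Usage (hypothetical range):
#   snort -A fast -i br0 "$(bpf_exclude_compact 49152 50151)"
```

The compact filter stays the same size however wide the range is, whereas the enumerated filter grows by one term per port.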