[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS

Matthew Jonkman jonkman at gmail.com
Mon Sep 12 20:44:41 UTC 2011

Some we do want to limit to http_ports, but more are legacy from prior to us understanding how best to use the http proto tag.

Appreciate the reminder, we'll dig through and get them all to the correct state that are appropriate asap!


On Sep 12, 2011, at 3:56 PM, Darren Spruell wrote:

> There's a number of rules in the Suricata rulesets (ET open, Pro) that
> use the following rule header constructs:
> alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> Is it intended to be using 'alert http' together with port-bound
> variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
> $HOME_NET any' construct although I can see restricting ports for
> performance reasons in some cases.
> -- 
> Darren Spruell
> phatbuckett at gmail.com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
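The cleanup Matt describes (finding every `alert http` rule that still carries `$HTTP_PORTS` in its header and deciding which should become `any`) is easy to mechanise. The script below is an added example, not code from this thread, from Emerging Threats or from the Suricata project; the sample rules, their sids and the `RuleHeader` helper are constructed for illustration. It parses the header of each rule, reports the `alert http` rules whose source or destination port is anything other than `any`, and offers a rewrite to the port-agnostic form for the ones a reviewer decides should not stay port-bound. Since Suricata's app-layer detection identifies HTTP regardless of port, the `http` keyword alone already matches HTTP on non-standard ports; a `$HTTP_PORTS` binding narrows the rule to those ports, which is only desirable when done deliberately (as Darren notes, sometimes for performance).

```python
"""Audit a Suricata ruleset for 'alert http' rules whose header still binds
ports (e.g. $HTTP_PORTS) instead of using 'any'.

Example code added here; not from the mailing-list thread, Emerging Threats
or Suricata. The sample rules below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header of a Suricata rule: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    sid: Optional[str]
    raw: str


def parse_rule(line: str) -> Optional[RuleHeader]:
    """Parse one rule line; return None for blank, commented or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if m is None:
        return None
    sid_m = SID_RE.search(m["options"])
    return RuleHeader(
        action=m["action"], proto=m["proto"].lower(),
        src=m["src"], sport=m["sport"], direction=m["direction"],
        dst=m["dst"], dport=m["dport"],
        sid=sid_m.group(1) if sid_m else None, raw=line,
    )


def is_port_bound(port: str) -> bool:
    """'any' imposes no port constraint; a variable, number, list or range does."""
    return port.lower() != "any"


def find_port_bound_app_rules(lines, proto: str = "http") -> List[RuleHeader]:
    """Return the app-layer rules (default 'http') that still restrict ports.
    App-layer detection already matches HTTP on any port, so a port-bound
    header limits the rule to flows on those ports only."""
    findings = []
    for line in lines:
        hdr = parse_rule(line)
        if hdr is None or hdr.proto != proto:
            continue
        if is_port_bound(hdr.sport) or is_port_bound(hdr.dport):
            findings.append(hdr)
    return findings


def rewrite_port_agnostic(line: str) -> str:
    """Rewrite a rule's header to 'any' on both port fields, leaving the
    options untouched. Apply only to rules a reviewer decided should not
    stay port-bound; some are kept on $HTTP_PORTS on purpose."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a parseable rule: %r" % line)
    return "%s %s %s any %s %s any (%s)" % (
        m["action"], m["proto"], m["src"], m["direction"], m["dst"], m["options"])


# Constructed sample ruleset (sids in the local range; not from any real feed)
SAMPLE_RULES = """\
# constructed sample rules
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE inbound, port-bound"; flow:established,to_client; content:"example"; http_header; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE outbound, port-bound"; flow:established,to_server; content:"/example"; http_uri; sid:1000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE inbound, any port"; flow:established,to_client; content:"example"; http_header; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE plain tcp rule, not audited"; flow:to_server; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for hdr in find_port_bound_app_rules(SAMPLE_RULES.splitlines()):
        print("sid %s: %s %s %s %s %s %s" % (hdr.sid, hdr.proto, hdr.src,
              hdr.sport, hdr.direction, hdr.dst, hdr.dport))
        print("    port-agnostic form:", rewrite_port_agnostic(hdr.raw))
```

Run against a real `.rules` file by passing its lines to `find_port_bound_app_rules`; the output is a review list, not something to apply blindly, because the rules that were bound to `$HTTP_PORTS` on purpose should keep that header.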
