[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS

Matthew Jonkman jonkman at gmail.com
Mon Sep 12 20:44:41 UTC 2011


Some we do want to limit to http_ports, but more are legacy from prior to us understanding how best to use the http proto tag.

Appreciate the reminder, we'll dig through and get them all to the correct state that are appropriate asap!

Matt



On Sep 12, 2011, at 3:56 PM, Darren Spruell wrote:

> There's a number of rules in the Suricata rulesets (ET open, Pro) that
> use the following rule header constructs:
> 
> alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> 
> Is it intended to be using 'alert http' together with port-bound
> variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
> $HOME_NET any' construct although I can see restricting ports for
> performance reasons in some cases.
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
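The thread above is about rule headers that combine the `http` application-layer protocol with `$HTTP_PORTS`. Since the `http` keyword already relies on Suricata's protocol detection, a port variable in the header only narrows what the rule inspects, so auditing a ruleset for the legacy form is a useful check before deciding, rule by rule, whether the port restriction is a deliberate performance choice. The script below is an added example written for this page, not code from the list, from Emerging Threats or from the Suricata project; the rules it scans are constructed samples with made-up sids in the local range, and the header regex is a simplification that ignores IP/port lists in brackets and negations.

```python
import re

# Suricata rule header layout: action proto src_ip src_port direction dst_ip dst_port (options)
# Simplified: each header field is taken as one non-whitespace token (no bracketed lists).
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (not from any real ruleset): two use the legacy
# port-bound header, one uses the port-agnostic form, one is plain tcp.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE inbound port-bound"; flow:established,to_client; content:"example"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE outbound port-bound"; flow:established,to_server; content:"example"; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE port-agnostic"; flow:established,to_client; content:"example"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE plain tcp"; content:"example"; sid:9000004; rev:1;)
# comment lines and blank lines are skipped
"""


def parse_rule(line):
    """Split one rule into header fields and options; None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    sid_m = SID_RE.search(rule["options"])
    rule["sid"] = int(sid_m.group(1)) if sid_m else None
    return rule


def port_bound_http_rules(text):
    """Return (sid, header) for 'http' rules whose source or destination port is not 'any'.

    With proto 'http' the rule is selected by app-layer protocol detection, so a port
    restriction only excludes HTTP seen on other ports from this rule's inspection.
    """
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["proto"].lower() != "http":
            continue
        if rule["src_port"] != "any" or rule["dst_port"] != "any":
            header = (f"{rule['action']} {rule['proto']} {rule['src_ip']} {rule['src_port']} "
                      f"{rule['dir']} {rule['dst_ip']} {rule['dst_port']}")
            findings.append((rule["sid"], header))
    return findings


def suggest_header(header):
    """Rewrite a header into the port-agnostic form by setting both port fields to 'any'."""
    action, proto, src_ip, _src_port, direction, dst_ip, _dst_port = header.split()
    return f"{action} {proto} {src_ip} any {direction} {dst_ip} any"


if __name__ == "__main__":
    for sid, header in port_bound_http_rules(SAMPLE_RULES):
        print(f"sid {sid}: {header}")
        print(f"    port-agnostic form: {suggest_header(header)}")
```

Run it against a real `.rules` file by reading the file into `port_bound_http_rules`; each finding is a candidate to review, not an automatic rewrite, since the thread itself notes that some rules are meant to stay limited to `$HTTP_PORTS` for performance.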



