[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS

Darren Spruell phatbuckett at gmail.com
Tue Sep 20 19:51:50 UTC 2011


Incidentally - how best to use the http proto tag? :)

Interested to hear impressions.

DS

On Mon, Sep 12, 2011 at 1:44 PM, Matthew Jonkman <jonkman at gmail.com> wrote:
> Some we do want to limit to http_ports, but more are legacy from prior to us understanding how best to use the http proto tag.
>
> Appreciate the reminder, we'll dig through and get them all to the correct state that are appropriate asap!
>
> Matt
>
>
>
> On Sep 12, 2011, at 3:56 PM, Darren Spruell wrote:
>
>> There's a number of rules in the Suricata rulesets (ET open, Pro) that
>> use the following rule header constructs:
>>
>> alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>
>> Is it intended to be using 'alert http' together with port-bound
>> variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
>> $HOME_NET any' construct although I can see restricting ports for
>> performance reasons in some cases.
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>



-- 
Darren Spruell
phatbuckett at gmail.com
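The question raised in this thread is easier to act on with a small audit script. The following is an added example, not code from the thread, from Emerging Threats or from the Suricata project: it parses rule headers, keeps only rules whose protocol keyword is `http`, and reports those whose source or destination port field is anything other than `any` (for instance `$HTTP_PORTS`). In Suricata the `http` keyword matches on app-layer protocol detection, so a port variable in the header further narrows where such a rule can fire; the script also produces the `any`-port form of the header for comparison. The sample rules, their SIDs and messages are constructed for the demonstration; the header regex assumes there is no whitespace inside the port fields.

```python
import re

# Constructed sample ruleset modelled on the header forms quoted in the thread.
# SIDs and messages are made up for this example.
SAMPLE_RULES = """
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed sample 1"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed sample 2"; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed sample 3"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed sample 4"; sid:9000004; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"disabled, ignored"; sid:9000005; rev:1;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rule(line):
    """Split one rule line into header fields plus its sid; None if it is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    sid = SID_RE.search(rule['opts'])
    rule['sid'] = int(sid.group(1)) if sid else None
    return rule


def port_bound(field):
    """A port field restricts traffic unless it is the literal 'any'."""
    return field.lower() != 'any'


def any_port_header(rule):
    """Rebuild the header with both port fields widened to 'any'."""
    return '{action} {proto} {src} any {dir} {dst} any'.format(**rule)


def find_http_port_bound(rules_text):
    """Return (sid, bound_fields, suggested_header) for every 'http' rule
    whose header still carries a port restriction."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # skip blanks and disabled rules
            continue
        rule = parse_rule(line)
        if rule is None or rule['proto'].lower() != 'http':
            continue
        bound = {f: rule[f] for f in ('sport', 'dport') if port_bound(rule[f])}
        if bound:
            findings.append((rule['sid'], bound, any_port_header(rule)))
    return findings


if __name__ == '__main__':
    for sid, bound, suggestion in find_http_port_bound(SAMPLE_RULES):
        fields = ', '.join('%s=%s' % kv for kv in sorted(bound.items()))
        print('sid %s: http rule with port restriction (%s); any-port form: %s'
              % (sid, fields, suggestion))
```

Run against the constructed ruleset, the script reports SIDs 9000001 and 9000002 (the two header shapes quoted in the thread), skips the `alert tcp` rule because the port restriction there is expected, and ignores the commented-out rule. Pointing it at a real `.rules` file instead of `SAMPLE_RULES` gives the list of candidates to review; whether a given rule should keep its `$HTTP_PORTS` restriction for performance reasons remains a judgement call for the rule author.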


