This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bug in Perf.Tuning>HTTP Service: specified 2 ports

I specified 80:8080 ports at "Intrusion Protection >> Advanced >> Performance Tuning >> HTTP Service:"

[ QUOTE ]
HTTP Service: Chooses the destination port number of HTTP traffic. Change or define the service in Definitions->Services if necessary - only the destination port number of the definition is actually used. If you specify a destination port range, then the first and the last port is used . For example, if you specified 80:8080, then HTTP rules are applied for destination ports 80 and 8080.

[/ QUOTE ]

and I have at my logs many False Positives like this:

2004:09:22-16:00:02 (none) snort[1025]: [1:1333:0] D WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {PROTO006} 207.46.244.222:443 -> 192.168.0.201: 4373

This thread was automatically locked due to age.

0 Stephan_Scholz over 21 years ago

Hi WaMaR,

unfortunately this is a limitation of Snort. For the Snort preprocessors, everything works as described - the first and last port of the range is used. For Snort rules, however, the whole range is used. This leads to the false positives.

Stephan
Cancel
Vote Up 0 Vote Down

Cancel