[Snort-users] My "wishlist" (small stuff).

Sat Aug 19 20:42:07 EDT 2000

Hi Snorters,

I read about all this stuff that's planned for Snort, and I think that's
great. However I have a few small "wishes" which would not impact Snort
greatly, but would probably make life easier for a few people. Those include:

1) Being able to issue system commands from the rules file. Maybe something
like this:
var SYSTEM = `uname`
I don't know if using backticks is feasible or not, or if my concept is
feasible at all. I did have a few instances where I could have used
something like that though.

2) IP Grabbing: Just so that we don't have to mess around with sed/awk
scripts maybe add some code so that you can either specify HOME_NET on the
command-line, or so that Snort reads an IP from an environmental variable?
Once again, don't know how feasible/useful it'd be, but I could have used
it. My sed script still breaks (will try to fix tonight) because I use a
'cut' command to get an IP and I wind up with a space sometimes, breaking
the regex.

3) Less sensitive to 'bad files': I am not complaining here, but I notice
that Snort segfaults a lot when something is the matter with a rules file, or
it thinks something is the matter. Sometimes it's a space after the IP,
sometimes it's I-don't-know-what. I don't know if this can be fixed from a
programming standpoint, but if anyone has a few minutes to look at the code
that reads in the file...

Well, those are just some ideas I had. Maybe they are stupid, I just thought
they'd be useful (at least I had a use for them at one time or another.)

Thanks for reading my rant :-)

Vitaly McLain
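
The failure described in item 2 (a stray space from a 'cut' pipeline breaking the later substitution) can be avoided by trimming and validating the address before it gets anywhere near the rules file. This is an added example, not part of the original post and not Snort code; the function names, the `var HOME_NET <addr>/32` line format, the single-host `/32` suffix and the sample address are assumptions.

```shell
#!/bin/sh
# Added example: turn a possibly padded string into a safe HOME_NET line.

# trim: strip carriage returns and leading/trailing whitespace from $1.
trim() {
    printf '%s' "$1" | tr -d '\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# is_ipv4: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    case "$1" in
        # empty, any character other than digit/dot, or an empty octet
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# home_net_line: print the variable line, or fail without printing one,
# so a malformed value is never written into the rules file.
home_net_line() {
    ip=$(trim "$1")
    if is_ipv4 "$ip"; then
        printf 'var HOME_NET %s/32\n' "$ip"   # assumed line format
    else
        printf 'refusing to write HOME_NET: bad address "%s"\n' "$ip" >&2
        return 1
    fi
}

# Constructed sample: the kind of value a 'cut' pipeline can return,
# with the trailing space that broke the regex.
sample='192.0.2.17 '
home_net_line "$sample"
```

Because the function returns non-zero on bad input, a wrapper script can stop before starting Snort instead of handing it a rules file with a malformed address.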
