[Snort-users] Greetings and some suggestions

Borja Marcos borjamar at ...778...
Fri Nov 10 19:04:47 EST 2000


	First, I would like to thank the authors for their excellent work.
This program is really useful. Especially when coupled to ACID!!

	Now, the suggestions :-)

	I am running snort under FreeBSD. FreeBSD has a great feature:
you don't need to be root to be able to use BPF. You just need access
to /dev/bpf?. So, if you create a group called (for example)
"sniff" and make the user under whose uid you run snort a member
of the group... voila!

	Right now my snort is running happily as user "snort".

	Second thing, regarding the rules: I think it would
be great if I could specify some exceptions to the rules.
In my current example, I have a machine with a CGI called count.cgi
which *must* be accessed, but some other webservers in the network
do *not* have it. So, it would be great to do something like:

pass_abort tcp !$HOME_NET any -> 80
(msg:"WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;)
alert tcp !$HOME_NET any -> ! 80
(msg:"WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;)

	(or something similar. I mean, if a packet matches the
rule, do not examine it anymore).

	I know this can be tricky to configure, but would prove
to be really useful.
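The two things the post asks for, worked through as an added example (this is not code from the original post, from Snort, or from FreeBSD): a script that grants a group access to /dev/bpf* so snort can run as an unprivileged user, checks the resulting permissions, and expresses the count.cgi exception with Snort's existing "pass" action. The group name "sniff", the user "snort", the host variable COUNT_HOST, the interface fxp0, the /dev/bpf0-style device names and the 192.168.1.0/24 addresses are assumptions for the example. It relies on one Snort 1.x behaviour: pass rules are normally evaluated after alert rules, and the -o switch changes the order to Pass->Alert->Log, which is what makes the exception work.

```shell
#!/bin/sh
# Added example, not part of the original post or of Snort/FreeBSD.
# Assumptions: group "sniff", user "snort", static /dev/bpf* nodes
# (FreeBSD 4.x style), one web host that legitimately serves count.cgi.

SNIFF_GROUP=sniff
SNORT_USER=snort

# bpf_perm_ok GROUP "ls -l line": return 0 when the device line shows the
# expected group and the group-read bit. 0640 is enough for capture; the
# group-write bit would also let the group inject frames, so it is not
# granted and not required here.
bpf_perm_ok() {
    expected=$1
    set -- $2                 # split the ls -l line into fields
    mode=$1; group=$4
    [ "$group" = "$expected" ] || return 1
    case $mode in
        c???r*) return 0 ;;   # character device, group-read set
        *)      return 1 ;;
    esac
}

# grant_bpf_access: create the group, add the snort user to it, hand the
# bpf nodes to the group and verify. Needs root on FreeBSD; refuses elsewhere.
# Caveat: "pw usermod -G" replaces the user's secondary group list, and a
# devfs(5)-based system resets node ownership at boot, so there the same
# change belongs in the devfs rules instead of a one-off chgrp.
grant_bpf_access() {
    if [ "$(uname -s)" != "FreeBSD" ] || [ "$(id -u)" -ne 0 ]; then
        echo "grant_bpf_access: needs root on FreeBSD, skipping" >&2
        return 1
    fi
    pw groupshow "$SNIFF_GROUP" >/dev/null 2>&1 || pw groupadd "$SNIFF_GROUP"
    pw usermod "$SNORT_USER" -G "$SNIFF_GROUP"
    chgrp "$SNIFF_GROUP" /dev/bpf*
    chmod 0640 /dev/bpf*
    for dev in /dev/bpf*; do
        bpf_perm_ok "$SNIFF_GROUP" "$(ls -l "$dev")" ||
            { echo "unexpected permissions on $dev" >&2; return 1; }
    done
}

# count_cgi_rules HOME_NET COUNT_HOST: emit a rules fragment. The pass rule
# covers the one host that must serve count.cgi; the alert rule covers every
# other web server in HOME_NET. Snort must be started with -o so that the
# pass rule is tried before the alert rule (default order is Alert->Pass->Log).
count_cgi_rules() {
    cat <<EOF
var HOME_NET $1
var COUNT_HOST $2
pass tcp !\$HOME_NET any -> \$COUNT_HOST 80 (msg:"WEB-count.cgi allowed host"; flags:PA; content:"count.cgi"; nocase;)
alert tcp !\$HOME_NET any -> \$HOME_NET 80 (msg:"WEB-count.cgi"; flags:PA; content:"count.cgi"; nocase;)
EOF
}

# Usage (root, once):
#   grant_bpf_access
#   count_cgi_rules 192.168.1.0/24 192.168.1.10 > /usr/local/etc/snort/count-cgi.rules
# then, as user "snort", with the fragment included from snort.conf:
#   snort -o -c /usr/local/etc/snort/snort.conf -i fxp0
```

Without -o the pass rule is useless, since the alert rule has already fired by the time pass rules are consulted; the check in grant_bpf_access is there because a chmod that silently fails (for instance on a device node that does not match the glob) leaves snort unable to open the interface and the failure only shows up at start-up.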
