[Snort-users] Users and Groups for Snort rules - files

Neil Dickey neil at ...1633...
Thu Apr 17 14:59:04 EDT 2003

Kit Massengill <KitM at ...8919...> wrote:

>Now....speaking of 2.0 rules....I copied the 2.0 rules into the area where I
>had the 1.9 rules - over the old rules.  
>Now, the rules all have as the "User" 1106 and the "Group" as 2001 - all the
>other files in the directory (*.map, *.config, etc.) have as "User"  1006
>and as "Group" 1006 - the same designations as all of them had when I first
>installed Snort 1.9......
>Is all this cool, or do I need to "fix" this?

Those are the uids (user-ids) and gids (group-ids) of the folks who
made those files in the pigpen where Snort was born.  The fact that they
show up as numbers on your system means that those user and group ids
are not currently assigned to anyone on your system.  The situation is
therefore at best untidy, and could get worse.  As a for-instance, if
those uids and gids are later assigned to some user then that user will
own your Snort rules and could tweak them at will.

I'd chown everything to whatever user and group you are running Snort
under, and my own practice is to make sure the world cannot visit the
directory they are held in or read the rules files themselves.

Another suggestion I have is to confine your own rule writing as much as
possible to the "local.rules" file.  That practice makes migrating to
new rules file collections much easier.

You may get better answers than mine posted to the list, and, if so, I'll
learn something too.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
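
The ownership and permission checks described in the reply above, as an added shell example that is not part of the original post. The function names are made up for illustration, the rules directory is passed as an argument, and the owner and group given to lock_down are assumed to be whatever account Snort runs under on your system.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative;
# pass your own rules directory, Snort user and Snort group as arguments.

# Entries whose uid or gid has no passwd/group entry. These are the ones
# "ls -l" shows with bare numbers instead of names.
orphaned_owners() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -ldn {} +
}

# Entries that "other" can read, write, or enter/execute.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Report both problems; returns 1 if anything was found, 0 if clean.
audit() {
    status=0
    orphans=$(orphaned_owners "$1")
    exposed=$(world_accessible "$1")
    if [ -n "$orphans" ]; then
        printf 'Unassigned uid/gid:\n%s\n' "$orphans"
        status=1
    fi
    if [ -n "$exposed" ]; then
        printf 'Accessible to other:\n%s\n' "$exposed"
        status=1
    fi
    return "$status"
}

# Give the tree to the account Snort runs as and remove all access for "other".
# Changing ownership to another account needs root.
lock_down() {
    chown -R "$2:$3" "$1" && chmod -R o-rwx "$1"
}

# Usage: sh audit.sh RULES_DIR [SNORT_USER SNORT_GROUP]
if [ "$#" -ge 1 ]; then
    if [ "$#" -eq 3 ]; then lock_down "$1" "$2" "$3"; fi
    audit "$1"
fi
```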

