[Snort-users] Future plans

Paul Schmehl pauls at ...6838...
Wed May 26 12:21:11 EDT 2004


Are there any plans in the future to allow snort to ignore a comma-separated
list of ports?  This sig, ATTACK-RESPONSES id check returned root, is a
perfect example of something that would benefit from that ability.  I have
177 alerts right now, and the vast majority of them are on ports 25, 80 and
143.  Well doh!

I would love to see the ability to list ports like this:

alert tcp $EXTERNAL_NET !80 -> $HOME_NET !25,143 (blah) or

var IGNORE_EMAIL [25,143]

alert tcp $EXTERNAL_NET http -> $HOME_NET !$IGNORE_EMAIL (blah)

Please, please, pretty please...... :-)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
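
Added example, not part of the original post and not Snort code: a small Python evaluator for the port field syntax requested above (a negated comma-separated list, optionally through a variable), run against constructed flows. The function names and sample (source, destination) port pairs are assumptions made for illustration.

```python
# Illustration of the port field semantics proposed in the post.
# Hypothetical helper names; this is not Snort's rule parser.

def parse_port_field(field, variables=None):
    """Return (negated, [(low, high), ...]) for fields such as
    'any', '80', '!80', '1:1024', '!25,143' or '!$IGNORE_EMAIL'."""
    field = field.strip()
    negated = field.startswith("!")
    body = field[1:] if negated else field
    if body.startswith("$"):                 # variable, e.g. var IGNORE_EMAIL [25,143]
        body = (variables or {})[body[1:]]
    body = body.strip("[]")
    if body == "any":
        return negated, [(0, 65535)]
    ranges = []
    for item in body.split(","):
        item = item.strip()
        if ":" in item:                      # range form low:high, either end optional
            low, high = item.split(":", 1)
            low = int(low) if low else 0
            high = int(high) if high else 65535
        else:
            low = high = int(item)           # non-numeric items raise ValueError
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port item: {item!r}")
        ranges.append((low, high))
    return negated, ranges

def port_matches(field, port, variables=None):
    """True if the port satisfies the field, honouring a leading '!'."""
    negated, ranges = parse_port_field(field, variables)
    hit = any(low <= port <= high for low, high in ranges)
    return hit != negated

def rule_applies(src_field, dst_field, src, dst, variables=None):
    """Port half of a rule header: both source and destination must match."""
    return (port_matches(src_field, src, variables)
            and port_matches(dst_field, dst, variables))

# Constructed (source port, destination port) pairs, not real traffic.
SAMPLE_FLOWS = [(80, 1025), (4321, 25), (4321, 143), (4321, 6667), (31337, 22)]
VARIABLES = {"IGNORE_EMAIL": "[25,143]"}

def flows_still_alerting(flows=SAMPLE_FLOWS):
    """Flows the header '!80 -> !$IGNORE_EMAIL' would still inspect."""
    return [f for f in flows
            if rule_applies("!80", "!$IGNORE_EMAIL", f[0], f[1], VARIABLES)]
```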



