[Snort-devel] Reference information in rules

Joe McAlerney joey at ...63...
Thu Oct 12 22:05:47 EDT 2000


Has anybody thought about a way to store reference information for a
particular rule?  There are a couple of reasons why the msg is not a
good place to store this.  First, it seems like the msg keyword takes on
two meanings - The "name" of an alert, and possibly a "reference" for
where to find more information out about it (i.e., IDS, CAN, CVE,
BUGTRAQ, etc).  It seems to make sense to split that information up.

Secondly, if we had some reference variable array in the OTN, all the
little plugins would have access to it.  I imagine people would want
this information.  It would certainly be easier then parsing the msg,
and much more reliable as well.  The problem here, is introducing an
array of (possibly lengthy) char *'s in the OTN.  It could always be an
option at configure time to use it.  I did something similar with the
IDMEF XML plugin I am wrapping up, and it seems to work seamless and

What are your thoughts on this?  I don't think it would take to long to
put together, and I would be willing to do so if people wanted.  Maybe
it will inspire someone to start putting one ID or another on all the
snort.org rules.  NOTE: my hand is not raised.

Thank you,

-Joe M.

+--                              --+
| Joe McAlerney, Silicon Defense   |
| http://www.silicondefense.com/   |
+--                              --+

More information about the Snort-devel mailing list