[Snort-devel] Reference information in rules

Martin Roesch roesch at ...48...
Sat Oct 14 02:44:07 EDT 2000

Joe McAlerney wrote:
> Hello,
> Has anybody thought about a way to store reference information for a
> particular rule?  There are a couple of reasons why the msg is not a
> good place to store this.  First, it seems like the msg keyword takes on
> two meanings - The "name" of an alert, and possibly a "reference" for
> where to find more information out about it (i.e., IDS, CAN, CVE,
> BUGTRAQ, etc).  It seems to make sense to split that information up.

There's actually been a lot of 'out of band' discussion about this going on
lately.  I think we're going to have to develop some sort of hard reference
data on a per rule basis at some point.  I've been getting queried quite a bit
by commercial entities about the possibility of doing something like this so
that they can have a hard reference number that's unique and "sanctioned" for
all of the Snort rules.  Having this separate from the msg data is a good idea
if for nothing else than to reduce clutter. (those things are going to get an
awful lot of cross reference data tucked away into them otherwise...)

> Secondly, if we had some reference variable array in the OTN, all the
> little plugins would have access to it.  I imagine people would want
> this information.  It would certainly be easier than parsing the msg,
> and much more reliable as well.  The problem here, is introducing an
> array of (possibly lengthy) char *'s in the OTN.  It could always be an
> option at configure time to use it.  I did something similar with the
> IDMEF XML plugin I am wrapping up, and it seems to work seamlessly and
> well.

I'm not quite sure what this buys us specifically here, can you clear it up
for me?

> What are your thoughts on this?  I don't think it would take too long to
> put together, and I would be willing to do so if people wanted.  Maybe
> it will inspire someone to start putting one ID or another on all the
> snort.org rules.  NOTE: my hand is not raised.

Good idea, but we've got to resolve how all this fits in with the arachNIDS
data, which has its own numbering scheme.  Max?


Martin Roesch
roesch at ...48...
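Added illustration (not part of the thread, and not Snort's own code): the message above argues that cross-reference data belongs in its own rule option rather than being scraped out of msg. The parser below assumes a per-reference option of the form `reference:<system>,<id>;` (the shape Snort rules later adopted; as far as this message goes it is an assumption) and contrasts it with regex-scraping bracketed tokens out of msg. The two rules, and the CVE/Bugtraq/arachNIDS identifiers in them, are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample rules. The identifiers are placeholders, not real advisories.
RULE_MSG_ONLY = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC example attack [CVE-1999-0000] [IDS000]"; '
    'content:"/example"; nocase;)'
)
# Assumed syntax: one reference:<system>,<id>; option per cross-reference.
RULE_WITH_REFS = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC example attack"; content:"/example"; nocase; '
    'reference:cve,1999-0000; reference:bugtraq,1000; reference:arachnids,000;)'
)


def split_options(rule: str) -> List[str]:
    """Split the option body between the outer parentheses on unquoted
    semicolons, so a ';' inside content:"..." or msg:"..." survives."""
    start, end = rule.index('('), rule.rindex(')')
    body = rule[start + 1:end]
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:   # option terminator
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_references(rule: str) -> Dict[str, List[str]]:
    """Collect every reference:<system>,<id> option into {system: [ids]}.
    A rule may carry several references; they are kept separate from msg."""
    refs: Dict[str, List[str]] = {}
    for opt in split_options(rule):
        key, _, val = opt.partition(':')
        if key.strip().lower() != 'reference':
            continue
        system, _, ident = val.partition(',')
        refs.setdefault(system.strip().lower(), []).append(ident.strip())
    return refs


def scrape_msg_references(rule: str) -> List[str]:
    """The fragile alternative the thread argues against: pull bracketed
    tokens out of msg. It only finds whatever ad hoc convention the rule
    author happened to use, and returns nothing if msg is clean."""
    for opt in split_options(rule):
        key, _, val = opt.partition(':')
        if key.strip().lower() == 'msg':
            return re.findall(r'\[([^\]]+)\]', val)
    return []


if __name__ == '__main__':
    print(parse_references(RULE_WITH_REFS))      # structured, per-system ids
    print(scrape_msg_references(RULE_MSG_ONLY))  # untyped tokens from msg
    print(scrape_msg_references(RULE_WITH_REFS)) # [] once msg is decluttered
```

Because references are parsed as typed options, a plugin (an IDMEF emitter, for instance) can ask for `refs["cve"]` directly instead of guessing which bracketed token in msg is which identifier scheme, and a rule can carry an arachNIDS number alongside a CVE or Bugtraq id without either crowding the alert name.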
