[Snort-devel] Reference information in rules

Martin Roesch roesch at ...48...
Sat Oct 14 02:44:07 EDT 2000


Joe McAlerney wrote:
> 
> Hello,
> 
> Has anybody thought about a way to store reference information for a
> particular rule?  There are a couple of reasons why the msg is not a
> good place to store this.  First, it seems like the msg keyword takes on
> two meanings - The "name" of an alert, and possibly a "reference" for
> where to find more information out about it (i.e., IDS, CAN, CVE,
> BUGTRAQ, etc).  It seems to make sense to split that information up.

There's actually been a lot of 'out of band' discussion about this going on
lately.  I think we're going to have to develop some sort of hard reference
data on a per rule basis at some point.  I've been getting queried quite a bit
by commercial entities about the possibility of doing something like this so
that they can have a hard reference number that's unique and "sanctioned" for
all of the Snort rules.  Having this separate from the msg data is a good idea
if for nothing else than to reduce clutter. (those things are going to get an
awful lot of cross reference data tucked away into them otherwise...)

> Secondly, if we had some reference variable array in the OTN, all the
> little plugins would have access to it.  I imagine people would want
> this information.  It would certainly be easier than parsing the msg,
> and much more reliable as well.  The problem here, is introducing an
> array of (possibly lengthy) char *'s in the OTN.  It could always be an
> option at configure time to use it.  I did something similar with the
> IDMEF XML plugin I am wrapping up, and it seems to work seamlessly and
> well.

I'm not quite sure what this buys us specifically here, can you clear it up
for me?

> What are your thoughts on this?  I don't think it would take too long to
> put together, and I would be willing to do so if people wanted.  Maybe
> it will inspire someone to start putting one ID or another on all the
> snort.org rules.  NOTE: my hand is not raised.

Good idea, but we've got to resolve how all this fits in with the arachNIDS
data, which has its own numbering scheme.  Max?

     -Marty

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
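The per-rule reference array Joe proposes above, sketched as an added example in C. This is not Snort's code: the `ref:system,id;` option syntax, the struct layout and the sample rule are all assumptions, and the IDs in the sample are placeholders.

```c
#include <string.h>

#define MAX_REFS 8

/* Hypothetical per-rule reference record: a fixed-size array standing in for
 * the array of char pointers Joe describes in the OTN. Not Snort's layout. */
typedef struct { char system[16]; char id[32]; } RuleRef;
typedef struct { char msg[128]; RuleRef refs[MAX_REFS]; int nrefs; } RuleRefs;

/* Parse rule options of the assumed form  msg:"text"; ref:system,id; ...
 * into a RuleRefs, so plugins read refs[] instead of scanning msg.
 * Returns the number of references stored, or -1 on malformed input. */
int parse_rule_refs(const char *opts, RuleRefs *out)
{
    const char *p = opts;
    memset(out, 0, sizeof *out);
    while (*p) {
        while (*p == ' ' || *p == ';') p++;             /* skip separators */
        if (!*p) break;
        const char *end = strchr(p, ';');
        if (!end) return -1;                             /* every option ends in ';' */
        size_t len = (size_t)(end - p);
        if (len > 5 && strncmp(p, "msg:\"", 5) == 0 && p[len - 1] == '"') {
            size_t n = len - 6;                          /* text between the quotes */
            if (n >= sizeof out->msg) return -1;
            memcpy(out->msg, p + 5, n);
            out->msg[n] = '\0';
        } else if (len > 4 && strncmp(p, "ref:", 4) == 0) {
            const char *comma = memchr(p + 4, ',', len - 4);
            if (!comma || out->nrefs == MAX_REFS) return -1;
            RuleRef *r = &out->refs[out->nrefs];
            size_t sl = (size_t)(comma - (p + 4)), il = (size_t)(end - (comma + 1));
            if (!sl || !il || sl >= sizeof r->system || il >= sizeof r->id) return -1;
            memcpy(r->system, p + 4, sl); r->system[sl] = '\0';
            memcpy(r->id, comma + 1, il); r->id[il] = '\0';
            out->nrefs++;
        }                                                /* other options are ignored */
        p = end + 1;
    }
    return out->nrefs;
}

/* What a plugin (e.g. an IDMEF XML writer) would call: one lookup by system. */
const char *ref_id(const RuleRefs *r, const char *system)
{
    for (int i = 0; i < r->nrefs; i++)
        if (strcmp(r->refs[i].system, system) == 0) return r->refs[i].id;
    return NULL;
}
```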