[Snort-devel] Reference information in rules
joey at ...63...
Mon Oct 16 14:12:03 EDT 2000
Martin Roesch wrote:
> Joe McAlerney wrote:
> > Secondly, if we had some reference variable array in the OTN, all the
> > little plugins would have access to it. I imagine people would want
> > this information. It would certainly be easier than parsing the msg,
> > and much more reliable as well. The problem here is introducing an
> > array of (possibly lengthy) char *'s in the OTN. It could always be an
> > option at configure time to use it. I did something similar with the
> > IDMEF XML plugin I am wrapping up, and it seems to work seamlessly and
> > well.
> I'm not quite sure what this buys us specifically here, can you clear it up
> for me?
Originally I was thinking of adding a "char *reference" to an OTN, which
could be accessed by the plugins via otn_tmp, similar to msg. Then I
realized that there can be multiple identification numbers, or
references, per rule. We would need a list. This would work well for
some of the ArachNIDS rules that already have CVE and IDS numbers.
> > What are your thoughts on this? I don't think it would take too long to
> > put together, and I would be willing to do so if people wanted. Maybe
> > it will inspire someone to start putting one ID or another on all the
> > snort.org rules. NOTE: my hand is not raised.
> Good idea, but we've got to resolve how all this fits in with the arachNIDS
> data, which has its own numbering scheme. Max?
I wasn't actually proposing that snort.org start its own numbering
scheme, but rather continue its efforts in matching up existing ID
numbers to the rules. This is obviously a non-trivial and
time-consuming process, because there are still around 672 rules out of 1230
without IDs (or so my script tells me). I was happy to see that more
than half were labeled. Good job guys!
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
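The per-rule reference list sketched in the message above, as an added C example (not Snort's code and not part of this thread): a hypothetical OTN stand-in carrying a linked list of scheme/id pairs that a plugin queries by scheme instead of parsing msg. The struct and function names, the "scheme,id" option text, and the ids in the test are assumptions constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* One external identifier on a rule, e.g. scheme "cve" plus the vendor's id. */
typedef struct Reference { char *scheme; char *id; struct Reference *next; } Reference;

/* Hypothetical stand-in for the OTN: the rule's msg plus its reference list. */
typedef struct { const char *msg; Reference *references; } OptTreeNode;

/* Parse one "scheme,id" option value (assumed syntax) and append it to the list.
 * Returns 0 on success, -1 on malformed input or allocation failure. */
int otn_add_reference(OptTreeNode *otn, const char *value)
{
    const char *comma = value ? strchr(value, ',') : NULL;
    if (!comma || comma == value || comma[1] == '\0')
        return -1;                          /* need a non-empty scheme and id */
    size_t len = strlen(value) + 1;
    Reference *ref = malloc(sizeof *ref);
    char *buf = malloc(len);                /* one buffer holds "scheme\0id" */
    if (!ref || !buf) { free(ref); free(buf); return -1; }
    memcpy(buf, value, len);
    buf[comma - value] = '\0';              /* split scheme from id in place */
    ref->scheme = buf;
    ref->id = buf + (comma - value) + 1;
    ref->next = NULL;
    Reference **tail = &otn->references;    /* append to preserve rule order */
    while (*tail) tail = &(*tail)->next;
    *tail = ref;
    return 0;
}

/* What a plugin calls instead of scraping msg: first id under a scheme, or NULL. */
const char *otn_find_reference(const OptTreeNode *otn, const char *scheme)
{
    for (const Reference *r = otn->references; r; r = r->next)
        if (strcmp(r->scheme, scheme) == 0)
            return r->id;
    return NULL;
}

/* Release the list; the OTN itself belongs to the caller. */
void otn_free_references(OptTreeNode *otn)
{
    while (otn->references) {
        Reference *next = otn->references->next;
        free(otn->references->scheme);      /* id lives in the same buffer */
        free(otn->references);
        otn->references = next;
    }
}
```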