[Snort-devel] Reference information in rules

Joe McAlerney joey at ...63...
Mon Oct 16 14:12:03 EDT 2000


Martin Roesch wrote:
> 
> Joe McAlerney wrote:
> >
> > Secondly, if we had some reference variable array in the OTN, all the
> > little plugins would have access to it.  I imagine people would want
> > this information.  It would certainly be easier than parsing the msg,
> > and much more reliable as well.  The problem here, is introducing an
> > array of (possibly lengthy) char *'s in the OTN.  It could always be an
> > option at configure time to use it.  I did something similar with the
> > IDMEF XML plugin I am wrapping up, and it seems to work seamlessly and
> > well.
> 
> I'm not quite sure what this buys us specifically here, can you clear it up
> for me?
> 

Originally I was thinking of adding a "char *reference" to an OTN, which
could be accessed by the plugins via otn_tmp - similar to msg.  Then I
realized that there can be multiple identification numbers, or
references, per rule.  We would need a list.  This would work well for
some of the ArachNIDS rules that already have CVE and IDS numbers.

> > What are your thoughts on this?  I don't think it would take too long to
> > put together, and I would be willing to do so if people wanted.  Maybe
> > it will inspire someone to start putting one ID or another on all the
> > snort.org rules.  NOTE: my hand is not raised.
> 
> Good idea, but we've got to resolve how all this fits in with the arachNIDS
> data, which has its own numbering scheme.  Max?

I wasn't actually proposing that snort.org start its own numbering
scheme, but rather continue its efforts in matching up existing ID
numbers to the rules.  This is obviously a non-trivial and time
consuming process, because there are still around 672 rules out of 1230
without IDs (or so my script tells me).  I was happy to see that more
than half were labeled.  Good job guys!

-Joe M.

-- 
+--                              --+
| Joe McAlerney, Silicon Defense   |
| http://www.silicondefense.com/   |
+--                              --+
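The per-rule reference list Joe describes, sketched as an added example in C (not Snort's own code): the struct and function names are hypothetical, the OTN here carries only `msg` and a linked list of `(system, id)` pairs, and a plugin-side helper counts references by system instead of parsing the msg string.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference list hung off an option tree node (OTN).
   Names are illustrative and not Snort's real data structures. */
typedef struct _ReferenceNode {
    char *system;                  /* e.g. "cve" or "arachnids" */
    char *id;                      /* identifier within that system */
    struct _ReferenceNode *next;
} ReferenceNode;

typedef struct _OptTreeNode {
    char *msg;                     /* existing per-rule message text */
    ReferenceNode *references;     /* a list, since one rule may cite several */
} OptTreeNode;

static char *dupstr(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Append one reference; the OTN owns copies of both strings.
   Returns 0 on success, -1 on allocation failure. */
int AddReference(OptTreeNode *otn, const char *system, const char *id)
{
    ReferenceNode *node = calloc(1, sizeof(*node)), **tail;
    if (!node) return -1;
    node->system = dupstr(system);
    node->id = dupstr(id);
    if (!node->system || !node->id) {
        free(node->system); free(node->id); free(node);
        return -1;
    }
    for (tail = &otn->references; *tail; tail = &(*tail)->next) ;
    *tail = node;                  /* keep insertion order */
    return 0;
}

/* What an output plugin would do with the list: count the references
   a rule carries in a given system, with no string parsing of msg. */
int CountReferences(const OptTreeNode *otn, const char *system)
{
    int n = 0;
    for (const ReferenceNode *r = otn->references; r; r = r->next)
        if (strcmp(r->system, system) == 0) n++;
    return n;
}

/* Release the list when the rule is torn down. */
void FreeReferences(OptTreeNode *otn)
{
    ReferenceNode *r = otn->references, *next;
    for (; r; r = next) { next = r->next; free(r->system); free(r->id); free(r); }
    otn->references = NULL;
}
```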
