[Snort-devel] a caveat to my rule system proposal

Todd Lewis tlewis at ...255...
Fri Apr 6 01:17:56 EDT 2001

It's been two days and I'm still waiting for feedback on my proposal for
revising the rule system.  I know that it was a very lengthy proposal,
and so I'll wait a few more days before starting to cry and complain
that no one loves me or pays any attention to my ideas.  (sniff, sniff...)

In answering some very good questions about my proposal from Dr. Markus
DeShon, the nuclear physicist and Very Smart Man at SecureWorks who
maintains their snort rule set, I started thinking that having the
protocol engines responsible for the protocol mapping of their payloads
may not be the best way.  Instead, users may want to specify protocol
mappings with multi-layered criteria, much the same way that they
specify rules.  (Think of something like this:

	map-protocol ((ip src= && (tcp sport=80)) http
	map-protocol ((ip src= && (tcp sport=80)) IPSEC

For this reason, I think perhaps the matcher should handle determining
which protocol engine should receive the dispatch at each stage
of decomposition.  However, I had been hoping to keep all rules as
an unordered set in order to benefit matching optimization, and the
protocol mapping, unlike ordinary rules, needs either ordering or some
other mechanism for prioritizing protocol associations, since only
one can apply.

Whatever happens, protocols would probably receive a global id, and the
(family, pnumber) tuple would be a device to aid in the transition
across protocol layers, being a major criterion in determining the
protocol mapping, but not being the mapping itself, as it is in my
current proposal.  Or maybe for this version it will boil down to being
the mapping with a simple exception list, in order to get this idea out
the door.  Right now I am not sure.

Anyway, I'm continuing to chew the matter over.  It will certainly
receive more attention and will almost certainly be different in the
next revision of my proposal.  However, that revision won't happen until
I get at least some feedback on the proposal in its current form that
indicates that someone other than me thinks the idea is interesting and
is worth pursuing.

Todd Lewis
tlewis at ...255...

More information about the Snort-devel mailing list