[Snort-devel] a tale of three languages

Todd Lewis tlewis at ...255...
Mon Apr 9 07:56:12 EDT 2001


Ok, no matter what form the implementation takes, need to be able to
express somehow at least three different things:

1. Protocol description.  What are the protocol fields?  What are their
   names?  Where do they lie?  How do operations on them work?
2. Protocol decomposition.  Which TCP traffic gets mapped to http?
3. Matching rules.  What criteria determine a match?

These things are very related.  E.g., your rule for protocol decomposition
will often look very much like a matching rule, to wit:

	WHERE () 
		MAP (tcp, 80) http EXCEPT
	WHERE ((ip-src < 192.168.16.0/24 ) || (ip-dst < 192.168.16.0/24 )) 
		MAP (tcp, 80) https

Even #1 needs an actual language, as opposed to being a static declaration
of protocol structure, because you will have variable protocol elements,
like IPv4 options or OSPF link state advertisements or DNS resource
records, and so your protocol definitions will start to look like rules
in some cases as well.

The existence of these similarities makes me think that there is a way
to unify these at some level.  I don't know what that is, but I'm a
smart guy with a lot of free time on my hands, and so I am hopeful that
something will turn up.  If anyone wants to try to help the process along
by offering commentary, then your assistance would be very appreciated.

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list