[Snort-devel] rules2sql.pl and sql2rules.pl

Martin Roesch roesch at ...48...
Wed Feb 7 02:53:50 EST 2001


Well, let's think about this for a second.  The current Snort rules
language has a number of benefits.  It's easy to understand, it's
flexible, it's fast and efficient to write.  It's also becoming
something of a de facto standard for describing packet-based intrusion
data on the wire.  If we go to XML, what's a typical rule going to look
like?  Is it going to be easy for non-XML proficient people to
understand?  Is it going to take me half a day to teach the syntax of
the language at SANS conferences?  Are we going to end up having one
rule per file or gigantic rules files?  There may be many upsides to
reimplementing the Snort rules language in XML, but there are also a
number of potential pitfalls that we want to be aware of. 

Let's not launch into this prematurely....


   -Marty

Fyodor wrote:
> 
> On Mon, Jan 29, 2001 at 11:41:03AM -0500, Martin Roesch wrote:
> > XML is ok, but I want to remain backwards compatible.  Basically I'm
> > talking about having rules parser plugins (groan).
> 
> for snort2.0:
>     spin_oldsnort2xml_rules_preproc.c ? :-P
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org



