[Snort-devel] Snort 1.7 SegFaults Reading a Bad Rule File

Todd Lewis tlewis at ...255...
Wed Feb 7 10:11:22 EST 2001


On Wed, 7 Feb 2001, Martin Roesch wrote:

> See my other message.  Let's not rush into this, we need to approach
> changing the entire rules language very carefully...

I agree with Marty.  If people are serious about this, then I suggest
that we should do several things.

1) Start posting examples of what the files would look like, hopefully
starting a discussion that lasts until we reach a format that everyone
could be happy with.

2) Implement a prototype handler.  This would allow everyone to get
a feel for how we would do it inside of snort.  This would also allow
alternate implementation paths, if any (e.g., SAX v DOM or whatever)
to compete with each other so that we can discover which one is best.

3) We should agree on a transition plan.  Will the old and new parsers
coexist?  (Hopefully not.)  Will the translator from the old format be
external or built-in?

Fyodor wrote:

> After thinking for a while.. :) shall we maybe stick with xml as well
> in snort 2.x implementation? (and just code up snort1x->snort2x rules
> converter).

This is great that people are thinking in this direction.  Tell you
what, I will draft up a sample rule file in XML and post it shortly
to get the ball rolling.  DISCLAIMER: it will probably suck, since
there's a lot I don't know about XML, so let's withhold judgment until
all candidates are in.

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz




