[Snort-devel] Snort 1.7 SegFaults Reading a Bad Rule File
tlewis at ...255...
Wed Feb 7 10:11:22 EST 2001
On Wed, 7 Feb 2001, Martin Roesch wrote:
> See my other message. Let's not rush into this, we need to approach
> changing the entire rules language very carefully...
I agree with Marty. If people are serious about this, then I suggest
that we should do several things.
1) Start posting examples of what the files would look like, hopefully
starting a discussion that lasts until we reach a format that everyone
could be happy with.
2) Implement a prototype handler. This would allow everyone to get
a feel for how we would do it inside of snort. This would also allow
alternate implementation paths, if any (e.g., SAX v DOM or whatever)
to compete with each other so that we can discover which one is best.
3) We should agree on a transition plan. Will the old and new parsers
coexist? (Hopefully not.) Will the translator from the old format be
external or built-in?
> After thinking for a while.. :) shall we maybe stick with xml as well
> in snort 2.x implementation? (and just code up snort1x->snort2x rules
This is great that people are thinking in this direction. Tell you
what, I will draft up a sample rule file in XML and post it shortly
to get the ball rolling. DISCLAIMER: it will probably suck, since
there's a lot I don't know about XML, so let's withhold judgment until
all candidates are in.
Todd Lewis tlewis at ...120...
God grant me the courage not to give up what I think is right, even
though I think it is hopeless. - Admiral Chester W. Nimitz