[Snort-devel] rules2sql.pl and sql2rules.pl

Nick Seidenman nicks at ...257...
Wed Feb 7 10:32:36 EST 2001

On Wed, 7 Feb 2001, Martin Roesch wrote:

> Well, let's think about this for a second.  The current Snort rules
> language has a number of benefits.  It's easy to understand, it's
> flexible, it's fast and efficient to write.  It's also becoming
> something of a defacto standard for describing packet based intrusion
> data on the wire.  If we go to XML what's a typical rule going to look
> like?  Is it going to be easy for non-XML proficient people to
> understand?  Is it going to take me half a day to teach the syntax of
> the language at SANS conferences?  Are we going to end up having one
> rule per file or gigantic rules files?  There may be many upsides to
> reimplementing the Snort rules language in XML, but there are also a
> number of potential pitfalls that we want to be aware of. 

It's going to take more than half a day, I suspect.  OTOH, it seems
plausible that creating graphical snort configuration interfaces would be
much simpler and far more compatible with one another.  Moreover, it
shouldn't be all that hard to come up with a translator (snort rules ->

> Let's not launch into this prematurely....

Of course.  But XML isn't exactly a flash-in-the-pan.  A future in which
data -- configuration, input, or output -- are structured with XML is
worth serious consideration.

 Nick Seidenman, CISSP      
 Senior Security Consultant
 Hyperon, Inc.           

More information about the Snort-devel mailing list