[Snort-devel] xml format samples

Todd Lewis tlewis at ...255...
Wed Feb 7 11:00:45 EST 2001


Guys,

Here are some samples of what an XMLified rule file might look like:

First, what the rule looks like in snort right now:
********************************************************************
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows";
	content:"|88042020202020202020202020202020|";itype:8;depth:32;)
********************************************************************

Ok, so here's a first stab at making the format as complete as possible:

********************************************************************
<alert>
	<proto>icmp</proto>
	<source>
		<network>
			<addr>192.168.16.0</addr>
			<mask>16</mask>
		</network>
		<port>any</port>
	</source>
	<destination>
		<network>
			<addr>0.0.0.0</addr>
			<mask>0</mask>
		</network>
		<port>any</port>
	</destination>
	<options>
		<message>IDS166 - PING Seer Windows</message>
		<bcontent>88042020202020202020202020202020</bcontent>
		<itype>8</itype>
		<depth>32</depth>
	</options>
</alert>
********************************************************************

Pretty verbose, right?  Here's the same thing, in slightly more compact
form:

********************************************************************
<alert>
  <proto>icmp</proto>
  <src><net><addr>192.168.16.0</addr><mask>16</mask></net><port>any</port></src>
  <dst><net><addr>0.0.0.0</addr><mask>0</mask></net><port>any</port></dst>
  <options>
    <msg>IDS166 - PING Seer Windows</msg>
    <bcontent>88042020202020202020202020202020</bcontent>
    <itype>8</itype>
    <depth>32</depth>
  </options>
</alert>
********************************************************************

And here it is again with the network piece even more compacted:

********************************************************************
<alert>
  <proto>icmp</proto>
  <src addr="192.168.16.0" mask="16" port="any"/>
  <dst addr="0.0.0.0" mask="0" port="any"/>
  <options>
    <msg>IDS166 - PING Seer Windows</msg>
    <bcontent>88042020202020202020202020202020</bcontent>
    <itype>8</itype>
    <depth>32</depth>
  </options>
</alert>
********************************************************************

And finally, here's the same thing, with ports broken away from networks,
which grows the size again a little, but which should be done anyway:

********************************************************************
<alert>
  <proto>icmp</proto>
  <src><net addr="192.168.16.0" mask="16"/><port low="512" high="1024"/></src>
  <dst><net addr="0.0.0.0" mask="0"/><port low="512" high="1024"/></dst>
  <options>
    <msg>IDS166 - PING Seer Windows</msg>
    <bcontent>88042020202020202020202020202020</bcontent>
    <itype>8</itype>
    <depth>32</depth>
    <verdict>deny</verdict> <comment>Heh, heh</comment>
  </options>
</alert>
********************************************************************

I personally would put a bunch of these in a single file, but the layout
is irrelevant from the point of view of snort - the user can organize
the rules however he wants and then use XML's include capabilities to
pull it all together before it's presented to us.

Q: Is this more verbose than the v1 snort rule?  

A: Yes.  However, to someone who has not recently read the snort rule
making guide, it is also extremely more understandable; in fact, to
someone who's even vaguely familiar with networking, this is practically
self-documenting.

As for whether this is harder to use than the existing format, etc.,
I will save that for another message discussing the merits of XML as
a format.

Finally, here's another benefit: configuring modular components.
Here's a draft of what paengine configuration might look like with an
xml config file.  (Remember that this is disgusting not because it has
to be but because I don't actually know how XML does this stuff.)

********************************************************************
<paengine>
  <driver name="divert"/>
  <xml-namespace-import-or-whatever dtd="divert-config.dtd" useas="divert"/>
  <divert:port>4120</divert:port>
  <divert:max-queue-len-in-bytes>32768</divert:max-queue-len-in-bytes>
  <xml-namespace-discard-or-whatever>divert</xml-namespace-discard-or-whatever>
</paengine>
********************************************************************

Here's another one:

********************************************************************
<paengine>
  <driver name="pcap"/>
  <xml-namespace-import dtd="pcap-config.dtd" useas="pcap"/>
  <pcap:intname>eth0</pcap:intname>
  <pcap:intname>eth1</pcap:intname>
  <pcap:queueconfig>
    <type>pool-buffer</type>
    <size>32768</size>
  </pcap:queueconfig>
  <xml-namespace-discard useas="pcap"/>
</paengine>
********************************************************************

The excellent part is that each driver can define its own xml format for
its section, and XML's namespace feature allows it to be used.  Hell,
without any real knowledge at all of what the paengine's requirements are,
snort can pass the (arbitrarily complex) XML elements into the paengine
after actually *validating* the config based on the paengine's XML DTD.
Try doing that with a home-grown parser!

There are a bunch of other wins like this one that I'll try to enumerate
in my next message.

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz
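Added worked example, not part of the message above or of the Snort project: a small Python converter that reads a rule written in the last layout of the message (separate `net` and `port` elements, options as child tags) and emits the equivalent v1 rule line, refusing input that is not well-formed XML or that carries an option tag it does not know. The sample rule embedded in it is a constructed copy of the message's fourth sample; the names `xml_to_snort`, `RuleFormatError` and `rejected` are this example's own, and the conventions that a bare `<port/>` means "any", that `0.0.0.0` with mask 0 renders as `any`, and that `<bcontent>` becomes `content:"|hex|"` are assumptions drawn from the samples, not a Snort specification. Python's `xml.etree.ElementTree` does no DTD validation, so the structural checks here are written by hand rather than driven by a DTD as the message proposes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the message's final layout (nets and ports as separate
# elements); it is not taken from any real Snort rule file.
SAMPLE_RULE_XML = """\
<alert>
  <proto>icmp</proto>
  <src><net addr="192.168.16.0" mask="16"/><port low="512" high="1024"/></src>
  <dst><net addr="0.0.0.0" mask="0"/><port low="512" high="1024"/></dst>
  <options>
    <msg>IDS166 - PING Seer Windows</msg>
    <bcontent>88042020202020202020202020202020</bcontent>
    <itype>8</itype>
    <depth>32</depth>
    <comment>constructed sample for the converter</comment>
  </options>
</alert>
"""

ACTIONS = {"alert", "log", "pass"}      # v1 rule actions (assumed root tags)
PROTOS = {"ip", "tcp", "udp", "icmp"}


class RuleFormatError(ValueError):
    """Raised when the document is malformed or does not describe a valid rule."""


def _network(elem, role):
    """Render <net addr=... mask=.../> as the 'addr/mask' text of the v1 header."""
    net = elem.find("net")
    if net is None or not {"addr", "mask"} <= set(net.attrib):
        raise RuleFormatError(f"<{role}> needs <net addr=... mask=.../>")
    addr, mask = net.get("addr"), net.get("mask")
    if (not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", addr)
            or not mask.isdigit() or not 0 <= int(mask) <= 32):
        raise RuleFormatError(f"<{role}> has a bad addr/mask {addr}/{mask}")
    # assumption: 0.0.0.0 with a zero mask is the 'any' host
    return "any" if (addr == "0.0.0.0" and int(mask) == 0) else f"{addr}/{int(mask)}"


def _ports(elem, role):
    """Render <port low=... high=.../> as 'any', 'N' or 'low:high'."""
    port = elem.find("port")
    if port is None:
        raise RuleFormatError(f"<{role}> needs a <port/> element")
    low, high = port.get("low"), port.get("high")
    if any(v is not None and not v.isdigit() for v in (low, high)):
        raise RuleFormatError(f"<{role}> port bounds must be integers")
    if low is None and high is None:
        return "any"                    # assumption: bare <port/> means any port
    lo = int(low) if low is not None else 0
    hi = int(high) if high is not None else lo
    if not 0 <= lo <= hi <= 65535:
        raise RuleFormatError(f"<{role}> port range {lo}:{hi} is invalid")
    return str(lo) if lo == hi else f"{lo}:{hi}"


def _options(elem):
    """Map option child tags to v1 'keyword:value' pairs, rejecting unknown tags."""
    parts = []
    for opt in elem:
        text = (opt.text or "").strip()
        if opt.tag == "comment":
            continue                    # informational only, never reaches the rule
        if opt.tag in ("msg", "content"):
            parts.append(f'{opt.tag}:"{text}"')
        elif opt.tag == "bcontent":     # raw bytes: v1 writes them as |hex| inside content
            if not re.fullmatch(r"([0-9A-Fa-f]{2})+", text):
                raise RuleFormatError("bcontent must be whole hex bytes")
            parts.append(f'content:"|{text}|"')
        elif opt.tag in ("itype", "depth"):
            if not text.isdigit():
                raise RuleFormatError(f"{opt.tag} must be a non-negative integer")
            parts.append(f"{opt.tag}:{text}")
        else:
            raise RuleFormatError(f"unknown option <{opt.tag}>")
    return parts


def xml_to_snort(xml_text):
    """Convert one XML rule document to a single v1 rule line."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise RuleFormatError(f"not well-formed XML: {exc}") from None
    if root.tag not in ACTIONS:
        raise RuleFormatError(f"unknown action <{root.tag}>")
    proto = (root.findtext("proto") or "").strip()
    if proto not in PROTOS:
        raise RuleFormatError(f"unknown protocol {proto!r}")
    src, dst, opts = root.find("src"), root.find("dst"), root.find("options")
    if src is None or dst is None:
        raise RuleFormatError("rule needs both <src> and <dst>")
    header = (f"{root.tag} {proto} {_network(src, 'src')} {_ports(src, 'src')} -> "
              f"{_network(dst, 'dst')} {_ports(dst, 'dst')}")
    parts = _options(opts) if opts is not None else []
    return header if not parts else header + " (" + " ".join(p + ";" for p in parts) + ")"


def rejected(xml_text):
    """True when the converter refuses the document (handy for checks)."""
    try:
        xml_to_snort(xml_text)
    except RuleFormatError:
        return True
    return False


if __name__ == "__main__":
    print(xml_to_snort(SAMPLE_RULE_XML))
```

Running it prints `alert icmp 192.168.16.0/16 512:1024 -> any 512:1024 (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|"; itype:8; depth:32;)`. Two things worth noticing: the unclosed `<port>any<port>` that appears in the message's early samples is refused outright by the XML parser, which is the "you get validation for free" point the message makes, and the XML samples carry a literal source network where the original v1 rule has `!$HOME_NET`, so a converter like this one has no negation to emit; any XML format that replaces the v1 syntax needs an explicit way to express negated and variable-based addresses.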
