[Snort-devel] xml format samples
Brian Caswell
bmc at ...227...
Wed Feb 7 08:45:28 EST 2001
Todd Lewis wrote:
> <alert>
> <proto>icmp</proto>
<snip source & destination>
> <options>
> <message>IDS166 - PING Seer Windows</message>
> <bcontent>88042020202020202020202020202020</bcontent>
> <itype>8</itype>
> <depth>32</depth>
> </options>
> </alert>
Yes, but where are you going to store ICMP options? Shouldn't that be
stored in the protocol section? Makes more sense from the user
standpoint.
I agree that it would be nice to validate XML just by comparing it
against a DTD, but XML will cut down on the readability. You showed
multiple methods of showing the same rule with the same options.
Unless you understand XML, that concept isn't that easy to grasp.
--
Brian Caswell
The MITRE Corporation