[Snort-devel] xml thoughts

Todd Lewis tlewis at ...255...
Wed Feb 7 14:48:57 EST 2001


On Wed, 7 Feb 2001, A.L.Lambert wrote:

> 	XML files induce a level of complexity that I, for one, do not
> wish to deal with.  More experienced developers/users will probably
> disagree with me on the fact that XML is _more_ complicated than formatted
> flat ASCII, but trust me, from the 'ignorant savage' point of view (which
> I consider myself to be a good represenative of), a flat ASCII file is far
> easier to work with (especially when using the hog.vim syntax highlighting
> file :)

I think that a lot of this thinking is just natural psychological
resistance to change.  The present format is easier to use not because
it is better, but just because users are familiar with it.

> 	Automated file manipulation is trivial with the current file
> format.  I myself am probably one of the most clueless programmers on the
> planet (really; I suck, trust me), and I can/have whipped up some simple
> code without too much problem to do everything from add "react:" tags to
> the appropo rules, change the "flags:" statments, snag the latest
> snort.org and vision.conf rulesets, rip out the rules that have
> historically caused an inordinate amount of false positives, combine the
> two, rip out duplicates, and other such tasks.

Sure, you can whip up scripts easily, but they break at the drop of
a hat with the present format, as does snort's parser.  Also, as is
normally the case with hand-rolled formats, it's much easier to create
the present format than it is to parse it.  Finally, the present format
is very simple not because of any great design but rather because hacking
snort's parser is so hard that it places a fundamental (and artificial)
(and very unfortunate) restriction on the complexity that can be embodied
in the rules.  This is already constraining snort development and will
do so even more as snort gets better.

> Writing the same kind of
> code for XML is an order of magnitude more complicated (at least from my
> point of view), and short of spending a lot of time improving my skills in
> this area, I would become relegated to either manually making changes, or
> hoping someone else writes a tool to accomplish what I want.

I disagree that:

  print("$rnum $src $dest\n");

is substantially easier than:

  print("<rule>$rnum</rule> <source>$src</source> <dest>$dest</dest>\n");

And I guarantee that if you take the existing format and my draft
format and give it to someone who's never used snort, that my format
is much more understandable than the existing format.  (Again, this is
not to advocate my format, which should be improved or replaced, but to
emphasize XML's advantage.)

> 	I'm not disagreeing with any of the positive points made about XML
> (from a technical perspective, they sound quite reasonable to me), just
> saying that some of us farther down the scale of talent/experience will
> not have our lives improved, and will probably have them complicated even
> more than they already are, if we convert wholesale to XML.

I agree that there will be work to do to convert.  However, especially
if snort continues to become more complicated, I don't think that your
life will be especially pleasant with the existing format.  I know that
the people who have to maintain rules.c are not going to lead pleasant
existences with the status quo.

--
Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz





More information about the Snort-devel mailing list