[Snort-devel] rules2sql.pl and sql2rules.pl

Chris Green cmg at ...81...
Wed Feb 7 15:49:35 EST 2001


> 
> It's going to take more than half a day, I suspect.  OTOH, it seems
> plausible that creating graphical snort configuration interfaces would be
> much simpler and far more compatible with one another.  Moreover, it
> shouldn't be all that hard to come up with a translator (snort rules ->
> XML).

The current snort language is very easy to write a non-error-correcting
parser for.  It took about a day to write it in Perl, and that one
isn't thought out at all.

It would be nice to make a BNF for it though and have a generic
tokenizer for snort language.  I could look at doing this on the
weekend if there's the interest.

The only nasty things with the snort language right now, to me, are:

1) lines must all be on 1 line.
2) it would be nice to have paren groupings for content rules and
   associated options
3) rule options are all specific to a plugin, meaning that if a new
   flag is added or a new rules option is added, each plugin then has to
   add its parsing support.   ( this is pretty hard to solve to me -
   maybe people with more parsing exp can shed light  )
4) it's not always clear why the parser breaks in snort. I've heard
   from some sources that writing a compiler is 75% error messages
-- 
Chris Green <cmg at ...81...>
Let not the sands of time get in your lunch.
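As an added example, not part of this thread and not the Snort project's own parser: a small Python parser in the spirit of the non-error-correcting Perl one described above. It shows the shape of the language the message lists: one rule per line, the header fields, a parenthesised option group with `;`-separated `name:value` pairs (quoted values may contain `;`), a per-option check table standing in for the plugin-specific option parsing, and errors that say where and why the parse stopped. The sample rule, its `sid`, and the check table are constructed for illustration and cover only a handful of options.

```python
"""Minimal non-error-correcting parser for Snort 1.x style rules (illustrative)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class RuleError(ValueError):
    """Raised with a message saying where and why parsing stopped."""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]] = field(default_factory=list)


# Header: action proto src sport direction dst dport (tokens are whitespace separated)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


def _needs_value(name: str, value: Optional[str]) -> None:
    if value is None:
        raise RuleError(f"option '{name}' requires a value")


def _no_value(name: str, value: Optional[str]) -> None:
    if value is not None:
        raise RuleError(f"option '{name}' takes no value")


def _int_value(name: str, value: Optional[str]) -> None:
    _needs_value(name, value)
    if not value.isdigit():
        raise RuleError(f"option '{name}' must be an integer, got {value!r}")


# Stand-in for "each plugin adds its own parsing": one check per known option.
# An option with no entry here is rejected with a clear message (constructed table).
OPTION_CHECKS: Dict[str, Callable[[str, Optional[str]], None]] = {
    "msg": _needs_value, "content": _needs_value, "flags": _needs_value,
    "nocase": _no_value, "sid": _int_value, "rev": _int_value,
    "depth": _int_value, "offset": _int_value,
}


def tokenize_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split the text inside the parens into (name, value) pairs.
    Quoted values are scanned character by character so a ';' inside
    content:"..." does not end the option; a backslash escapes the next char."""
    opts, i, n = [], 0, len(body)
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if i >= n:
            break
        j = i
        while j < n and body[j] not in ":;":
            j += 1
        name = body[i:j].strip()
        if not name:
            raise RuleError(f"empty option name at offset {i}")
        value = None
        if j < n and body[j] == ":":
            j += 1
            while j < n and body[j].isspace():
                j += 1
            if j < n and body[j] == '"':
                k = j + 1
                while k < n and body[k] != '"':
                    k += 2 if body[k] == "\\" else 1
                if k >= n:
                    raise RuleError(f"unterminated string in option '{name}' at offset {j}")
                value = body[j + 1:k]
                j = k + 1
            else:
                k = body.find(";", j)
                if k < 0:
                    raise RuleError(f"missing ';' after option '{name}'")
                value = body[j:k].strip()
                j = k
        while j < n and body[j].isspace():
            j += 1
        if j >= n or body[j] != ";":
            raise RuleError(f"expected ';' after option '{name}' at offset {j}")
        opts.append((name, value))
        i = j + 1
    return opts


def parse_rule(line: str) -> Rule:
    """Parse one rule; every failure raises RuleError naming the cause."""
    line = line.strip()
    if "\n" in line:
        raise RuleError("a rule must be written on a single line")
    if "(" not in line or not line.endswith(")"):
        raise RuleError("rule options must be enclosed in '(' ... ')'")
    header, body = line.split("(", 1)  # first '(' opens the option group
    m = HEADER_RE.match(header.strip())
    if not m:
        raise RuleError(f"malformed rule header: {header.strip()!r}")
    options = tokenize_options(body[:-1])  # drop the closing ')'
    for name, value in options:
        check = OPTION_CHECKS.get(name)
        if check is None:
            raise RuleError(f"unknown option '{name}' (no plugin registered for it)")
        check(name, value)
    return Rule(**m.groupdict(), options=options)


def explain(line: str) -> Optional[str]:
    """Return the parser's error message for a rule, or None if it parses."""
    try:
        parse_rule(line)
        return None
    except RuleError as exc:
        return str(exc)


# Constructed sample rule (the sid is a made-up local-range value).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC example request"; content:"/cgi-bin/"; nocase; '
    'flags:A+; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE))
    print(explain('alert tcp any any -> any any (foo:bar; sid:1;)'))
```

The per-option table is the part the message calls hard to solve: it keeps the tokenizer generic while leaving each option's meaning to its own check, and an unregistered option fails loudly instead of being silently accepted.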