[Snort-devel] rules2sql.pl and sql2rules.pl
cmg at ...81...
Wed Feb 7 15:49:35 EST 2001
> It's going to take more than half a day, I suspect. OTOH, it seems
> plausible that creating graphical snort configuration interfaces would be
> much simpler and far more compatible with one another. Moreover, it
> shouldn't be all that hard to come up with a translator (snort rules ->

The current snort language is very easy to write a non-error-correcting
parser for. It took about a day to write it in Perl that
isn't thought out at all.

It would be nice to make a BNF for it though and have a generic
tokenizer for snort language. I could look at doing this on the
weekend if there's the interest.

The only nasty things with the snort language right now to me are:
1) lines must all be on 1 line.
2) it would be nice to have paren groupings for content rules and
3) rule options are all specific to a plugin, meaning that if a new
flag is added or a new rules option is added, each plugin then has to
add its parsing support. (this is pretty hard to solve to me -
maybe people with more parsing exp can shed light)
4) it's not always clear why the parser breaks in snort. I've heard
from some sources that writing a compiler is 75% error messages

Chris Green <cmg at ...81...>
Let not the sands of time get in your lunch.
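
An added example, not part of the original message and not the Perl code or Snort's own parser: a keyword-agnostic, non-error-correcting tokenizer for a single-line rule that reports the column (0-based) where parsing stopped, touching on points 3 and 4 above. The grammar is an assumption: seven header fields, `->` or `<>` as direction, and options written `keyword[: value];` with backslash escapes inside double quotes; `RuleSyntaxError`, `split_options`, `parse_rule` and `SAMPLE` are hypothetical names.

```python
import re

class RuleSyntaxError(ValueError):
    def __init__(self, msg, col):
        super().__init__(f"{msg} at column {col}")  # say where parsing stopped
        self.col = col

HEADER = ("action", "proto", "src", "sport", "dir", "dst", "dport")

def split_options(body, base):
    """Split 'key: value; key; ...' on ';' outside double quotes.
    Keyword-agnostic: nothing here knows which plugin owns an option."""
    opts, start, in_quote, i = [], 0, False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote:
            i += 2                      # skip the escaped character, e.g. \" or \;
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            key, _, val = body[start:i].partition(":")
            if not re.fullmatch(r"[A-Za-z_]\w*", key.strip()):
                raise RuleSyntaxError(f"bad option keyword {key.strip()!r}", base + start)
            opts.append((key.strip(), val.strip() or None))
            start = i + 1
        i += 1
    if in_quote:
        raise RuleSyntaxError("unterminated quoted string", base + start)
    if body[start:].strip():
        raise RuleSyntaxError("option not terminated by ';'", base + start)
    return opts

def parse_rule(line):
    """Non-error-correcting: the first problem raises, nothing is guessed."""
    line = line.rstrip()
    paren = line.find("(")
    fields = (line if paren < 0 else line[:paren]).split()
    if len(fields) != len(HEADER):
        raise RuleSyntaxError(f"expected {len(HEADER)} header fields, got {len(fields)}", 0)
    rule = dict(zip(HEADER, fields))
    if rule["dir"] not in ("->", "<>"):
        raise RuleSyntaxError(f"bad direction operator {rule['dir']!r}", line.index(rule["dir"]))
    if paren >= 0 and not line.endswith(")"):
        raise RuleSyntaxError("missing closing ')'", len(line))
    rule["options"] = split_options(line[paren + 1:-1], paren + 1) if paren >= 0 else []
    return rule
# Constructed sample rule (not from the original post).
SAMPLE = 'alert tcp any any -> 10.0.0.0/24 80 (msg:"a;b \\"quoted\\""; content:"|90 90|"; nocase;)'
```

Because the option splitter never looks at keyword names, a new rule option needs no change here; only the code that interprets the returned `(keyword, value)` pairs has to know about it.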