[Snort-devel] xml thoughts

Michael Davis mike at ...27...
Wed Feb 7 20:51:31 EST 2001

Hash: SHA1

I personally love the idea of using XML.

Any opensource WIN32 XML parsers? If not I have to port one, hehe ;)

Michael Davis
Chief Technical Officer
Data Nerds, LLC.
- ----- Original Message ----- 
From: "Todd Lewis" <tlewis at ...255...>
To: "Snort Developers List" <snort-devel at lists.sourceforge.net>
Sent: Wednesday, February 07, 2001 10:42 AM
Subject: [Snort-devel] xml thoughts

> Some random ideas in support of XML.
> 1) As I mentioned in my previous message, for modular systems like
> the paengine, snort can have rich config file support for the
> modules in an extensible way, with no knowledge required in snort's
> core, using XML's namespace system.  This could also be applicable,
> e.g., to such plugins as logging systems, adaptive response engines
> (i.e., adaptive controllers for snort's newfound GIDS
> functionality), etc.  Marty, if you ever want your dream to come
> true of snort being 100 lines of code with 100,000 lines of
> plugins, then this is a great way to help.
> 2) It is much easier to modify the form of the config file with XML
> than with the present format because items' meaning is explicit via
> tags rather than implicit via position.  Just come up with a new
> tag name for the new format and include handlers for both the old
> and new tags in your XML receiver in snort.  Bang, easy upwards
> compatibility. Contrast this with the fact that format changes
> today are either totally incompatible or really gross (like
> multiple network support, with either Marty's or my syntax.)
> 2a) The present syntax is very creepable.  It's easy to modify the
> parser in such a way that the files become subtlely incompatible
> and not even realize that you're doing it.  XML is a formalized
> document system riding SGML's decades of work in building
> structured documents with unambiguous meaning.
> 3) XML is validatable.  Contrast this with the present "Snort
> segfaulted; I wonder if I have a syntax error?" technique of config
> file validation.  
> 4) It is hyper-easy to write programs to generate these XML files.
> Perl, python, java, C, Visual Basic, ECMA script, PHP, every
> language known to man and then some have XML suppport.  Ergo, it's
> very easy to write GUI tools, web interfaces, automatic converters
> or anything else you want to generate a rule file.  Contrast this
> with how hard it would be to generate config files for the present
> format and be able to rely on their correctness.
> 5) Think of all of the little features that XML has that a
> home-grown format will never support.  Namespaces is the classic
> example here of how jumping on the bandwagon will take us a lot
> farther than we'll walk on our own.  As snort evolves, our needs
> for a config file are going to become a lot more demanding. 
> Whatever our needs are, though, I can promise that we'll never be
> in the front ranks of demanding XML users; we can just ride the
> wave with already-developed solutions to our problems. Sticking
> with the present format means both a lot of work in the future and
> a lot of cramping of new ideas because no one wants to code up
> config file support for it.
> 6) It'd be super easy to display rule files in XML.  Just whip up a
> style sheet and throw it into mozilla.  8^)
> 7) Managing XML is doable.  Viz. all of the XML database
> integration that's happening today.  For people like SecureWorks
> who have to manage rule files in a rigorous way, XML's
> databasificationability is a real win.  (That's the best neologism
> I've come up with in a while!)
> --
> Todd Lewis                                      
> tlewis at ...120...  
>   God grant me the courage not to give up what I think is right,
> even 
>   though I think it is hopeless.          - Admiral Chester W.
> Nimitz  
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>


More information about the Snort-devel mailing list