[Snort-devel] xml thoughts

Fyodor fygrave at ...1...
Thu Feb 8 11:54:40 EST 2001

On Wed, Feb 07, 2001 at 02:48:57PM -0500, Todd Lewis wrote:
> On Wed, 7 Feb 2001, A.L.Lambert wrote:
> > XML files induce a level of complexity that I, for one, do not
> > wish to deal with.  More experienced developers/users will probably
> > disagree with me on the fact that XML is _more_ complicated than formatted
> > flat ASCII, but trust me, from the 'ignorant savage' point of view (which
> > I consider myself to be a good representative of), a flat ASCII file is far
> > easier to work with (especially when using the hog.vim syntax highlighting
> > file :)
> I think that a lot of this thinking is just natural psychological
> resistance to change.  The present format is easier to use not because
> it is better, but just because users are familiar with it.

Right ;). Frankly speaking, I'd stick with XML as well. I remember earlier
days when I had to grasp the concept of html, and in the first weeks it was 'aii.. what
a crap', but then you just get so familiar with it that you don't really notice
whether you write html or just plain text. I believe xml for snort is the same thing..
moving on to that should be hard, but once it becomes a common format for snort rules
it would be easy.. a couple of other points: the current snort rules grammar definitely needs some
extensions and elaborations, and the point is: is there any reason to invoke yet-another-one
grammar structure, when we could adopt something that already exists?

> > format.  I myself am probably one of the most clueless programmers on the
> > planet (really; I suck, trust me), and I can/have whipped up some simple
> > code without too much problem to do everything from add "react:" tags to
> > the apropos rules, change the "flags:" statements, snag the latest
> > snort.org and vision.conf rulesets, rip out the rules that have
> > historically caused an inordinate amount of false positives, combine the
> > two, rip out duplicates, and other such tasks.
> Sure, you can whip up scripts easily, but they break at the drop of

One of the reasons why it's easy (imho) is that the current grammar in rules
is position oriented: it is easy to write parsers/scripts for that, but it is
sort of painful to detect errors within snort itself (that is probably also
the reason why we sometimes have coredumps at all kinds of weird places if rules
are written with some 'grammatical' mistakes).

just my $.02 :)
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
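To illustrate the point about the position-oriented rule grammar, here is an added example (not code from Snort or from anyone in this thread): a small parser for the classic one-line rule format that checks every positional header field and every `key:value;` option and returns a list of errors for malformed rules instead of failing on them. The accepted actions, protocols and port syntax are assumptions chosen for the example, and the rule lines in the test are constructed.

```python
"""Minimal Snort-style rule parser that validates each positional header
field and reports grammatical mistakes instead of crashing on them.
Added example, not Snort's own parser; the accepted keyword sets are assumptions."""
import re

ACTIONS = {"alert", "log", "pass"}          # assumed subset of rule actions
PROTOS = {"tcp", "udp", "icmp", "ip"}       # assumed subset of protocols
HEADER_FIELDS = ("action", "proto", "src", "src_port", "dir", "dst", "dst_port")


def parse_rule(line):
    """Return (rule_dict, errors). The header is purely positional; options
    are 'key:value;' pairs inside parentheses (value may be absent, e.g. 'nocase;')."""
    errors = []
    head, sep, tail = line.partition("(")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        errors.append("header has %d fields, expected %d" % (len(fields), len(HEADER_FIELDS)))
        return None, errors        # cannot assign fields by position, so stop here
    rule = dict(zip(HEADER_FIELDS, fields))
    if rule["action"] not in ACTIONS:
        errors.append("unknown action %r" % rule["action"])
    if rule["proto"] not in PROTOS:
        errors.append("unknown protocol %r" % rule["proto"])
    if rule["dir"] not in ("->", "<>"):
        errors.append("bad direction %r" % rule["dir"])
    for port_field in ("src_port", "dst_port"):   # 'any', a single port or a range
        if not re.fullmatch(r"any|\d+|\d*:\d*", rule[port_field]):
            errors.append("bad port spec %r in %s" % (rule[port_field], port_field))
    rule["options"] = {}
    if sep:
        body, close, rest = tail.rpartition(")")
        if not close or rest.strip():
            errors.append("options not terminated by ')'")
            body = tail            # still parse what is there so the error report is complete
        # split on ';' only outside double quotes, so msg:"a; b" stays intact
        for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
            opt = opt.strip()
            if not opt:
                continue
            key, _, value = opt.partition(":")
            rule["options"][key.strip()] = value.strip().strip('"')
    return rule, errors
```

Running a rule through `parse_rule` gives the structured fields a script would work with, plus the error list a rule checker could print before the rules ever reach the sensor.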
