[Snort-devel] xml thoughts

Fyodor fygrave at ...1...
Thu Feb 8 13:14:32 EST 2001


> 
> 	And again, I'll say that from your technical standpoint as a
> developer, I think you're very right in your argument.  I'm not saying
> "you're wrong", I actually think you make a great case for what you
> propose, from a _developers_ point of view.  I'm just asking you to see
> things from the point of view of me; an end user of Snort.  To me (and
> those like me) XML config files just add complexity, and remove
> flexibility, without doing much to alter what I use snort for, and what
> snort does for me.  Cheers!
> 

IMHO we could solve it with a simple script like this:


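#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that are special in XML text content.
sub xml_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

while (<STDIN>) {
    chomp;
    next if (/^#/);    # skip comment lines
    # action proto srcip srcport dir dstip dstport (options)
    # \S+ keeps each header field to one token, so spaces and parentheses
    # inside the options cannot shift the field boundaries.
    my ($action, $proto, $srcip, $srcport, $dir, $dstip, $dstport, $options) =
        (/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)/);
    if (!$action) {
        # not a rule line: pass it through unchanged
        print $_,"\n";
        next;
    }
    ($action, $proto, $srcip, $srcport, $dstip, $dstport, $options) =
        map { xml_escape($_) }
            ($action, $proto, $srcip, $srcport, $dstip, $dstport, $options);

    print "<rule>\n";
    print "\t<action>$action</action>\n";
    print "\t<proto>$proto</proto>\n";
    print "\t<source>\n";
    print "\t\t<address>$srcip</address>\n";
    print "\t\t<port>$srcport</port>\n";
    print "\t</source>\n";
    print "\t<destination>\n";
    print "\t\t<address>$dstip</address>\n";
    print "\t\t<port>$dstport</port>\n";
    print "\t</destination>\n";
    # options are emitted as element text so the output stays well-formed
    print "\t<options>$options</options>\n";
    if ($dir eq "->") {
        print "\t<direction>one-way</direction>\n";
    } else {
        print "\t<direction>bidirectional</direction>\n";
    }
    print "</rule>\n";
}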
.....
or something, so you would still be able to write snort rules in old format and convert them, while we could
use xml as the primary base.. sound reasonable?

Or there could be 'rules-parsing-preprocessor' too :)
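
An added example, not part of the original post: the same old-format-to-XML conversion in Python, taken one step further so that the option list is split into individual elements instead of being carried as one string. The `<options>`/`<option name="...">` layout and the function names are assumptions made for this sketch; no Snort XML schema is defined in the thread.

```python
import re
import xml.etree.ElementTree as ET

# action proto srcip srcport dir dstip dstport (options), one rule per line
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def split_options(text):
    """Split 'key:value; key;' on ';', ignoring ';' inside "quoted" values."""
    opts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False            # character after a backslash is literal
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            opts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if quoted:
        raise ValueError('unterminated quote in rule options')
    opts.append(''.join(buf).strip())
    return [tuple(p.strip() for p in o.partition(':')[::2]) for o in opts if o]

def rule_to_xml(line):
    """Return an Element for one rule line, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, proto, sip, sport, direction, dip, dport, options = m.groups()
    rule = ET.Element('rule')
    ET.SubElement(rule, 'action').text = action
    ET.SubElement(rule, 'proto').text = proto
    for tag, addr, port in (('source', sip, sport), ('destination', dip, dport)):
        end = ET.SubElement(rule, tag)
        ET.SubElement(end, 'address').text = addr
        ET.SubElement(end, 'port').text = port
    ET.SubElement(rule, 'direction').text = 'one-way' if direction == '->' else 'bidirectional'
    opts = ET.SubElement(rule, 'options')
    for key, value in split_options(options):
        ET.SubElement(opts, 'option', name=key).text = value   # escaped on output
    return rule

# Constructed sample rule: the msg value contains ';', '&', '<' and parentheses.
SAMPLE = r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test; a&b <c> (x)"; content:"/cgi-bin/phf"; nocase;)'
if __name__ == '__main__':
    print(ET.tostring(rule_to_xml(SAMPLE), encoding='unicode'))
```

A converter that splits a rule at the wrong place changes what the rule detects without reporting an error, so the quoted `;` and the unterminated-quote case are the inputs to check first.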





