[Snort-devel] xml thoughts

Martin Roesch roesch at ...48...
Sat Feb 10 23:33:34 EST 2001


Ok guys, I have a couple quick comments on this one for the moment (I'm
short on time this evening).

A) The Snort rules language will always be loadable by Snort.

B) The Snort rules language parser is in need of some serious
rethinking/recoding, and I intend to tackle that problem when we get
going on the 2.0 code.

C) XML and database rules loading are great options to have for people
who like such things (and people trying to manage a lot of Snort sensors
across an enterprise) and so we're going to implement options to be able
to load configuration data from those sources one of these days.  When
we do add this capability, it will be in the form of plugins
(Parser/config plugins) so that we remain as flexible as possible.

D) I've got to teach the rules language that Snort uses to people in
class rooms, so I'm going to go with the most readable format (i.e. the
current one) as the default system for the foreseeable future.  I feel
strongly that the language as it's written is fairly straight forward
and easy to wrap the brain around, so we're going to be sticking with it
until something clearly better for everyone comes along (probably
forever).

E) XML and database loading are really nice features in a number of
situations, so we should support them as well.  I think that with some
intelligent planning and coding, we can make everyone pretty happy with
this issue.

    -Marty

--
Martin Roesch
roesch at ...48...
http://www.snort.org




More information about the Snort-devel mailing list