[Snort-devel] rules2sql.pl and sql2rules.pl

Mike Andersen mike.andersen at ...139...
Wed Jan 31 04:21:48 EST 2001


[Martin Roesch]
|
| XML is ok, but I want to remain backwards compatible.  Basically I'm
| talking about having rules parser plugins (groan).  

With backward compatibility, do you mean that the plugin should be able
to read the rules in both formats (XML and the current one)?

Based on a model one of my coworkers has made (for describing IDS rules
in general), I tried to make an example of an XML rule for snort (mostly to
better understand it myself):

<rule>
  <header>
    <id>
      <ids>IDS198</ids>
    </id>
    <title>SYN FIN Scan</title>
    <serialnumber>2001011501</serialnumber>
    <comments>
      A TCP probe was sent with the SYN+FIN flags set in the header. 
      This traffic does not occur naturally and indicates an intentional
      probe, likely as a part of single-packet OS detection.
    </comments>
    <origin>http://www.whitehats.com/info/IDS198</origin>
    <author>
      <name>Marty Roesch </name>
      <e-mail>roesch at ...16... </e-mail>
    </author>
  </header>
  <logic>
    <and>
      <protocol>tcp</protocol>
      <source>
        <address>&EXTERNAL;</address>
        <port>any</port>
      </source>
      <destination>
        <address>&INTERNAL;</address>
        <port>any</port>
      </destination>
      <flags syn="true" fin="true"/>
      <direction>inbound</direction>
    </and>
  </logic>
  <handling>
    <facility>snort 1.7</facility>
    <severity>low</severity>
  </handling>
</rule>

What I really would like to see, is a definition of the elements in a
snort rule (something like a DTD).

| By the time I get done, Snort's going to be about 100 lines of code with
| 60000 lines of plugins. :)

That's probably why we like snort so much -- it makes it _possible_ for
us to scratch our own itch. :-)


mike
-- 
"I hate the term 'user-friendly'. People balk if they have to learn a 
different way of doing something."               -- Douglas Engelbart
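The post sketches an XML rule but does not show how it would get back into the plain-text format Snort 1.x reads. The following is an added example (not code from the post, from Mike, or from the Snort project) that parses a rule in that XML form and emits the equivalent Snort rule line. It assumes a few things the sketch leaves open: the `&EXTERNAL;` / `&INTERNAL;` entities are declared in the document's internal DTD subset and map to Snort's conventional `$EXTERNAL_NET` / `$HOME_NET` variables, `<flags>` is an empty element whose boolean attributes name the TCP flags, `<direction>` only picks the rule arrow, `<facility>` must name snort, and the rule action defaults to `alert`. The sample rule string is constructed for this example.

```python
"""Convert a Snort rule written in the XML form sketched in the post into
Snort 1.x rule-file syntax (added example; format details are assumptions)."""
import xml.etree.ElementTree as ET

# Constructed sample: the post's XML rule, with the two address entities
# declared in an internal DTD subset and <flags> written as a well-formed
# empty element with boolean attributes (assumed format).
SAMPLE_RULE = """<?xml version="1.0"?>
<!DOCTYPE rule [
  <!ENTITY EXTERNAL "$EXTERNAL_NET">
  <!ENTITY INTERNAL "$HOME_NET">
]>
<rule>
  <header>
    <id><ids>IDS198</ids></id>
    <title>SYN FIN Scan</title>
    <serialnumber>2001011501</serialnumber>
    <comments>A TCP probe was sent with the SYN+FIN flags set.</comments>
    <origin>http://www.whitehats.com/info/IDS198</origin>
  </header>
  <logic>
    <and>
      <protocol>tcp</protocol>
      <source><address>&EXTERNAL;</address><port>any</port></source>
      <destination><address>&INTERNAL;</address><port>any</port></destination>
      <flags syn="true" fin="true"/>
      <direction>inbound</direction>
    </and>
  </logic>
  <handling>
    <facility>snort 1.7</facility>
    <severity>low</severity>
  </handling>
</rule>
"""

# XML flag attribute name -> letter used by Snort's "flags:" option.
FLAG_LETTERS = (("syn", "S"), ("fin", "F"), ("rst", "R"),
                ("psh", "P"), ("ack", "A"), ("urg", "U"))
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Assumed meaning of <direction>: only "bidirectional" changes the arrow.
DIRECTIONS = {"inbound": "->", "outbound": "->", "bidirectional": "<>"}


def _text(node, path):
    """Return the stripped text of a required child element."""
    child = node.find(path)
    if child is None or child.text is None:
        raise ValueError(f"missing <{path}>")
    return child.text.strip()


def _escape_msg(title):
    """Escape characters that would break a quoted Snort msg option."""
    return title.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def flags_to_snort(flags_el):
    """Map <flags syn="true" .../> to the letter string Snort expects."""
    if flags_el is None:
        return None
    letters = "".join(letter for name, letter in FLAG_LETTERS
                      if flags_el.get(name, "false").lower() == "true")
    if not letters:
        raise ValueError("<flags> element sets no flag")
    return letters


def xml_rule_to_snort(xml_text, action="alert"):
    """Parse one <rule> document and return Snort rule-file text.

    The origin URL is kept as a '#' comment line above the rule so the
    reference survives the round trip."""
    root = ET.fromstring(xml_text)
    if root.tag != "rule":
        raise ValueError("root element must be <rule>")
    header, logic = root.find("header"), root.find("logic/and")
    if header is None or logic is None:
        raise ValueError("rule needs <header> and <logic><and>")
    if not _text(root, "handling/facility").lower().startswith("snort"):
        raise ValueError("rule is not targeted at snort")
    proto = _text(logic, "protocol").lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    src = f"{_text(logic, 'source/address')} {_text(logic, 'source/port')}"
    dst = (f"{_text(logic, 'destination/address')} "
           f"{_text(logic, 'destination/port')}")
    arrow = DIRECTIONS.get(_text(logic, "direction").lower(), "->")
    options = [f'msg:"{_escape_msg(_text(header, "title"))}";']
    flags = flags_to_snort(logic.find("flags"))
    if flags is not None:
        if proto != "tcp":
            raise ValueError("<flags> is only meaningful for tcp rules")
        options.append(f"flags:{flags};")
    lines = []
    origin = header.find("origin")
    if origin is not None and origin.text:
        lines.append(f"# origin: {origin.text.strip()}")
    lines.append(f"{action} {proto} {src} {arrow} {dst} ({' '.join(options)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(xml_rule_to_snort(SAMPLE_RULE))
```

Running it on the sample prints the origin comment followed by `alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN FIN Scan"; flags:SF;)`. The checks on protocol, facility and flags are the kind of constraints a DTD alone cannot express, which is the practical argument for a schema plus a small validating converter rather than a DTD by itself.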