[Snort-devel] rules2sql.pl and sql2rules.pl
rpompon at ...243...
Wed Jan 31 18:07:28 EST 2001
Funny you should mention it. I'm tinkering around with that very thang.
I've got a rough DTD for Snort rules laid out in XML schema right now.
>| XML is ok, but I want to remain backwards compatible. Basically I'm
>| talking about having rules parser plugins (groan).
>With backward compatibility, do you mean that the plugin should be able
>to read the rules in both formats (XML and the current one)?
>Based on a model one of my coworkers has made (for describing IDS rules
>in general), I tried to make an example of an XML rule for snort (mostly to
>better understand it myself):
> <title>SYN FIN Scan</title>
> A TCP probe was sent with the SYN+FIN flags set in the header.
> This traffic does not occur naturally and indicates an intentional
> probe, likely as a part of single-packet OS detection.
> <name>Marty Roesch </name>
> <e-mail>roesch at ...16... </e-mail>
> <flags syn fin>
> <facility>snort 1.7</facility>
>What I really would like to see is a definition of the elements in a
>snort rule (something like a DTD).
>| By the time I get done, Snort's going to be about 100 lines of code with
>| 60000 lines of plugins. :)
>That's probably why we like snort so much -- it makes it _possible_ for
>us to scratch our own itch. :-)
>"I hate the term 'user-friendly'. People balk if they have to learn a
>different way of doing something." -- Douglas Engelbart
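As an added illustration (not code from this thread, from Snort, or from the DTD mentioned above), here is a Python sketch of the kind of two-way rule parser the reply talks about: it tokenizes a classic one-line Snort rule into header fields and option pairs, emits it as XML, reads the XML back into classic rule text, and accepts either format on input so the old rule files keep working. The `<rule>/<header>/<options>` layout, the field names, and the sample rules (with SIDs in the local range rather than real Snort SIDs) are all assumptions made for this example.

```python
"""Added example: classic Snort rule text <-> XML, both directions.

Assumptions (not from the thread or from Snort): the XML layout
<rule><header .../><options><option name="...">value</option></options></rule>
is invented here for illustration, and the sample rules are constructed,
with SIDs in the local range (>= 1000000) rather than real Snort SIDs.
"""
import re
import xml.etree.ElementTree as ET

HEADER_FIELDS = ('action', 'protocol', 'src_ip', 'src_port',
                 'direction', 'dst_ip', 'dst_port')

# Constructed sample; the msg text and SID are not taken from the Snort rule set.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"SCAN SYN FIN"; flags:SF; classtype:attempted-recon; '
               'sid:1000001; rev:1;)')

_HEADER_RE = re.compile(
    r'(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)',
    re.S)


def split_options(body):
    """Split the option body on ';' while respecting double-quoted values.

    'msg:"a; b"; flags:SF; nocase;' -> [('msg', '"a; b"'), ('flags', 'SF'),
    ('nocase', None)].  Quotes are kept so that serialisation is lossless.
    """
    items, cur, in_quote = [], [], False
    for i, ch in enumerate(body):
        if ch == '"' and (i == 0 or body[i - 1] != '\\'):
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if ''.join(cur).strip():
                items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        items.append(''.join(cur).strip())
    pairs = []
    for item in items:
        key, sep, val = item.partition(':')
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def parse_rule(text):
    """Return (header_dict, option_pairs) for one single-line classic rule.

    Limitation of this sketch: bracketed IP/port lists containing spaces
    are not handled, and a rule with no option body is rejected.
    """
    m = _HEADER_RE.fullmatch(text.strip())
    if not m:
        raise ValueError('unsupported rule syntax: %r' % text)
    header = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    return header, split_options(m.group(8))


def rule_to_xml(header, options):
    """Build the (assumed) <rule> element; header fields become attributes."""
    rule = ET.Element('rule')
    ET.SubElement(rule, 'header', header)
    opts = ET.SubElement(rule, 'options')
    for key, val in options:
        opt = ET.SubElement(opts, 'option', name=key)
        if val is not None:
            opt.text = val
    return rule


def xml_to_rule(rule):
    """Inverse of rule_to_xml: regenerate classic rule text from the element."""
    hdr = rule.find('header')
    head = ' '.join(hdr.get(field) for field in HEADER_FIELDS)
    parts = []
    for opt in rule.find('options'):
        name = opt.get('name')
        parts.append(name if opt.text is None else '%s:%s' % (name, opt.text))
    return '%s (%s)' % (head, ' '.join(p + ';' for p in parts))


def round_trip(text):
    """Rule text -> XML string -> rule text; should equal the input."""
    xml_text = ET.tostring(rule_to_xml(*parse_rule(text)), encoding='unicode')
    return xml_to_rule(ET.fromstring(xml_text))


def load_rule(text):
    """Backward-compatible loader: XML if it starts with '<', classic otherwise."""
    stripped = text.lstrip()
    if stripped.startswith('<'):
        return parse_rule(xml_to_rule(ET.fromstring(stripped)))
    return parse_rule(stripped)


if __name__ == '__main__':
    header, options = parse_rule(SAMPLE_RULE)
    print(ET.tostring(rule_to_xml(header, options), encoding='unicode'))
    print(round_trip(SAMPLE_RULE) == SAMPLE_RULE)
```

Quoted option values are carried into the XML with their quotes intact, so `msg:"a; b"` survives the trip unchanged; a real schema would probably strip them and type the `flags` value (the `<flags syn fin>` sketch above) rather than store it as opaque text, and a real loader would need to cope with bracketed address lists and multi-line rules, which this sketch deliberately does not.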