[Snort-devel] a doozie of a metaphysical question

tlewis at ...255... tlewis at ...255...
Wed Jun 13 00:24:56 EDT 2001


On Wed, 13 Jun 2001, Martin Roesch wrote:

> tlewis at ...255... wrote:
>
> > I do not believe that there exists an answer to this question.  I believe
> > that the best that we can do is to leave to the NIDS administrator a means
> > of mapping certain traffic characteristics (port, address, interface)
> > to protocol decomposition targets.  I would love for someone to explain
> > to me why I am wrong.
> 
> You're exactly right, but hand-edited tables of application->port
> mappings aren't going to work; you need to automate the process.

Absolutely.  With xml-based interfaces, the distinction between manual
and automated processes blurs.  With libxml already DTD-validating my
config files for me, I no longer have any fear of death.  8^)

I have been holding out hope that, in addition to the regular config
file interface, a next-gen NIDS could read in transaction files at run
time to perform tasks like update the protocol decomposition mapping as
well as add new IDS rules, all without restarting.  No promises, but
I'll see what I can do.

--
Todd Lewis
tlewis at ...255...
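The mechanism sketched in the message above, as an added illustration that is not code from the thread, from Snort, or from libxml: a table that maps traffic characteristics (interface, address, port) to a protocol decoder, updated at run time from XML "transaction" documents rather than by restarting. The element and attribute names (`transaction`, `map`, `rule`, `decoder`), the decoder names, the sample documents and the `Dispatcher` and `Mapping` classes are all assumptions made for this example. It parses with ElementTree and does a hand-written structural check instead of DTD validation, because the Python standard library cannot validate against a DTD; the lookup prefers the most specific mapping, and a transaction is applied atomically so that a malformed update leaves the live table untouched.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow as the NIDS sees it: ingress interface, server address, server port.
FlowKey = Tuple[str, str, int]


@dataclass
class Mapping:
    interface: Optional[str]   # None means "any"
    addr: Optional[str]
    port: Optional[int]
    decoder: str

    def specificity(self) -> int:
        return sum(v is not None for v in (self.interface, self.addr, self.port))

    def matches(self, key: FlowKey) -> bool:
        iface, addr, port = key
        return ((self.interface is None or self.interface == iface)
                and (self.addr is None or self.addr == addr)
                and (self.port is None or self.port == port))


@dataclass
class Dispatcher:
    mappings: List[Mapping] = field(default_factory=list)
    rules: Dict[str, str] = field(default_factory=dict)   # sid -> rule text
    generation: int = 0                                    # bumped per commit

    def decoder_for(self, key: FlowKey) -> str:
        """Most specific matching mapping wins; on a tie the newest wins.
        Traffic nothing claims falls through to the generic 'raw' decoder."""
        best = None
        for idx, m in enumerate(self.mappings):
            if m.matches(key) and (best is None or
                                   (m.specificity(), idx) > (best[1].specificity(), best[0])):
                best = (idx, m)
        return best[1].decoder if best else "raw"

    def apply_transaction(self, xml_text: str) -> None:
        """Parse, check and apply one transaction without a restart.
        Changes are staged on copies and swapped in only at the end."""
        root = ET.fromstring(xml_text)
        if root.tag != "transaction":
            raise ValueError("root element must be <transaction>")
        new_mappings, new_rules = list(self.mappings), dict(self.rules)
        for el in root:
            if el.tag == "map":
                decoder = el.get("decoder")
                if not decoder:
                    raise ValueError("<map> requires a decoder attribute")
                port = el.get("port")
                new_mappings.append(Mapping(el.get("interface"), el.get("addr"),
                                            int(port) if port is not None else None,
                                            decoder))
            elif el.tag == "rule":
                sid, text = el.get("sid"), (el.text or "").strip()
                if not sid or not text:
                    raise ValueError("<rule> requires a sid attribute and a body")
                new_rules[sid] = text
            else:
                raise ValueError(f"unknown element <{el.tag}>")
        self.mappings, self.rules = new_mappings, new_rules   # commit
        self.generation += 1


# Constructed sample documents for the demonstration (assumed format).
BASE_CONFIG = """<transaction>
  <map port="80" decoder="http"/>
  <map port="25" decoder="smtp"/>
</transaction>"""

# Run-time update: one host serves HTTP on 8080, port 443 on interface eth1
# goes to a (hypothetical) ssl decoder, and one rule is added.
UPDATE = """<transaction>
  <map addr="10.0.0.5" port="8080" decoder="http"/>
  <map interface="eth1" port="443" decoder="ssl"/>
  <rule sid="1000001">alert tcp any any -> 10.0.0.5 8080 (msg:"added example"; sid:1000001;)</rule>
</transaction>"""

# Malformed: the rule is fine but the <map> lacks a decoder, so the whole
# transaction must be rejected and the rule must not land either.
BAD_UPDATE = """<transaction>
  <rule sid="1000002">alert tcp any any -> any 8080 (msg:"must not land"; sid:1000002;)</rule>
  <map port="8080"/>
</transaction>"""


def demo() -> Dict[str, object]:
    d = Dispatcher()
    d.apply_transaction(BASE_CONFIG)
    before = d.decoder_for(("eth0", "10.0.0.5", 8080))
    d.apply_transaction(UPDATE)
    after = d.decoder_for(("eth0", "10.0.0.5", 8080))
    gen = d.generation
    try:
        d.apply_transaction(BAD_UPDATE)
        rejected = False
    except ValueError:
        rejected = True
    return {"before": before, "after": after, "rejected": rejected,
            "generation_unchanged": d.generation == gen, "rules": sorted(d.rules)}


if __name__ == "__main__":
    print(demo())
```

The point of staging on copies is the failure mode a hot-reload interface introduces: a partially applied update is worse than a rejected one, because the sensor would keep running with a table nobody wrote. Note also that any port-keyed mapping, automated or not, only sees the port, so a server run on an unexpected port stays on the `raw` path until a mapping for it is pushed.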