[Snort-devel] an indictment of my protocol engine proposal

Todd Lewis tlewis at ...255...
Tue May 8 15:21:28 EDT 2001


On Tue, 10 Apr 2001, Fyodor wrote:

> > An alternative that springs to mind would be to write a language for
> > protocol description.  The idea of decomposing successive protocol
> > layers would still apply, but it would be done by an engine that has been
> > primed by the protocol descriptions.  Adding support for a new protocol
> > would consist of writing a protocol description for it and passing the
> > description into snort.
> 
> Sounds a way complicated to me. I read a couple of papers on
> protocol-desciptive languages and most of them sound like high-math sci theory
> rather than something practical that we could apply.. The best approach which
> could be taken is something similar to current tcpdump code, where you could
> match packet offsets/transport protocols/parameters. By adding some kind of event
> table to this model we could get something useful, but it sounds a way huge to be
> implemented to me.

I am going full-steam ahead with my original protocol engine proposal.  However,
I've stumbled across a protocol language that might be interesting to us in some
capacity.  It's called prolac.  It's very immature.  It's very C-like.  I don't
understand it very deeply.  Still, it looks cool.  Interested parties may want
to check it out:

http://www.pdos.lcs.mit.edu/prolac/

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list