[Snort-devel] Proposal: New rule action, "info"

Martin Roesch roesch at ...402...
Thu Nov 1 13:08:17 EST 2001


They aren't orthogonal, but that wasn't the way Snort was written in the
first place.  Everyone should remember when critiquing Snort's design
that I wrote it for *me* first and then the rest of the world.  The
output functionality and action types were a result of my needs, and I
had two of them at the time.  When a packet came in that I was
interested in keeping but that I didn't necessarily want to be notified
of, it'd get logged using the "log" action.  When I had a packet that
generated an alert, I *always* wanted to log the packet and be notified
that something interesting had happened through the alert facility.

Now that things have matured some (Snort is 3 years old this month), we
have a somewhat different view of what would be nice, but due to
implementational inertia and a need for expected behavior to remain the
same, we have the current system.  It's not perfect but it has the
advantage of working.

That said, we're finally ready to begin development on Snort 2.0 and I
expect to do so starting in December.  Snort 2.0 will be a lot cleaner
than the current design, and when it's ready I think people will be
happy with the overall level of flexibility and power offered by the
second generation of the system.

     -Marty


Matthew Callaway wrote:
> 
> Well, along those lines, do you consider the current "alert" and "log"
> actions to be orthogonal?  It seems to me that "alert" should
> do alerts and "log" should do logs. If you want both, specify both; if
> you only want one or the other, this would allow it.  Right now, you
> can't do this (unless I'm missing something, which is entirely
> possible).
> 
> Matt
> 
> On Thu, 1 Nov 2001 tlewis at ...255... wrote:
> 
> > I think that having this behavior coded into snort the way that it is
> > is silly.  You should present people with a set of orthogonal options
> > and then let them decide which ones they want.  Having a name for each
> > potential combination of actions is the wrong way.
> >
> > That having been said, it is the snort way, so in that context it
> > might be the right thing here.
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
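The two action models argued over in this thread, written out as an added illustration (this is not Snort code and not anything the posters wrote): a tiny parser for Snort-1.x-style rule lines, a matcher over constructed packet records, and two dispatch policies. `classic` reproduces what Marty describes above (`log` writes the packet only, `alert` always notifies and logs the packet, `pass` suppresses). `orthogonal` is the alternative the other posters ask for, with a hypothetical `alert+log` action syntax that Snort never had. First matching rule in file order wins; Snort's real alert/pass/log rule ordering is not modelled. All rules and packets are constructed samples.

```python
import re
from dataclasses import dataclass

# Minimal Snort-1.x-style rule line, e.g.
#   alert tcp any any -> any 80 (msg:"x"; content:"y";)
# Only the pieces needed for this illustration are parsed.
RULE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    dst: str
    dport: str
    msg: str
    content: bytes


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: " + line)
    opts = dict(OPT_RE.findall(m["opts"]))
    return Rule(m["action"], m["proto"], m["dst"], m["dport"],
                opts.get("msg", ""), opts.get("content", "").encode())


def matches(rule, pkt):
    """pkt is a dict with proto, dst, dport and payload (constructed, not pcap)."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dst != "any" and rule.dst != pkt["dst"]:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt["dport"]:
        return False
    return rule.content in pkt["payload"]


def classic(action):
    """Snort 1.x coupling as described in the post: alert implies log."""
    return {"alert": {"alert", "log"}, "log": {"log"}, "pass": set()}[action]


def orthogonal(action):
    """Hypothetical '+'-joined independent outputs: alert, log, alert+log."""
    return set(action.split("+")) - {"pass"}


def dispatch(rules, packets, model):
    """Return (alert messages, logged payloads) for one pass over packets."""
    alerts, logged = [], []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                outputs = model(rule.action)
                if "alert" in outputs:
                    alerts.append(rule.msg)
                if "log" in outputs:
                    logged.append(pkt["payload"])
                break  # first matching rule wins (simplification)
    return alerts, logged


# Constructed sample rules and traffic for the demonstration.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"suspicious GET"; content:"GET /cgi-bin";)',
    'log tcp any any -> any 80 (msg:"keep web traffic"; content:"GET";)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /cgi-bin/x HTTP/1.0"},
    {"proto": "tcp", "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0"},
    {"proto": "tcp", "dst": "10.0.0.5", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH"},
]


def run(model):
    return dispatch([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS, model)


if __name__ == "__main__":
    for name, model in (("classic", classic), ("orthogonal", orthogonal)):
        alerts, logged = run(model)
        print(name, "alerts:", alerts, "logged:", logged)
```

Under `classic` the cgi-bin packet is both alerted on and logged, because the `alert` action carries the log with it; under `orthogonal` the same rule line only alerts, and a rule author who wants the packet kept has to say `alert+log`. That difference is exactly the behaviour-compatibility cost the post is weighing.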
