[Snort-devel] RFC - XML Rules definition question?

Chris Green cmg at ...81...
Wed Jan 9 19:44:01 EST 2002

"Gareth" <gisaac at ...239...> writes:

> Ok - I may be in the wrong place, but no-doubt someone will tell me :-)
> How would I go about proposing a change to the rule set definitions? I'll
> make my case now - please shoot me down if this is the wrong place etc.

Right place, but there is one very strong reason to not do this
> Snort currently uses a rule set that is configured as a set of flat files.
> However to externally parse and update these files means that custom code
> needs to be written to read/generate the rule sets. I know its not rocket
> science, but as there are a number of XML parsers out there already could
> that be a better option?

All your advantages would be nice but comes at the expense of having a
readable ruleset in anything but an XML editor.

One goal of 2.0 branch is to do a cleaner rules API and then interface
the official parser with that.  That would then let anyone that really
really wanted to define their rules however they wanted to ( SQL/XML

The transformations stuff you wanted to be able to do doesn't prevent
you from defining your own ruleset in XML and then doing an XSLT
transform into what is currently there.
Chris Green <cmg at ...81...>
A watched process never cores.

More information about the Snort-devel mailing list