[Snort-devel] RFC - XML Rules definition question?

tlewis at ...255... tlewis at ...255...
Wed Jan 9 21:34:03 EST 2002


On Wed, 9 Jan 2002, Andrew R. Baker wrote:

> This has been discussed before.  The consensus then was (and I don't
> think that it has changed) that an XML based rules language will make
> writing and reading rules rely entirely on external applications.  I
> will no longer be able to write a new rule by just opening up the rules
> file with vi.  

With all due respect, this reasoning is wrong.  I can compose hank rules
by hand just fine.  Which one is more obvious:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8;)

or:

<rule>
   <report>ICMP PING NMAP</report>
   <match>
      <AND>
         <PRIM proto="icmp" field="payload" op="=">4</PRIM>
         <PRIM proto="icmp" field="type" op="=">8</PRIM>
         <PRIM proto="icmp" field="content" op="=">0</PRIM>
      </AND>
   </match>
</rule>

Sure, the second one is longer, but it is definitely hand-editable in
addition to being much more flexible (hank has "OR" and "NOT" in addition
to "AND", and they are arbitrarily combinable).

> The current rules language is designed to allow rules to be easily understood
> and written.

The current rules language was barely designed at all and is neither
easy to understand nor easy to write.  The underlying code is a mess,
and resistance to change is the only real reason I can see that it is
still around.

--
Todd Lewis
tlewis at ...255...

Q: How many marxists does it take to screw in a lightbulb?
A: None - the bulb contains the seeds of its own revolution. 
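As an added illustration (not code from this thread or from hank itself) of the arbitrarily nestable AND/OR/NOT combinators Todd describes, the following Python evaluates a rule in the XML shape shown above against a flat decoded-packet dict; the field names (`type`, `src`, `dsize`), the `&lt;` operator and the packet model are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed rule in the post's XML shape; field names and the "<" op are assumptions.
RULE_XML = """<rule>
   <report>ICMP echo or timestamp request, not from the gateway</report>
   <match>
      <AND>
         <OR>
            <PRIM proto="icmp" field="type" op="=">8</PRIM>
            <PRIM proto="icmp" field="type" op="=">13</PRIM>
         </OR>
         <NOT>
            <PRIM proto="ip" field="src" op="=">192.0.2.1</PRIM>
         </NOT>
         <PRIM proto="icmp" field="dsize" op="&lt;">16</PRIM>
      </AND>
   </match>
</rule>"""
def eval_prim(prim, pkt):
    # pkt is a flat dict keyed "proto.field" (assumed decoded-packet model).
    actual = pkt.get(f"{prim.get('proto')}.{prim.get('field')}")
    if actual is None:  # field not present in this packet: no match
        return False
    want, op = prim.text.strip(), prim.get("op")
    if op == "=":
        return str(actual) == want
    if op == "<":
        return int(actual) < int(want)
    raise ValueError(f"unsupported op {op!r}")
def eval_node(node, pkt):
    # Combinators recurse, so AND/OR/NOT nest to any depth.
    kids = list(node)
    if node.tag == "PRIM":
        return eval_prim(node, pkt)
    if node.tag == "AND":
        return all(eval_node(k, pkt) for k in kids)
    if node.tag == "OR":
        return any(eval_node(k, pkt) for k in kids)
    if node.tag == "NOT" and len(kids) == 1:
        return not eval_node(kids[0], pkt)
    raise ValueError(f"malformed <{node.tag}> with {len(kids)} children")
def match_rule(rule_xml, pkt):
    # Returns the <report> text on a match, None otherwise.
    rule = ET.fromstring(rule_xml)
    expr = rule.find("match")
    if expr is None or len(expr) != 1:
        raise ValueError("<match> must wrap exactly one expression")
    return rule.findtext("report") if eval_node(expr[0], pkt) else None
# Constructed packets: an empty echo request from a scanner, and one from the gateway.
SCAN_PING = {"ip.src": "198.51.100.7", "icmp.type": 8, "icmp.dsize": 0}
GW_PING = {"ip.src": "192.0.2.1", "icmp.type": 8, "icmp.dsize": 0}
```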
