[Snort-devel] DDL for snort rules in a DB

Mark Vevers mark at ...1209...
Wed Sep 25 12:23:10 EDT 2002


On Thursday 19 Sep 2002 17:50, Kreimendahl, Chad J wrote:

> It's been mentioned a few times very recently, and so our company would
> like to contribute a bit of data structure to the snort project.
> We've been using this structure (with other tables) to generate rules
> files for our different sensors. The header part of it all is fairly
> unsophisticated, and the rules parts should be sufficient. We'd love to
> offer our services to make snort load its config from a DB.
I agree that a DB based config is a valuable addition to snort, and to that
end we have been working on a project to do just that: RuleMANager for Snort.
The website is a little out of date (rman.sourceforge.net); it will be
updated later this week when I release 0.0.5a. It allows for management
of rules, rule groups, preprocessors and variables on multiple sensors with
an ACID style front end, and stores all this in a MySQL backend as a set of
extension tables for the snort db structure. If you or your company would
like to contribute and improve this project in any way, we (the three RMAN
developers) would love to have your contribution.

The db-structure within RMAN contains pretty much everything you mentioned in
your post, although I have yet to add the 'policy' layer. We are also
working on handling flexible-response/SnortSAM config in an intelligent way;
depending on time this should be available in the next month.

Should the snort developers choose to specify an official rule-set db backend
instead of the existing signature registration system (I would be more than
happy to modify RMAN to match), then a number of other problems will have to
be resolved: how to record pre-processor alerts which have no matching rule,
and rules which change or get deleted, since the alert packet would no longer
have a valid reference to a rule. Whilst not insurmountable, this will require
careful thought.


-- 
Mark Vevers.    mark at ...1121... / mark at ...1209...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
--
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C   C31E 58B5 3D1C B08F 3CA3
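One way to address the two problems raised above (alerts referencing a rule that has since changed or been deleted, and preprocessor alerts with no matching rule), shown as an added example and not RMAN's or Snort's own schema: rule revisions are append-only and alerts reference a specific revision, rules are retired rather than deleted, and preprocessor alerts carry a preprocessor name instead of a rule reference. Table and column names are assumptions for illustration.

```sql
-- Added example (constructed, not RMAN's schema): one row per rule identity,
-- never deleted; retirement is a timestamp so old alerts still resolve.
CREATE TABLE rule_def (
    rule_id     INT UNSIGNED NOT NULL AUTO_INCREMENT,
    sid         INT UNSIGNED NOT NULL,      -- Snort signature id (sid:)
    retired_at  DATETIME NULL,              -- soft delete; rows are kept
    PRIMARY KEY (rule_id),
    UNIQUE KEY (sid)
);

-- Every edit inserts a new revision; existing revisions are immutable, so an
-- alert can always be tied to the exact rule text that was deployed.
CREATE TABLE rule_rev (
    rev_id      INT UNSIGNED NOT NULL AUTO_INCREMENT,
    rule_id     INT UNSIGNED NOT NULL,
    rev         INT UNSIGNED NOT NULL,      -- mirrors the rule's rev: option
    rule_text   TEXT NOT NULL,              -- full rule line as written out
    created_at  DATETIME NOT NULL,
    PRIMARY KEY (rev_id),
    UNIQUE KEY (rule_id, rev),
    FOREIGN KEY (rule_id) REFERENCES rule_def(rule_id)
);

-- Alerts point at a revision, not at the mutable rule; preprocessor alerts
-- have no revision and instead name the preprocessor that raised them.
CREATE TABLE alert (
    alert_id    BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
    sensor_id   INT UNSIGNED NOT NULL,
    rev_id      INT UNSIGNED NULL,          -- NULL for preprocessor alerts
    preproc     VARCHAR(64) NULL,           -- set only when rev_id is NULL
    message     VARCHAR(255) NOT NULL,
    ts          DATETIME NOT NULL,
    PRIMARY KEY (alert_id),
    FOREIGN KEY (rev_id) REFERENCES rule_rev(rev_id),
    CHECK ((rev_id IS NULL) <> (preproc IS NULL))  -- exactly one source
);

-- The rule set to write out for a sensor: latest revision of each rule
-- that has not been retired.
CREATE VIEW current_rules AS
SELECT d.sid, r.rule_text
FROM rule_def d
JOIN rule_rev r ON r.rule_id = d.rule_id
WHERE d.retired_at IS NULL
  AND r.rev = (SELECT MAX(x.rev) FROM rule_rev x WHERE x.rule_id = d.rule_id);
```

Because rule_rev rows are never updated or deleted, the rev_id stored with an alert stays valid across rule edits and retirements; older MySQL versions parse but do not enforce the CHECK clause, so the application must keep that invariant there.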

