[Snort-devel] DDL for snort rules in a DB

Mark Vevers mark at ...1209...
Wed Sep 25 12:23:12 EDT 2002

On Thursday 19 Sep 2002 17:50, Kreimendahl, Chad J  wrote:
> It's been mentioned a few times very recently, and so our company would
> like to contribute a bit of data structure to the snort project.
> We've been using this structure (with other tables), to generate rules
> files for our different sensors.  The header part of it all is fairly
> unsophisticated, and the rules parts should be sufficient.  We'd love to
> offer our services to make snort load its config from a DB.

I agree that a DB based config is a valuable addition to snort - and to that
end we have been working on a project to do just that - RuleMANager for Snort.
The web-site is a little out of date (rman.souceforge.net) - it will be
updated later this week when I release 0.0.5a - but it allows for management
of rules, rule groups, preprocessors and variables on multiple sensors with
an ACID style front end and stores all this in a MySQL backend as a set of
extension tables for the snort db structure.  If you or your company would
like to contribute and improve this project in any way we (the three RMAN
developers) would love to have your contribution.

The db-structure within RMAN contains pretty much everything you mentioned
in your post - although I have yet to add the 'policy' layer.  We are also
working on handling flexible-response/SnortSAM config in an intelligent way
- depending on time this should be available in the next month.

Should the snort developers choose to specify an official rule-set db backend
instead of the existing signature registration system (I would be more than
happy to modify RMAN to match) then a number of other problems will have to
be resolved - how to record pre-processor alerts which have no matching rule,
rules which changed or get deleted - the alert packet would no longer have a
valid reference to a rule.  Whilst not insurmountable, this will require
careful thought.


Mark Vevers.    mark at ...1121... / mark at ...1209...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
