[Snort-devel] Suggestion for unknown keywords
fknobbe at ...337...
Tue Jan 28 23:12:03 EST 2003
In light of the fact that the Snort Stable rules are outdated in CVS and
the tarball, and only the current rules are maintained well, I would like
to suggest the following:

Have Snort IGNORE unknown keywords in the Snort rules.

That way we could use the Snort 2.0 specific keywords like byte_test etc.
in the Snort rules for all versions. Older versions can ignore
unknown/unused keywords instead of bombing out.

The same could probably be true for unknown keywords in snort.conf.
Instead of exiting Snort, just have Snort ignore those
messed-up/unknown/unused keywords. It would be helpful if Snort were
more tolerant at parse time.

PS: I'm gonna take a look at Snort 1.9 shortly to see what it takes to
have it read Snort 2.0 rules.
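
The tolerant parsing proposed in the message above, sketched as an added example; it is not code from the post or from Snort. The keyword table, the `filter_options` helper and the sample rule body are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed keyword table for an "older" parser; constructed for this
 * example, not the actual table of any Snort release. */
static const char *known[] = { "msg", "content", "flow", "depth", "offset",
                               "nocase", "sid", "rev", "classtype", NULL };

static int is_known(const char *kw, size_t len) {
    for (int i = 0; known[i]; i++)
        if (strlen(known[i]) == len && !strncmp(known[i], kw, len)) return 1;
    return 0;
}

/* Copy a rule's option body ("msg:...; content:...;") into out, dropping
 * options whose keyword is unknown and warning about each one. Returns the
 * number dropped, or -1 if out is too small. A ';' inside double quotes or
 * after a backslash does not end an option. */
int filter_options(const char *opts, char *out, size_t outsz) {
    int dropped = 0, in_quote = 0;
    size_t used = 0;
    const char *start = opts;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (const char *p = opts; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* escaped character */
        if (*p == '"') in_quote = !in_quote;
        if (*p != ';' || in_quote) continue;
        while (start < p && isspace((unsigned char)*start)) start++;
        size_t kwlen = 0;
        while (start + kwlen < p && start[kwlen] != ':') kwlen++;
        size_t optlen = (size_t)(p - start) + 1;     /* keep the ';' */
        if (!is_known(start, kwlen)) {
            fprintf(stderr, "warning: ignoring '%.*s'\n", (int)kwlen, start);
            dropped++;
        } else {
            if (used + optlen + 2 > outsz) return -1;
            if (used) out[used++] = ' ';
            memcpy(out + used, start, optlen);
            used += optlen;
            out[used] = '\0';
        }
        start = p + 1;
    }
    return dropped;
}

/* Constructed sample rule body using byte_test, the keyword named above. */
const char *sample = "msg:\"constructed; example\"; content:\"|00 01|\"; "
                     "byte_test:4,>,1000,2; sid:1000001;";
```

Rule options are combined, so a rule that loses its `byte_test` matches on the remaining options alone and fires on more traffic than its author intended; returning the dropped count lets the caller log or reject such rules instead of loading them silently.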