[Snort-devel] Suggestion for unknown keywords

Frank Knobbe fknobbe at ...337...
Tue Jan 28 23:12:03 EST 2003


In light of the fact that the Snort Stable rules are outdated in CVS and
tarball, and only the current rules are maintained well, I would like
to suggest the following:

Have Snort IGNORE unknown keywords in the Snort rules.

That way we could use the Snort 2.0 specific keywords like byte_test etc.
in the Snort rules for all versions. Older versions can ignore
unknown/unused keywords instead of bombing out.

The same could probably be true for unknown keywords in snort.conf.
Instead of exiting Snort, just have Snort ignore those
messed-up/unknown/unused keywords. It would be helpful if Snort were
more tolerant at parse time.

Regards,
Frank

PS: I'm gonna take a look at Snort 1.9 shortly to see what it takes to
have it read Snort 2.0 rules.
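
The parse-time behaviour proposed in this message, as an added example (not Snort's code and not part of the original post): a rule-option walker with a strict mode that rejects the rule on an unknown keyword and a lenient mode that skips it. The keyword table, the sample rule and the names `parse_options` and `is_known` are assumptions made for illustration; lenient mode reports each skipped option because a rule loaded without its byte_test matches on fewer constraints than its author wrote.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset standing in for an older parser's keyword table. */
static const char *KNOWN[] = { "msg", "flow", "content", "sid", "rev", NULL };
/* Constructed sample rule body (the text between the parentheses). */
static const char *SAMPLE =
    "msg:\"constructed; example\"; flow:to_server,established; "
    "content:\"|00 01|\"; byte_test:4,>,1000,20,relative; sid:1000001; rev:1;";

static int is_known(const char *kw, size_t len) {
    for (int i = 0; KNOWN[i]; i++)
        if (strlen(KNOWN[i]) == len && strncmp(KNOWN[i], kw, len) == 0)
            return 1;
    return 0;
}

/* Split on ';' outside double quotes and look up each option keyword.
 * Returns unknown options skipped, or -1 in strict mode; *kept = accepted. */
int parse_options(const char *body, int strict, int *kept) {
    int skipped = 0, in_quote = 0;
    const char *start = body;
    *kept = 0;
    for (const char *p = body; ; p++) {
        if (*p == '\\' && in_quote && p[1]) { p++; continue; }
        if (*p == '"') in_quote = !in_quote;
        if (*p != '\0' && (*p != ';' || in_quote)) continue;
        while (start < p && isspace((unsigned char)*start)) start++;
        size_t len = 0;                  /* keyword ends at ':' or option end */
        while (start + len < p && start[len] != ':') len++;
        while (len && isspace((unsigned char)start[len - 1])) len--;
        if (len && is_known(start, len)) (*kept)++;
        else if (len && strict) return -1;
        else if (len) {
            skipped++;                   /* report it so the drop is visible */
            fprintf(stderr, "warning: ignoring option '%.*s'\n", (int)len, start);
        }
        if (*p == '\0') break;
        start = p + 1;
    }
    return skipped;
}

int main(void) {
    int kept, skipped = parse_options(SAMPLE, 0, &kept);
    printf("lenient: kept=%d skipped=%d\n", kept, skipped);
    printf("strict:  %d\n", parse_options(SAMPLE, 1, &kept));
    return 0;
}
```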

