[Snort-devel] Suggestion for unknown keywords

Frank Knobbe fknobbe at ...337...
Wed Jan 29 00:17:03 EST 2003


hmpf.... according to source, Snort IS tolerant and only issues a
warning when it encounters an unknown option in a rule.

So, that means that we should be able to use Snort 2.0 rules (with any
new keywords) on version 1.9, correct?


Frank


On Wed, 2003-01-29 at 01:02, Frank Knobbe wrote:
> In light of the fact that the Snort Stable rules are outdated in CVS and
> tarball, and only the current rules are maintained well, I would like
> to suggest the following:
> 
> Have Snort IGNORE unknown keywords in the Snort rules.
> 
> That way we could use the Snort 2.0 specific keywords like byte_test etc.
> in the Snort rules for all versions. Older versions can ignore
> unknown/unused keywords instead of bombing out.
> 
> The same could probably be true for unknown keywords in snort.conf.
> Instead of exiting Snort, just have Snort ignore those
> messed-up/unknown/unused keywords. It would be helpful if Snort were
> more tolerant at parse time.
> 
> Regards,
> Frank
> 
> PS: I'm gonna take a look at Snort 1.9 shortly to see what it takes to
> have it read Snort 2.0 rules.
> 
> 
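
A sketch of the tolerant parse-time behaviour discussed in this thread, added here as an example and not taken from Snort's source or from the post: unknown rule options are reported and skipped instead of aborting the load. The keyword set, the function names and the sample rule are assumptions constructed for illustration.

```python
# Assumed, partial keyword set standing in for "what the older engine knows".
# Constructed for this example; not an authoritative list for any Snort release.
KNOWN_KEYWORDS = {"msg", "content", "flags", "offset", "depth", "nocase",
                  "classtype", "reference", "sid", "rev"}


def split_options(rule):
    """Return [(keyword, value)] from the parenthesised option block of a rule."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("rule has no option block")
    options, buf = [], []
    in_quotes = escaped = False
    for ch in rule[start + 1:end]:
        # ';' ends an option unless it is quoted or preceded by a backslash
        if ch == ";" and not (in_quotes or escaped):
            options.append("".join(buf))
            buf = []
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = (ch == "\\" and not escaped)
        buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in option block")
    options.append("".join(buf))  # text after the last ';', usually empty
    parsed = []
    for opt in options:
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            parsed.append((key.strip().lower(), value.strip()))
    return parsed


def load_tolerant(rule, known=KNOWN_KEYWORDS):
    """Keep known options and collect unknown keywords; never abort the load."""
    kept, skipped = [], []
    for key, value in split_options(rule):
        (kept if key in known else skipped).append((key, value))
    return kept, [key for key, _ in skipped]


# Constructed sample rule using byte_test, the 2.0 keyword named in the thread.
SAMPLE = ('alert tcp any any -> any 111 (msg:"constructed\\; sample"; '
          'content:"|00 01 86 A5|"; byte_test:4,>,1000,0,relative; '
          'sid:1000001; rev:1;)')

if __name__ == "__main__":
    kept, skipped = load_tolerant(SAMPLE)
    for key in skipped:
        print(f"warning: unknown keyword '{key}' ignored")
    print("options still enforced:", [k for k, _ in kept])
```

An option that is skipped is not evaluated, so a rule loaded this way matches on the remaining options only.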