[Snort-devel] Suggestion for unknown keywords
fknobbe at ...337...
Wed Jan 29 00:17:03 EST 2003
hmpf.... according to source, Snort IS tolerant and only issues a
warning when it encounters an unknown option in a rule.
So, that means that we should be able to use Snort 2.0 rules (with any
new keywords) on version 1.9, correct?
On Wed, 2003-01-29 at 01:02, Frank Knobbe wrote:
> In light of the fact that the Snort Stable rules are outdated in CVS and
> tarball, and only the current rules are maintained well, I would like
> to suggest the following:
> Have Snort IGNORE unknown keywords in the Snort rules.
> That way we could use the Snort 2.0 specific keywords like byte_test etc.
> in the Snort rules for all versions. Older versions can ignore
> unknown/unused keywords instead of bombing out.
> The same could probably be true for unknown keywords in snort.conf.
> Instead of exiting Snort, just have Snort ignore those
> messed-up/unknown/unused keywords. It would be helpful if Snort were
> more tolerant at parse time.
> PS: I'm gonna take a look at Snort 1.9 shortly to see what it takes to
> have it read Snort 2.0 rules.
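An added example, not part of the original thread and not Snort's own code: a toy option parser showing what a "warn and ignore" policy does to detection when an older parser meets a rule that uses byte_test. The keyword sets, the rule, the payloads and the simplified byte_test (big-endian, absolute offset) are all constructed assumptions.

```python
import operator

# Constructed keyword sets (assumption): a tiny subset, not Snort's real option tables.
KNOWN_OLD = {"msg", "content", "sid", "rev"}
KNOWN_NEW = KNOWN_OLD | {"byte_test"}
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}

# Constructed rule and payloads for illustration only.
RULE = ('alert tcp any any -> any 9999 (msg:"constructed length check"; '
        'content:"LEN"; byte_test:2,>,1024,3; sid:1000001; rev:1;)')
SMALL = b"LEN\x00\x10"   # 2-byte field at offset 3 = 16
LARGE = b"LEN\x08\x00"   # 2-byte field at offset 3 = 2048

def parse_options(rule, known, strict):
    """Return (kept, skipped) options; naive ';' split, no escape handling."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    kept, skipped = [], []
    for opt in (o.strip() for o in body.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key = key.strip()
        if key in known:
            kept.append((key, val.strip().strip('"')))
        elif strict:
            raise ValueError(f"unknown rule option: {key}")
        else:
            skipped.append(key)  # tolerant mode: the caller should log a warning
    return kept, skipped

def matches(options, payload):
    """Every kept option must hold for the rule to fire."""
    for key, val in options:
        if key == "content" and val.encode() not in payload:
            return False
        if key == "byte_test":
            n, op, value, offset = (f.strip() for f in val.split(","))
            field = payload[int(offset):int(offset) + int(n)]
            if len(field) < int(n) or not OPS[op](int.from_bytes(field, "big"), int(value)):
                return False
    return True

def alerts(known, strict=False):
    """Parse RULE with the given keyword set and test both sample payloads."""
    kept, skipped = parse_options(RULE, known, strict)
    return {"skipped": skipped, "small": matches(kept, SMALL), "large": matches(kept, LARGE)}

if __name__ == "__main__":
    print("new parser:          ", alerts(KNOWN_NEW))
    print("old parser, tolerant:", alerts(KNOWN_OLD))
```

With the tolerant old parser the rule still loads, but without its length constraint it also fires on the small payload, so skipped keywords are worth surfacing per rule rather than only as a parse-time warning.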