[Snort-devel] BNF Definitions

Roy S. Rapoport
Sun Jun 1 18:09:08 EDT 2003


Howdy ho, 

I'm dealing with Sefan Dens' abstruse parsing code to parse Snort rules
into and out of a database and would like to start from scratch.

Rather than reverse-engineer what rules look like based on his code, I
obviously would rather go by what Snort says they should look like.
Ideally, I'd like to use a formal definition of Snort configuration
directives as a source so as to avoid faulty interpretation, rather than
interpret the manual.  For example, there are obviously elements of a
rule config that actually go with a content definition (byte_test,
byte_jump, within, etc), while others are non-content-specific and we
should see only one (or in some cases exactly one) element of such type.
For example, sid.

The best way I can think of to do this is to start with a formal BNF
definition of Snort rules.  You know, something like:
directive  ::= <rule>|<include>|<var>|<config>|<ruletype>
include    ::= include:<multispace><filename>
multispace ::= <space>[<multispace>]
etc...

Is there something like this documented? Or should I reverse-engineer
Snort source code?

-roy
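As an added illustration of the distinction the message draws (this is my own example code, not from the thread and not Snort's parser): a small Python rule parser that attaches content-relative options such as byte_test, byte_jump and within to the preceding content, and enforces that rule-level options like sid occur at most once (sid: exactly once). The two keyword sets are assumptions chosen for the example, not a complete list from the Snort grammar.

```python
import re

# Assumption: illustrative keyword sets, not the full Snort option grammar.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "byte_test", "byte_jump"}
SINGLETON_OPTIONS = {"sid", "rev", "msg", "classtype", "priority"}

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):
    """Split 'k:v; k2; ...' on semicolons outside quotes and not escaped."""
    opts, buf, quoted, esc = [], [], False, False
    for ch in body:
        if esc:                      # keep the escaped char verbatim
            buf.append(ch); esc = False; continue
        if ch == "\\":
            buf.append(ch); esc = True; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def parse_rule(line):
    """Parse one Snort rule; raise ValueError on structural errors."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": {}, "contents": []}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":                      # opens a new content group
            rule["contents"].append({"pattern": val, "modifiers": {}})
        elif key in CONTENT_MODIFIERS:            # belongs to the last content
            if not rule["contents"]:
                raise ValueError("%s must follow a content option" % key)
            rule["contents"][-1]["modifiers"][key] = val
        else:                                     # rule-level option
            if key in SINGLETON_OPTIONS and key in rule["options"]:
                raise ValueError("duplicate option %s" % key)
            rule["options"][key] = val
    if "sid" not in rule["options"]:              # sid: exactly one
        raise ValueError("rule lacks a sid")
    return rule
```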