[Snort-devel] BNF Definitions
Roy S. Rapoport
snort-devel at ...2006...
Sun Jun 1 18:09:08 EDT 2003
I'm dealing with Sefan Dens' abstruse parsing code to parse Snort rules
into and out of a database and would like to start from scratch.
Rather than reverse-engineer what rules look like based on his code, I
obviously would rather go by what Snort says they should look like.
Ideally, I'd like to use a formal definition of Snort configuration
directives as a source so as to avoid faulty interpretation, rather than
interpret the manual. For example, there are obviously elements of a
rule config that actually go with a content definition (byte_test,
byte_jump, within, etc.), while others are non-content-specific and we
should see only one (or in some cases exactly one) element of such type.
For example, sid.

The best way I can think of to do this is to start with a formal BNF
definition of Snort rules. You know, something like:

    directive ::= <rule>|<include>|<var>|<config>|<ruletype>
    include ::= include:<multispace><filename>
    multispace ::= <space>[<multispace>]

Is there something like this documented? Or should I reverse-engineer
Snort source code?
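
Added example, not part of the original message and not Snort's own parser: a Python sketch of the two constraints the message describes, options that attach to a content definition and options that must appear exactly once. The modifier set, the exactly-once set, the simplified header grammar and the sample rule are assumptions made for illustration.

```python
import re

# Assumptions of this sketch, not a complete Snort grammar: options that
# attach to the preceding content, and options that must appear exactly once.
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "distance", "within"}
EXACTLY_ONCE = {"sid"}
# Constructed sample rule, used only to exercise the parser.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"constructed"; content:"GET"; '
               'nocase; content:"/admin"; within:20; sid:1000001; rev:1;)')

# rule ::= action proto src sport direction dst dport "(" options ")"
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S)
# option ::= name [":" value] ";"   (a value may contain quoted strings)
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')


def parse_rule(line):
    """Parse one rule into (header, options); modifiers nest under their content."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: bad header or missing option list")
    header = {k: v for k, v in m.groupdict().items() if k != "body"}
    body, pos = m.group("body"), 0
    options, counts, last_content = [], {}, None
    while body[pos:].strip():
        om = OPTION_RE.match(body, pos)
        if not om:
            raise ValueError("malformed option near %r" % body[pos:pos + 20])
        name, value = om.group(1), (om.group(2) or "").strip() or None
        pos = om.end()
        counts[name] = counts.get(name, 0) + 1
        if name in CONTENT_MODIFIERS:
            if last_content is None:
                raise ValueError("%s appears before any content option" % name)
            last_content["modifiers"].append((name, value))
            continue
        option = {"name": name, "value": value}
        if name == "content":
            option["modifiers"] = []
            last_content = option
        options.append(option)
    for name in sorted(EXACTLY_ONCE):
        if counts.get(name, 0) != 1:
            raise ValueError("%s must appear exactly once, found %d"
                             % (name, counts.get(name, 0)))
    return header, options
```

The nested structure maps directly onto a database layout with one row per content and child rows for its modifiers; address lists containing spaces are outside this sketch's header grammar.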