[Snort-devel] New feature wanted - rules-order-dump

Martin Olsson elof at ...969...
Tue May 27 05:51:05 EDT 2003


It would be nice if there was a switch to snort that told it to dump an
ASCII-representation of the rules order and chains. Maybe it could be a
sub-option to the -T switch?

It doesn't have to be very advanced. Just print a line with the RTN
followed by a long list of all the sids in its chain, then the next RTN
followed by its sids...

Example:
snort -c snort.conf -l /var/snort -T dump-rules-order
...blah...
...blah...
1195 Snort rules read...
1195 Option Chains linked into 127 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->pass->activation->dynamic->alert->log->trapdb
RTN: any any any any
     108, 111, 2231, ..., ...
RTN: any any any 80
     1933, 109, ..., ...
RTN: 10.0.0.0/8 any !10.0.0.0/8
     1000001, 1000002, ...
...
+++++++++++++++++++++++++++++++++++++++++++++++++++
...blah...
...blah...


/Martin Olsson
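As an added illustration of what the requested dump would expose (this is example code written for this page, not Snort's own implementation or anything Martin posted): Snort groups rules with an identical header into one chain header (RTN) and hangs each rule's option block off it as an option chain, so a dump of RTN plus its sids is just a group-by on the header. The script below parses a constructed Snort 2 ruleset (all sids in it are hypothetical, in the local 1000000+ range), keys chain headers on action, protocol, addresses, ports and direction, and prints the count lines and the "RTN:" blocks in the shape the post sketches. It counts one option chain per rule it reads and does not attempt Snort's duplicate-rule handling or its action-based rule-list ordering.

```python
"""Group Snort 2 rule lines by header (action, proto, src, sport, dir, dst, dport).

Rules sharing a header form one chain header (RTN); each rule's option block is
one option chain (OTN) on that RTN. Added example for this page, not Snort code.
"""
import re
from collections import OrderedDict

# Matches: action proto src sport dir dst dport (options)
_RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample ruleset (hypothetical sids; not from any real rule pack).
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp any any -> any 80 (msg:"WEB example A"; content:"/foo"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB example B"; content:"/bar"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"SYN seen"; flags:S; sid:1000003; rev:1;)
alert udp 10.0.0.0/8 any -> !10.0.0.0/8 53 (msg:"outbound dns"; sid:1000004; rev:1;)
alert udp 10.0.0.0/8 any -> !10.0.0.0/8 53 (msg:"outbound dns 2"; content:"|00 01|"; sid:1000005; rev:1;)
log tcp any any -> any 80 (msg:"log web"; sid:1000006; rev:1;)
"""


def parse_rule(line):
    """Return (header_tuple, sid) for one rule line, or None for blanks,
    comments and lines that do not look like a Snort rule."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _RULE_RE.match(stripped)
    if not m:
        return None
    sid_m = _SID_RE.search(m.group("opts"))
    sid = int(sid_m.group(1)) if sid_m else None  # rules without a sid still count
    header = tuple(m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport"))
    return header, sid


def build_chain_headers(rules_text):
    """Return (rule_count, OrderedDict{header: [sid, ...]}).

    Insertion order is kept for both headers and sids so the dump reflects the
    order rules were read, which is what makes such a dump useful for checking
    which RTN a given sid ended up under."""
    chains = OrderedDict()
    count = 0
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        header, sid = parsed
        count += 1
        chains.setdefault(header, []).append(sid)
    return count, chains


def render(rule_count, chains):
    """Format the counts and one 'RTN:' block per chain header, listing its sids."""
    lines = [
        "%d Snort rules read..." % rule_count,
        # one option chain per rule read in this toy; Snort's own figure may differ
        "%d Option Chains linked into %d Chain Headers" % (rule_count, len(chains)),
        "+" * 51,
    ]
    for (action, proto, src, sport, direction, dst, dport), sids in chains.items():
        lines.append("RTN: %s %s %s %s %s %s %s" % (action, proto, src, sport, direction, dst, dport))
        lines.append("     " + ", ".join(str(s) for s in sids))
    lines.append("+" * 51)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*build_chain_headers(SAMPLE_RULES)))
```

Running the script prints four "RTN:" blocks for the six sample rules: the two HTTP alert rules share one chain header, the two outbound-DNS rules share another, and the `log` rule gets its own header even though its addresses and ports match the HTTP alert rules, because the action is part of the key.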