[Snort-devel] Re: New feature wanted - rules-order-dump

Martin Roesch roesch at ...402...
Tue May 27 07:29:01 EDT 2003


You can get this data dumped as a DEBUG mode in Snort, it's been in 
there for years.  I don't think the SIDs print out though, just the 
"rule number" which is the enumeration of each rule as it loads.  I'm 
not sure how relevant the data would be given the way that the 
detection engine works these days.  We currently run the data through 
the pattern matcher first and select the OTNs that can possibly fire, 
then test those OTNs in the order that they get linked into the list 
IIRC.


      -Marty


On Tuesday, May 27, 2003, at 08:50 AM, Martin Olsson wrote:

>
> It would be nice if there was a switch to snort that told it to dump an
> ASCII-representation of the rules order and chains. Maybe it could be a
> sub-option to the -T switch?
>
> It doesn't have to be very advanced. Just print a line with the RTN
> followed by a long list of all the sids in its chain, then the next RTN
> followed by its sids...
>
> Example:
> snort -c snort.conf -l /var/snort -T dump-rules-order
> ...blah...
> ...blah...
> 1195 Snort rules read...
> 1195 Option Chains linked into 127 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Rule application order: ->pass->activation->dynamic->alert->log->trapdb
> RTN: any any any any
>      108, 111, 2231, ..., ...
> RTN: any any any 80
>      1933, 109, ..., ...
> RTN: 10.0.0.0/8 any !10.0.0.0/8
>      1000001, 1000002, ...
> ...
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> ...blah...
> ...blah...
>
>
> /Martin Olsson
>
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
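As an added example, not code from this thread or from Snort itself: a small Python script that produces roughly the dump Martin Olsson sketched, but from a rules file rather than from Snort's loaded rule tree. It groups each rule's SID under a chain-header key (action, protocol, source, source port, direction, destination, destination port), which is the header tuple rules must share to be linked under one RTN, and orders the groups by rule action. Everything beyond that is an assumption of the example: the sample rules are constructed, the application order is hard-coded to the five Snort 2 rule actions (pass, activation, dynamic, alert, log) instead of being read from snort.conf, variables such as $HOME_NET are not expanded, and `<>` headers are not normalised. As Marty's reply notes, such a listing is the static link order only, not the order the engine actually evaluates, since the pattern matcher prefilters the OTNs first.

```python
"""Dump Snort 2 rules grouped by chain header (RTN), listing the SIDs
(option chains, OTNs) linked under each.

Added example, not code from Snort or from the thread. Assumptions: the
sample rules are constructed, the application order is hard-coded, and
neither snort.conf variables nor <> header normalisation are handled."""
import re
import sys
from collections import OrderedDict

# Assumed application order: the five Snort 2 rule actions, pass first as
# in the thread's sample output. Any other action sorts after these.
APPLICATION_ORDER = ["pass", "activation", "dynamic", "alert", "log"]

# Snort 2 rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# "sid:NNN;" at the start of the option list or after a ';'
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")

# Constructed sample rules for the example, not from any real ruleset.
SAMPLE_RULES = r"""
# two option chains sharing one header -> one RTN, two OTNs
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example A"; content:"/cgi-bin/"; sid:1933; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example B"; content:"GET"; sid:109; rev:1;)
alert ip any any -> any any (msg:"IP example"; sid:108; rev:1;)
alert ip any any -> any any (msg:"IP example, continued line"; \
    sid:111; rev:1;)
pass tcp 10.0.0.0/8 any -> !10.0.0.0/8 any (msg:"local pass"; sid:1000001; rev:1;)
log tcp 10.0.0.0/8 any -> !10.0.0.0/8 any (msg:"local log"; sid:1000002; rev:1;)
"""


def iter_rule_lines(text):
    """Yield logical rule lines: comments and blank lines dropped,
    backslash-continued lines joined the way Snort's rules parser does."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        yield line
    if pending:  # file ended on a dangling continuation
        yield pending


def parse_rule(line):
    """Return (rtn_key, sid) for a rule line, or None for non-rules.
    rtn_key is the header tuple that rules must share to reuse one RTN."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    sid_m = SID_RE.search(m.group("opts"))
    sid = int(sid_m.group(1)) if sid_m else None
    key = tuple(m.group(g) for g in
                ("action", "proto", "src", "sport", "dir", "dst", "dport"))
    return key, sid


def build_chains(text):
    """Map each RTN key to the SIDs linked under it, in file order, with
    the RTNs sorted by rule action per APPLICATION_ORDER (stable sort, so
    headers with the same action keep their first-appearance order)."""
    chains = OrderedDict()
    for line in iter_rule_lines(text):
        parsed = parse_rule(line)
        if parsed is not None:
            key, sid = parsed
            chains.setdefault(key, []).append(sid)

    def rank(item):
        action = item[0][0]
        if action in APPLICATION_ORDER:
            return APPLICATION_ORDER.index(action)
        return len(APPLICATION_ORDER)

    return OrderedDict(sorted(chains.items(), key=rank))


def format_dump(chains):
    """Render the ASCII dump in the shape proposed in the thread."""
    n_otn = sum(len(sids) for sids in chains.values())
    out = [
        f"{n_otn} Snort rules read...",
        f"{n_otn} Option Chains linked into {len(chains)} Chain Headers",
        "Rule application order: ->" + "->".join(APPLICATION_ORDER),
    ]
    for key, sids in chains.items():
        out.append("RTN: " + " ".join(key))
        out.append("     " + ", ".join(
            str(s) if s is not None else "(no sid)" for s in sids))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python rtn_dump.py [local.rules]; with no argument the
    # constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print(format_dump(build_chains(text)))
```

Run against the sample it prints one `RTN:` line per distinct header, pass rules first and log rules last, with the two `$HOME_NET 80` rules listed together under a single header. Rules without a `sid` option are still counted and shown as `(no sid)` so the "rules read" and "Option Chains" totals stay honest.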