[Snort-devel] [PATCH]: Fix Snort references parsing

Yoann Vandoorselaere yoann.v at ...2801...
Fri Feb 17 07:37:01 EST 2006


On Fri, 2006-02-17 at 09:13 -0600, BOfH wrote:
> On  0, Yoann Vandoorselaere <yoann.v at ...2801...> scribed:
> > On Thu, 2006-02-16 at 17:41 -0500, Matthew Watchinski wrote:
> > > Just an FYI, the VRT rule merge and build system strips spaces after 
> > > "x:" by default, as this problem has occured with other keywords.  You 
> > > shouldn't ever see this issue in any of the VRT Certified rule packages.
> > 
> > Yes, the 'reference: ' issue was seen with bleeding snort rulesets. I'd
> > still suggest, however, that the spaces be stripped (as it is done for
> > some others Snort keywords), for sanity.
>  
> I'd rather see the rules themselves fixed.

Sure, but then for consistency reasons, spaces should probably not be
stripped out of the classtype value. You should get one or the other
behavior, but not both. 

This is a matter of opinion, and I leave it to Snort developers, but in
case where the decision is that space should not be stripped, I would
strongly suggest warning the user if such characters are found ahead of
these values.

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com





More information about the Snort-devel mailing list