[Snort-devel] rules management tools

Martin Holste mcholste at ...2499...
Fri Apr 1 14:35:28 EDT 2011

MVC web GUI I think is a given.  What are the core features that the
community needs?  My rough draft:
 - All of the features PulledPork gives us (auto flowbit inclusion,
disable/enable, replace, etc.)
 - Per-sensor configuration variable management (if not already
implied by the above)
 - Search by msg, content, etc.
 - Interface to tag rules
 - Snort-parsable output so that sensors grab their rules from the
central web GUI like http://rules/compile_rules?sensor_id=1
 - Resolve and download all references to a local cache so when you
search, you also search the content of the references (so when I want
to find a rule that hunts Conficker, I find it even if it's not in the
rule name)

Those should all be trivial to implement.  Here are some tougher ones:
 - Rule similarity detector (maybe some sort of Levenshtein distance
calculation with other content matches)
 - Load calculator given a static "test" pcap derived from local
traffic at a point in time
 - Offline alerter (similar to above, but instead of load calculation
on a constant pcap, takes a pcap upload, runs it against arbitrary
rules, returns alerts generated)

On Thu, Mar 31, 2011 at 11:32 AM, Nigel Houghton
<nhoughton at ...402...> wrote:
> On Thu, 31 Mar 2011 13:05:23 -0300, CleBeer wrote:
>> I'm thinking of something like BASE with a web UI; this way we don't
>> create a dependence on desktop OSes.
>> Another idea is to port the ruleset to a database and make some script
>> that creates the ruleset files by reading the database.
>> What do you guys think about it?
> This aligns somewhat with our new rule management system that is
> currently in development. That is, we manage the rules in a database
> and produce the individual rule files from queries to the database. We
> are incorporating many other things to go along with the system
> (everything that revolves around rule creation, testing, sid
> assignment, revision increments, rule deletions, modifications,
> cross-referencing, other internal processes etc...) which unfortunately
> makes our schema rather large and considerably more complex than a tool
> like you are suggesting would require. Having said that, for simple
> rule maintenance tasks a database schema should be relatively simple to
> create.
> Using a database would certainly make the creation of a GUI easier to
> accomplish, and for cross-platform purposes the web UI would more than
> likely be the best choice. (I would write it in Perl, but Python would
> be good too)
> It would also require the creation of a tool to import the data into
> the database after using something like Pulled Pork to download. The
> best thing to do would be to create a patch for Pulled Pork to do this
> work once the schema is written, that way there is one tool to download
> the rules and put them into the storage area for management purposes.
> I'm sure JJ would welcome the addition of this feature to Pulled Pork.
> The functionality to edit Pulled Pork configuration within the rule
> management tool would also prove useful to many as well. :D
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
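The "rule similarity detector" Martin sketches above, worked through as an added example that is not code from this thread, from PulledPork or from the VRT system Nigel describes: it pulls the msg and content options out of each rule, concatenates the content matches, and flags rule pairs whose Levenshtein distance over those matches is small. The three rules and their SIDs are constructed for the example.

```python
import re

# Constructed sample rules for this example (not real ruleset entries);
# the second is a near-duplicate of the first with one extra content match.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"WORM example probe"; flow:to_server,established; content:"|00 00 00 54 ff 53 4d 42|"; depth:8; classtype:trojan-activity; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"WORM example probe variant"; flow:to_server,established; content:"|00 00 00 54 ff 53 4d 42|"; depth:8; content:"NTLMSSP"; classtype:trojan-activity; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP example user-agent"; flow:to_server,established; content:"User-Agent|3a| Example"; http_header; classtype:policy-violation; sid:9000003; rev:2;)',
]

# Matches quoted rule options such as msg:"..." and content:"..." (handles \" escapes).
OPTION_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

def parse_rule(rule):
    """Return (sid, msg, [content strings]) for one single-line Snort rule."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    sid = re.search(r'\bsid:(\d+);', body).group(1)
    msg, contents = '', []
    for name, value in OPTION_RE.findall(body):
        if name == 'msg':
            msg = value
        elif name == 'content':
            contents.append(value)
    return sid, msg, contents

def levenshtein(a, b):
    """Standard dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(rule_a, rule_b):
    """Similarity in [0, 1] over the concatenated content matches of two rules."""
    sa = '|'.join(parse_rule(rule_a)[2])
    sb = '|'.join(parse_rule(rule_b)[2])
    if not sa and not sb:
        return 1.0
    return 1 - levenshtein(sa, sb) / max(len(sa), len(sb))

def find_similar(rules, threshold=0.6):
    """Return (sid_a, sid_b, score) for every pair scoring at or above threshold."""
    pairs = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            score = similarity(rules[i], rules[j])
            if score >= threshold:
                pairs.append((parse_rule(rules[i])[0], parse_rule(rules[j])[0], round(score, 3)))
    return pairs

if __name__ == '__main__':
    for sid_a, sid_b, score in find_similar(SAMPLE_RULES):
        print(f'sid {sid_a} ~ sid {sid_b}: content similarity {score}')
```

Comparing only content matches (rather than whole rule text) keeps msg wording, SIDs and revision numbers from masking rules that inspect the same bytes; a tagging UI could surface these pairs for review.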
