[Snort-devel] rules management tools

beenph beenph at ...2499...
Thu Mar 31 12:30:59 EDT 2011


I think a database schema for rules is one of the best options.
The UI you use to manage them or the console tools developed
afterward to extract certain configuration become pretty much
a user choice.

Importing rules and managing revisions over time is also important,
for history keeping.

Since in the life of your sensor you could have events that triggered
on sid: X rev: 1,2,3,4,etc..

Maybe a public way to manage rules could be brewed. And this also
includes multiple rule sources like (VRT rules, ET rules and whatever
rules).

There are a few reasons why this should be the obvious option. And
especially in a multiple sensor deployment.

Hand managing rules for multiple sensors can become quite a mess rapidly.

But beside rule management, configuration management is also an
important aspect for managing sensors.

But from there it would greatly depend on how you intend to build such
schema and guidelines for rule management.

Some options could be good for some deployments and useless for others.

I think that if you plan to build something it should be syntax-abstract
unless you're ready to hit a wall when the syntax changes.

I think the main key for rule management is

Rule scope : (origin)
Rule Signature id : sid
Rule Category : [Probable]
Rule Priority: [Probable]
Rule revision : rev

From there you could abstract configuration based on sensors in another table.
You could also want to use category and priority, but since they might
be left to interpretation, unless you make your schema flexible enough for
unresolved category/priority (in the possible case that it happens).
It also automatically adds category/priority to another table that is part
of the schema; this could also help you manage rules in bulk, but I guess
you would need to be careful if you lean toward that way not to end up having
5 categories for the actually same literal, ex: WEB_recon, WEB-recon,
WEBRecon, WEBReconnaissance, etc...

So I think a pre-filtering by a human for unresolved "category" and
priority could also be something interesting.

Also if you end up transforming some rules for your need you might
want to keep track of those changes by a history table and thus you
can automatically, or be able to have a human, accept the previously
changed attributes if a new revision of a rule comes out in a package.
(For example $HOME_NET with $WHATEVER_NET in a particular sensor case,
or port X to port Y or even custom priority, category).

And you would probably want to keep track of threshold, suppress.

Hopefully this can give some ideas...


-elz
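As an added example (not code from this post, from the Snort project or from any of the tools mentioned in the thread), here is a small SQLite model in Python of the keys listed above: rules keyed on (origin, sid, rev), classtype spellings folded onto one normalised category, category/priority left NULL for a human to fill in when a rule does not carry them, and a per-sensor override history whose entries come back up for acceptance when a package ships a bumped rev of the same sid. The rule text, package contents, sensor name and function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample packages (not real VRT/ET rules): one category spelled three
# ways, one rule with no classtype/priority, and a rev bump on sid 1000001.
VRT_PACKAGE_V1 = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; '
    'classtype:WEB_recon; priority:2; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh probe"; sid:1000002; rev:1;)',
]
VRT_PACKAGE_V2 = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; '
    'classtype:WEB-recon; priority:2; sid:1000001; rev:2;)',
    VRT_PACKAGE_V1[1],
]
ET_PACKAGE = ['alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"proxy probe"; '
              'classtype:WEBRecon; priority:3; sid:2000001; rev:1;)']

SCHEMA = """
CREATE TABLE rule (origin TEXT NOT NULL, sid INTEGER NOT NULL, rev INTEGER NOT NULL,
    category TEXT, priority INTEGER,    -- NULL = unresolved, left for a human to tag
    raw TEXT NOT NULL, PRIMARY KEY (origin, sid, rev));
CREATE TABLE sensor_override (          -- history of per-sensor local changes
    sensor TEXT NOT NULL, origin TEXT NOT NULL, sid INTEGER NOT NULL,
    rev INTEGER NOT NULL,               -- revision the change was made against
    field TEXT NOT NULL, old_value TEXT NOT NULL, new_value TEXT NOT NULL,
    accepted_for_rev INTEGER);          -- set when a human re-accepts it for a newer rev
"""
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")

def parse_rule(text):
    """Extract the schema keys from one rule line (escaped ';' in msg not handled)."""
    body = re.search(r"\((.*)\)\s*$", text)
    if body is None:
        raise ValueError("not a rule: %r" % text)
    opts = dict(OPTION_RE.findall(body.group(1)))
    if "sid" not in opts or "rev" not in opts:
        raise ValueError("rule lacks sid/rev: %r" % text)
    return {"sid": int(opts["sid"]), "rev": int(opts["rev"]), "raw": text,
            "category": opts.get("classtype"),
            "priority": int(opts["priority"]) if "priority" in opts else None}

def normalize_category(name):
    """Fold spelling variants (WEB_recon, WEB-recon, WEBRecon) onto one key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def import_rules(conn, origin, lines):
    """Load a package; returns how many (origin, sid, rev) triples were new."""
    added = 0
    for line in lines:
        r = parse_rule(line)
        cat = normalize_category(r["category"]) if r["category"] else None
        cur = conn.execute("INSERT OR IGNORE INTO rule VALUES (?,?,?,?,?,?)",
                           (origin, r["sid"], r["rev"], cat, r["priority"], r["raw"]))
        added += cur.rowcount          # 0 when the triple was already there
    conn.commit()
    return added

def unresolved(conn):
    """Rules a human still has to tag: category or priority unknown."""
    return conn.execute("SELECT origin, sid, rev FROM rule WHERE category IS NULL "
                        "OR priority IS NULL ORDER BY origin, sid, rev").fetchall()

def record_override(conn, sensor, origin, sid, rev, field, old, new):
    conn.execute("INSERT INTO sensor_override VALUES (?,?,?,?,?,?,?,NULL)",
                 (sensor, origin, sid, rev, field, old, new))
    conn.commit()

def latest_rev(conn, origin, sid):
    return conn.execute("SELECT MAX(rev) FROM rule WHERE origin=? AND sid=?",
                        (origin, sid)).fetchone()[0]

def overrides_to_review(conn, origin, sid):
    """Overrides made against an older rev and not yet re-accepted for the newest."""
    latest = latest_rev(conn, origin, sid)
    if latest is None:
        return []
    return conn.execute(
        "SELECT sensor, rev, field, old_value, new_value FROM sensor_override "
        "WHERE origin=? AND sid=? AND rev<? AND (accepted_for_rev IS NULL "
        "OR accepted_for_rev<?)", (origin, sid, latest, latest)).fetchall()

def accept_override(conn, sensor, origin, sid, field):
    conn.execute("UPDATE sensor_override SET accepted_for_rev=? WHERE sensor=? AND "
                 "origin=? AND sid=? AND field=?",
                 (latest_rev(conn, origin, sid), sensor, origin, sid, field))
    conn.commit()

def demo():
    """Import, local change, rev bump, review queue, acceptance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    out = {"added_v1": import_rules(conn, "vrt", VRT_PACKAGE_V1),
           "readded_v1": import_rules(conn, "vrt", VRT_PACKAGE_V1)}
    record_override(conn, "dmz-sensor", "vrt", 1000001, 1, "HOME_NET", "$HOME_NET", "$DMZ_NET")
    out["added_v2"] = import_rules(conn, "vrt", VRT_PACKAGE_V2)
    out["added_et"] = import_rules(conn, "et", ET_PACKAGE)
    out["unresolved"] = unresolved(conn)
    out["to_review"] = overrides_to_review(conn, "vrt", 1000001)
    accept_override(conn, "dmz-sensor", "vrt", 1000001, "HOME_NET")
    out["after_accept"] = overrides_to_review(conn, "vrt", 1000001)
    return out
```

Running `demo()` imports the first package (2 new triples), re-imports it (0 new), logs a $HOME_NET change on one sensor, then imports a package where sid 1000001 moved to rev 2 (1 new triple); the sensor's override shows up in the review queue until it is accepted for rev 2, and the rule shipped without classtype/priority stays in the unresolved list for a human to tag. Note that normalisation only catches spelling variants of the same word (WEB_recon, WEB-recon, WEBRecon); WEBReconnaissance would still need the human pre-filtering the post suggests.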











On Thu, Mar 31, 2011 at 12:05 PM, CleBeer <clebeer at ...2499...> wrote:
> I'm thinking of something like base with a web UI, this way we don't create a
> dependence on desktop OSes.
> Other idea is to port the ruleset to a database and make some script that
> creates the ruleset files reading the database.
> What do you guys think about it?
>
>
> cheers
>
> On Thu, Mar 31, 2011 at 12:47 PM, Nigel Houghton <nhoughton at ...402...>
> wrote:
>>
>> On Thu, 31 Mar 2011 11:28:59 -0400, Joel Esler wrote:
>> > Tell us what your tool will do differently than the ones out now?
>> >
>> > I love to see innovation with products around Snort.
>> >
>> > --
>> > Sent from my iPhone
>> > Forgive my misspellings and briefness
>> >
>> > On Mar 31, 2011, at 9:52 AM, Pat John <t0p1001 at ...1389...> wrote:
>> >
>> >> Hi all:
>> >> I am planning to develop a tool that could make it easier to manage
>> >> rules,
>> >> anyone interested?
>>
>> Given the tools available at the moment, if I were to produce something
>> around the tasks associated with rule management, I think I might
>> concentrate on a graphical front end for one of the cli tools.
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT Department of Intelligence Excellence
>> http://vrt-blog.snort.org/ && http://labs.snort.org/
>>
>>
>> ------------------------------------------------------------------------------
>> Create and publish websites with WebMatrix
>> Use the most popular FREE web apps or write code yourself;
>> WebMatrix provides all the features you need to develop and
>> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
>
> --
> -----------------------------
> Cleber S. Brandão
> Mob. +55 011 9333-9429
>
> clebeerpub.blogspot.com
> www.snort.org.br
>   ,, _
>  o"    )~
>    '' ''
> http://www.linkedin.com/in/clebeer
> -----------------------------------
>
>
>



