[Snort-devel] rules management tools
nhoughton at ...402...
Thu Mar 31 12:32:00 EDT 2011
On Thu, 31 Mar 2011 13:05:23 -0300, CleBeer wrote:
> I'm thinking of something like base with a web UI; this way we don't
> create a dependency on desktop OSes.
> Another idea is to port the ruleset to a database and write a script
> that creates the ruleset files by reading the database.
> What do you guys think about it?
This aligns somewhat with our new rule management system that is
currently in development. That is, we manage the rules in a database
and produce the individual rule files from queries to the database. We
are incorporating many other things to go along with the system
(everything that revolves around rule creation, testing, sid
assignment, revision increments, rule deletions, modifications,
cross-referencing, other internal processes etc...) which unfortunately
makes our schema rather large and considerably more complex than a tool
like you are suggesting would require. Having said that, for simple
rule maintenance tasks a database schema should be relatively simple to
Using a database would certainly make the creation of a GUI easier to
accomplish, and for cross-platform purposes the web UI would more than
likely be the best choice. (I would write it in Perl, but Python would
be good too)
It would also require the creation of a tool to import the data into
the database after using something like Pulled Pork to download. The
best thing to do would be to create a patch for Pulled Pork to do this
work once the schema is written, that way there is one tool to download
the rules and put them into the storage area for management purposes.
I'm sure JJ would welcome the addition of this feature to Pulled Pork.
The functionality to edit Pulled Pork configuration within the rule
management tool would also prove useful to many as well. :D
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
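The database-backed workflow described above (rules kept in a database, the individual rule files produced from queries, and an import step after a ruleset download), as an added example in Python that is not code from the original post, from Pulled Pork, or from the VRT's rule management system. The SQLite schema, the function names and the sample rules are my own assumptions and are constructed for this example; the import step keeps the stored copy of a sid unless the incoming revision is newer, which is the edge case an update tool has to get right so a local edit is not silently overwritten by a stale copy.

```python
import re
import sqlite3

# Constructed sample ruleset (not from any real ruleset); the second rule is
# commented out, as a downloaded ruleset often disables rules by default.
SAMPLE_RULES = """\
# a plain comment line is ignored by the importer
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:2; classtype:attempted-recon;)
# alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner"; content:"SSH-"; sid:1000003; rev:1;)
"""

# One rule per line; backslash-continued multi-line rules are not handled here.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+'
    r'(?P<header>[^(]+)\((?P<options>.*)\)\s*$'
)
# key:value; pairs inside the option block (quoted values may contain ';').
OPT_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

SCHEMA = """
CREATE TABLE IF NOT EXISTS rules (
    sid     INTEGER PRIMARY KEY,
    rev     INTEGER NOT NULL,
    action  TEXT    NOT NULL,
    msg     TEXT    NOT NULL,
    enabled INTEGER NOT NULL DEFAULT 1,
    rule    TEXT    NOT NULL
);
"""


def parse_rule(line):
    """Return a dict for one rule line, or None for comments / non-rules."""
    stripped = line.strip()
    m = RULE_RE.match(stripped)
    if m is None:
        return None
    opts = {}
    for key, val in OPT_RE.findall(m.group("options")):
        opts.setdefault(key, val.strip('"'))  # first occurrence wins
    if "sid" not in opts:
        return None  # a rule without a sid cannot be tracked
    disabled = m.group("disabled") is not None
    raw = stripped[m.end("disabled"):] if disabled else stripped
    return {
        "sid": int(opts["sid"]),
        "rev": int(opts.get("rev", "1")),
        "action": m.group("action"),
        "msg": opts.get("msg", ""),
        "enabled": not disabled,
        "rule": raw,
    }


def open_db(path=":memory:"):
    """Open (or create) the rule database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def import_rules(conn, text):
    """Import rule text; a sid already stored is only replaced by a newer rev.
    Returns the number of rows inserted or updated."""
    count = 0
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        row = conn.execute("SELECT rev FROM rules WHERE sid = ?", (r["sid"],)).fetchone()
        if row is not None and row[0] >= r["rev"]:
            continue  # stored copy is the same or newer; keep local state
        conn.execute(
            "INSERT OR REPLACE INTO rules (sid, rev, action, msg, enabled, rule) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (r["sid"], r["rev"], r["action"], r["msg"], int(r["enabled"]), r["rule"]),
        )
        count += 1
    conn.commit()
    return count


def set_enabled(conn, sid, enabled):
    """Flip a rule on or off in the database (what a management UI would do)."""
    conn.execute("UPDATE rules SET enabled = ? WHERE sid = ?", (int(enabled), sid))
    conn.commit()


def generate_rule_file(conn, include_disabled=True):
    """Render the stored rules as a .rules file, ordered by sid; disabled rules
    are written commented out so the generated file remains a full record."""
    lines = []
    for sid, enabled, rule in conn.execute("SELECT sid, enabled, rule FROM rules ORDER BY sid"):
        if enabled:
            lines.append(rule)
        elif include_disabled:
            lines.append("# " + rule)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    db = open_db()
    print("imported:", import_rules(db, SAMPLE_RULES))
    set_enabled(db, 1000002, True)  # enable the rule the download shipped disabled
    print(generate_rule_file(db), end="")
```

Running the block imports the three constructed rules, enables sid 1000002 from the database side, and prints a regenerated rules file; re-running the import with the same or an older rev leaves the stored rows untouched, while a higher rev replaces them.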