[Snort-devel] rules management tools

Nigel Houghton nhoughton at ...402...
Thu Mar 31 12:32:00 EDT 2011


On Thu, 31 Mar 2011 13:05:23 -0300, CleBeer wrote:
> I thinking in some thing like base with a web ui, this way we don't 
> create a dependence of desktop OSes.
> Other idea is port the ruleset to a database and make some script 
> that create de ruleset files reading the database.
> what you guys think about it?

This aligns somewhat with our new rule management system that is 
currently in development. That is, we manage the rules in a database 
and produce the individual rule files from queries to the database. We 
are incorporating many other things to go along with the system 
(everything that revolves around rule creation, testing, sid 
assignment, revision increments, rule deletions, modifications, 
cross-referencing, other internal processes etc...) which unfortunately 
makes our schema rather large and considerably more complex than a tool 
like you are suggesting would require. Having said that, for simple 
rule maintenance tasks a database schema should be relatively simple to 
create.

Using a database would certainly make the creation of a GUI easier to 
accomplish, and for cross-platform purposes the web UI would more than 
likely be the best choice. (I would write it in Perl, but Python would 
be good too)

It would also require the creation of a tool to import the data into 
the database after using something like Pulled Pork to download. The 
best thing to do would be to create a patch for Pulled Pork to do this 
work once the schema is written, that way there is one tool to download 
the rules and put them into the storage area for management purposes. 
I'm sure JJ would welcome the addition of this feature to Pulled Pork. 
The functionality to edit Pulled Pork configuration within the rule 
management tool would also prove useful to many as well. :D

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/




More information about the Snort-devel mailing list