[Snort-sigs] Signature Naming Convention

Warchild warchild at ...288...
Tue Apr 16 09:07:07 EDT 2002


On Tue, Apr 16, 2002 at 10:15:34AM -0500, Robert Wagner wrote:
> I was wondering if we could use a standard naming convention across the
> rules such that:
> "INFO MSN chat access" in the logs would prompt me to look at the info.rules
> if we want to change or disable the rule.  This rule is located in the
> policy.rules. Should it read: "POLICY MSN chat access"?  All of the
> policy.rules say INFO....
> 
> Any ideas?  Is it just me?

I totally agree.  Since I rely heavily on ACID for my interface into our
sensor, a standard naming convention for the rules makes analyzing the gobs
of alerts much easier.

Another thing to consider is rules that detect different variants of one
common attack -- x86 NOOP comes to mind.  If more than one rule has the same
name (actually, the same 'msg' field), this makes sorting/searching a bit
more complicated.  At the same time, do I really care that a particular
NOOP sled is one type vs the other?  It depends.

The closest thing we have to categorizing rules right now is the
'classification' field.  While it doesn't indicate what file it came from,
it does help do basic grouping of similar rule types.

Changing all of your own rules could be done in a handful of lines with
your scripting language of choice, but I agree -- it might be worthwhile to
make this change in the rules that are distributed w/ Snort.

for what it's worth,

-warchild
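One way to do the bulk rename the post mentions (msg prefix derived from the rules file name, so policy.rules gives "POLICY ...") together with a check for 'msg' values shared by several rules, as an added Python example that is not from the thread. The rule lines, sids and the default known_prefixes set are constructed assumptions, not Snort distribution text.

```python
import re
from collections import Counter

# Constructed sample rules (not real Snort distribution text): the policy.rules
# entries carry the 'INFO' prefix the thread complains about, and the
# shellcode entries reuse one msg for two NOOP-sled variants.
POLICY_RULES = '''\
# policy.rules (constructed)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"INFO AIM login"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
'''
SHELLCODE_RULES = '''\
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000003; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61|"; classtype:shellcode-detect; sid:1000004; rev:1;)
'''

MSG_RE = re.compile(r'msg:"([^"]*)"')

def prefix_for(filename):
    """Map a rules file path to its msg prefix: .../policy.rules -> 'POLICY'."""
    base = filename.rsplit('/', 1)[-1]
    return re.sub(r'\.rules$', '', base).upper()

def rename_msgs(rule_text, filename, known_prefixes=('INFO', 'POLICY')):
    """Rewrite each rule's msg so its first word is the prefix for `filename`.
    An existing leading word is dropped only if it is in known_prefixes (an
    assumed set), so a msg that happens to start in caps is not mangled."""
    prefix = prefix_for(filename)
    def fix(m):
        msg = m.group(1)
        head, _, tail = msg.partition(' ')
        if head in known_prefixes and tail:
            msg = tail
        return f'msg:"{prefix} {msg}"'
    lines = []
    for line in rule_text.splitlines():
        if line.lstrip().startswith('#'):   # leave comments untouched
            lines.append(line)
        else:
            lines.append(MSG_RE.sub(fix, line, count=1))
    return '\n'.join(lines) + '\n'

def duplicate_msgs(rule_texts):
    """Return msg strings used by more than one rule (the x86 NOOP case)."""
    counts = Counter()
    for text in rule_texts:
        for line in text.splitlines():
            m = MSG_RE.search(line)
            if m and not line.lstrip().startswith('#'):
                counts[m.group(1)] += 1
    return sorted(msg for msg, n in counts.items() if n > 1)
```

Running rename_msgs twice over the same file is a no-op, since the prefix it writes is itself in known_prefixes.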