[Snort-sigs] Signature Naming Convention

Brian bmc at ...95...
Tue Apr 16 10:57:38 EDT 2002


According to Warchild:
> On Tue, Apr 16, 2002 at 10:15:34AM -0500, Robert Wagner wrote:
> > I was wondering if we could use a standard naming convention across the
> > rules such that:
> > "INFO MSN chat access" in the logs would prompt me to look at the info.rules
> > if we want to change or disable the rule.  This rule is located in the
> > policy.rules. Should it read: "POLICY MSN chat access"?  All of the
> > policy.rules say INFO....
> > 
> > Any ideas?  Is it just me?
> 
> I totally agree.  Since I rely heavily on ACID for my interface into our
> sensor, a standard naming convention for the rules makes analyzing the gobs
> of alerts much easier.
> 
> Another thing to consider is rules that detect different variants of one
> common attack -- x86 NOOP comes to mind.  If more than one rule has the same
> name (actually, the same 'msg' field), this makes sorting and searching a bit
> more complicated.   At the same time, do I really care that a particular
> NOOP sled is one type vs the other?  It depends. 
> 
> The closest thing we have to categorizing rules right now is the
> 'classification' field.  While it doesn't indicate what file it came from,
> it does help do basic grouping of similar rule types.
> 
> Changing all of your own rules could be done in a handful of lines with
> your scripting language of choice, but I agree -- it might be worthwhile to
> make this change in the rules that are distributed w/ Snort.

Yes yes.  Chris has sent me name space collisions, I just haven't got to
that yet.  It's on my TODO list, and I'm actually working on it right
now that y'all reminded me.

-b
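An added example, not from this thread or from the Snort project, of the "handful of lines" approach discussed above: it flags rules whose msg prefix does not match the rules file they live in (the INFO vs. POLICY case) and msg strings shared by more than one rule (a name space collision), and rewrites one prefix. The rule lines, sids and file names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rule set: two policy.rules entries still carrying the
# "INFO" prefix, and two shellcode.rules entries that share one msg string.
SAMPLE_RULES = {
    "policy.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; '
        'flow:to_server,established; classtype:policy-violation; sid:540; rev:5;)\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"INFO AIM login"; '
        'flow:to_server,established; classtype:policy-violation; sid:541; rev:2;)\n'
    ),
    "shellcode.rules": (
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; '
        'content:"|90 90 90 90|"; classtype:shellcode-detect; sid:648; rev:3;)\n'
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; '
        'content:"|61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:1;)\n'
    ),
}

# One rule per line; pull out the msg text and the sid.
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass)\s.*\(.*msg:"(?P<msg>[^"]*)".*sid:(?P<sid>\d+)', re.M)


def parse_rules(text):
    """Return [(sid, msg), ...] for every rule line in a rules file."""
    return [(int(m.group("sid")), m.group("msg")) for m in RULE_RE.finditer(text)]


def expected_prefix(filename):
    """policy.rules -> "POLICY": the msg prefix a rule in that file should carry."""
    base = filename.rsplit("/", 1)[-1]
    return (base[:-len(".rules")] if base.endswith(".rules") else base).upper()


def check_naming(rule_files):
    """rule_files maps file name -> file text. Returns (sids whose msg prefix
    does not match their file, msg strings used by more than one rule)."""
    mismatched, counts = [], Counter()
    for filename, text in rule_files.items():
        want = expected_prefix(filename)
        for sid, msg in parse_rules(text):
            counts[msg] += 1
            if msg.split(" ", 1)[0] != want:
                mismatched.append(sid)
    return mismatched, sorted(msg for msg, n in counts.items() if n > 1)


def rename_prefix(text, old, new):
    """Rewrite msg:"OLD ..." to msg:"NEW ..." on every rule line; the rest of
    each rule (content, classtype, sid, rev) is left untouched."""
    return re.sub(r'(msg:")' + re.escape(old) + r'(?= )', lambda m: m.group(1) + new, text)
```

Running `check_naming(SAMPLE_RULES)` reports sids 540 and 541 as mis-prefixed and "SHELLCODE x86 NOOP" as a collision; after `rename_prefix(..., "INFO", "POLICY")` the policy file passes the prefix check, while the collision still needs a human decision on whether the variants deserve distinct names.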
