[Snort-sigs] Signature Naming Convention
bmc at ...95...
Tue Apr 16 10:57:38 EDT 2002
According to Warchild:
> On Tue, Apr 16, 2002 at 10:15:34AM -0500, Robert Wagner wrote:
> > I was wondering if we could use a standard naming convention across the
> > rules such that:
> > "INFO MSN chat access" in the logs would prompt me to look at the info.rules
> > if we want to change or disable the rule. This rule is located in the
> > policy.rules. Should it read: "POLICY MSN chat access"? All of the
> > policy.rules say INFO....
> > Any ideas? Is it just me?
> I totally agree. Since I rely heavily on ACID for my interface into our
> sensor, a standard naming convention for the rules makes analyzing the gobs
> of alerts much easier.
> Another thing to consider is rules that detect different variants of one
> common attack -- x86 NOOP comes to mind. If more than one rule has the same
> name (actually, the same 'msg' field), this makes sorting and searching a bit
> more complicated. At the same time, do I really care that a particular
> NOOP sled is one type vs the other? It depends.
> The closest thing we have to categorizing rules right now is the
> 'classification' field. While it doesn't indicate what file it came from,
> it does help do basic grouping of similar rule types.
> Changing all of your own rules could be done in a handful of lines with
> your scripting language of choice, but I agree -- it might be worthwhile to
> make this change in the rules that are distributed w/ Snort.
Yes yes. Chris has sent me name space collisions, I just haven't got to
that yet. It's on my TODO list, and I'm actually working on it right
now that y'all reminded me.
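The "handful of lines in your scripting language of choice" mentioned above, written out as an added example that is not part of this thread or of the Snort distribution. It parses the 'msg' and 'sid' options out of rule lines, reports rules whose msg prefix does not match the file they live in (the "INFO ..." in policy.rules case), lists msg strings shared by more than one sid (the x86 NOOP case), and rewrites a prefix across a file. The two rule files and their sids are constructed sample data, not real distribution rules; the assumption that a file's category prefix is simply its basename upper-cased ("policy.rules" -> "POLICY") is the convention proposed in the thread, not something Snort enforces.

```python
import re
from collections import defaultdict

# Constructed sample rule files (filename -> rule text); sids are in the
# local range and are not real Snort distribution sids.
SAMPLE_RULES = {
    "policy.rules": """
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"INFO MSN chat access"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"POLICY AIM login"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
""",
    "shellcode.rules": """
# two variants of one attack sharing a single msg string
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:1000003; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61|"; classtype:shellcode-detect; sid:1000004; rev:1;)
""",
}

# msg value may contain escaped quotes, so match either a non-quote char or a backslash escape
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'sid:\s*(\d+)')


def expected_prefix(filename):
    """Assumed convention from the thread: 'policy.rules' -> 'POLICY'."""
    return filename.rsplit(".", 1)[0].upper()


def parse_rules(text):
    """Return [(sid, msg), ...] for every non-comment line carrying both options."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m, s = MSG_RE.search(line), SID_RE.search(line)
        if m and s:
            rules.append((int(s.group(1)), m.group(1)))
    return rules


def check_prefixes(rule_files):
    """List (filename, sid, msg, expected_prefix) for rules whose first msg word
    does not name the file they are in."""
    mismatches = []
    for fname, text in rule_files.items():
        exp = expected_prefix(fname)
        for sid, msg in parse_rules(text):
            if msg.split(" ", 1)[0] != exp:
                mismatches.append((fname, sid, msg, exp))
    return mismatches


def find_duplicate_msgs(rule_files):
    """Map msg -> [sid, ...] for msg strings used by more than one rule, across all files."""
    by_msg = defaultdict(list)
    for text in rule_files.values():
        for sid, msg in parse_rules(text):
            by_msg[msg].append(sid)
    return {msg: sids for msg, sids in by_msg.items() if len(sids) > 1}


def rename_prefix(rule_text, old, new):
    """Rewrite msg prefixes in one file's text: 'INFO foo' -> 'POLICY foo'.
    Only a whole first word is replaced, so 'INFORMIX ...' is left alone."""
    def sub(match):
        msg = match.group(1)
        if msg.split(" ", 1)[0] == old:
            msg = new + msg[len(old):]
        return 'msg:"%s"' % msg
    return MSG_RE.sub(sub, rule_text)


if __name__ == "__main__":
    for fname, sid, msg, exp in check_prefixes(SAMPLE_RULES):
        print("%s sid:%d msg:%r should start with %r" % (fname, sid, msg, exp))
    for msg, sids in find_duplicate_msgs(SAMPLE_RULES).items():
        print("msg %r shared by sids %s" % (msg, sids))
    print(rename_prefix(SAMPLE_RULES["policy.rules"], "INFO", "POLICY"))
```

Running this over a real rules directory is a matter of reading each *.rules file into the dictionary in place of SAMPLE_RULES. The duplicate report is deliberately informational rather than an error: as the thread notes, whether two NOOP-sled variants deserve distinct msg strings is a judgement call, and the sid already distinguishes them.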