[Snort-users] Detailed Rule Syntax

Martin Roesch roesch at ...421...
Fri Mar 2 02:01:49 EST 2001


Sounds great, I'd love to see it!

    -Marty

Rovert John F DLVA wrote:
> 
> Marty
> 
>  I am just starting to "code" the rules grammar into
>  (E)BNF; maybe this will help.
> 
>  If you like I will send a copy of this to the list
>  once I have made a bit more headway into this.
> 
>  Have to take the tests for the GCIH this week ;)
> 
> John
> 
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...421...]
> Sent: Wednesday, February 28, 2001 12:27 AM
> To: cjclark at ...485...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Detailed Rule Syntax
> 
> Ok, the docs need to be updated (maintained) to reflect reality a bit
> more.  Please be aware that in addition to writing a lot of the source
> code, I've written much (most?) of the documentation and there are holes
> and gaps.  Most of Snort is developed between the hours of 11PM and 3AM,
> so sometimes I don't do as good a job as I'd like.  I'm always willing
> to accept donations of other people's efforts, of course. :)
> 
> Anyway, short of the source code there is no other more detailed source
> of documentation on the rules formats and foibles than the Writing Snort
> Rules document, sorry....
> 
>     -Marty
> 
> "Crist J. Clark" wrote:
> >
> > On Mon, Feb 26, 2001 at 11:04:40PM -0500, Martin Roesch wrote:
> > > More detailed than http://www.snort.org/snort_rules.html?
> >
> > You mentioned in a separate mail using a backslash (\) to escape a
> > colon (:). I did a |3a|. It worked.
> >
> > Well, that's the kind of detailed stuff I can't seem to find in
> > http://www.snort.org/snort_rules.html. There is mention of using the
> > escape character in the 'msg' information, but nowhere else. After I
> > fixed the colon problem, snort complained that the 'depth' was in the
> > wrong place. But that that is not mentioned on the page is not too bad
> > since it is well flagged in the error message.
> >
> > Other kinds of details (just examples): How long can a 'content' line
> > be? What kinds of whitespace are allowed/not allowed? When else does
> > option order count? What about port numbers for ICMP?
> >
> > Do I remember something about using multiple 'content' lines in a
> > single rule when I saw you speak at one of the SANS conferences? Was I
> > imagining things? Recalling a feature for the future? Or does this
> > exist? Where is it documented? Or am I confusing it with
> > 'content-list?'
> >
> > And the figure numbering is off. That really had me confused for a few
> > minutes. %)
> >
> > But just in case it sounds like I am whining, I like Snort, I use
> > Snort. I just want to know if there is a more detailed (but need not
> > be beginner friendly) document about rule syntax.
> >
> > > "Crist J. Clark" wrote:
> > > >
> > > > Is there a /detailed/ document outlining the syntax for Snort 1.7
> > > > rules? I just spent a half-hour rediscovering the fact that the rule
> > > > parser is not clever enough to deal with colons inside of a 'content'
> > > > option (why do we need to bother with quotes around the content-data
> > > > if the data are not really quoted?). How about just a list of
> > > > "reserved" characters in rules?
> > > > --
> > > > Crist J. Clark                           cjclark at ...485...
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> > > --
> > > Martin Roesch
> > > roesch at ...421...
> > > http://www.snort.org
> >
> > --
> > Crist J. Clark                           cjclark at ...485...
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
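The two points argued over in this thread, writing a colon inside a 'content' string (backslash escape versus the |3a| hex form) and the 'depth' option limiting how far into the payload the pattern is searched, as an added Python illustration; this is not code from the thread or from Snort's own parser, and `parse_content` and `content_matches` are hypothetical helpers that simplify Snort 1.7's real grammar.

```python
def parse_content(spec):
    """Turn a Snort-style 'content' string into the raw bytes it matches.

    Text outside |...| is taken literally; inside |...|, pairs of hex digits
    are bytes, so a colon can be written |3a| instead of being escaped.
    A backslash escapes the next character (e.g. \\: or \\").
    Constructed re-implementation for illustration, not Snort's parser.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == '|':
            end = spec.index('|', i + 1)          # ValueError if unterminated
            hexpart = spec[i + 1:end].replace(' ', '')
            if len(hexpart) % 2:
                raise ValueError("odd number of hex digits in %r" % spec[i:end + 1])
            out += bytes.fromhex(hexpart)
            i = end + 1
        elif ch == '\\':
            if i + 1 >= len(spec):
                raise ValueError("dangling backslash in %r" % spec)
            out.append(ord(spec[i + 1]))          # escaped reserved character
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(payload, spec, depth=None):
    """True if the pattern occurs in payload.

    With depth set, only the first `depth` bytes are searched, so the whole
    pattern must fit inside that window (the 'depth' semantics the thread
    mentions); without it the full payload is searched.
    """
    pattern = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    return pattern in window


if __name__ == "__main__":
    # Constructed sample payload: a minimal HTTP request.
    req = b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"
    print(content_matches(req, "Host|3a| example"))            # True
    print(content_matches(req, "Host|3a| example", depth=20))  # False
```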

