[Snort-users] upgraded some tools (snortplot)
bmc at ...950...
Mon Oct 29 21:42:03 EST 2001
According to Martin Roesch:
> Brian wrote:
> Sid 485: no classtype assigned, msg field has parenthetical statement
> Sid 499: classtype assigned
> Sid 480: no classtype assigned
Yes yes, I screwed up. Sorry.
> > > I do not mean to belittle anybody's work here, I am just saying that maybe
> > > we need a rule creation metaengine, probably based on M4 or some macro
> > > language which will generate the rules.
> > No, it's not the problem of the rules. It's something else.
> Um, everything is working the way it was written to; there are no
> problems here except for apparent inconsistency because of the way the
> rules were written. Maybe I should add the "[**]" back to the msg field
> for syslog output so there's no confusion.
Nope, I should just make my rules parser that I validate rules with
stricter before I commit them.
> I don't think that running things thru M4 would have helped in this case
> particularly; it's perfectly valid to leave out pieces of the rules.
> There are only a few things that are *required* to write a valid Snort
> rule, which makes life easier for everyone in general.
I agree. The Snort ruleset is the most readable signature set I have
seen yet. m4 is nowhere near as readable to normal people.
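A small pre-commit linter in the spirit of the stricter rule check Brian mentions, added here as an example that is not part of the original thread or of Snort itself. It assumes a simplified rule grammar (header plus `key:value;` options; real Snort accepts more), which options count as required is a policy assumption, and the sample rules are constructed with local SIDs rather than the ones discussed above:

```python
import re

# Simplified Snort rule shape (assumption): action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
REQUIRED_OPTS = ("msg", "sid")          # linter policy, not Snort's grammar (assumption)
RECOMMENDED_OPTS = ("classtype", "rev")  # missing classtype was the inconsistency in the thread

def parse_options(opts):
    """Split 'msg:"a; b"; sid:1;' into a dict, honouring quotes so ';' inside msg is kept."""
    result, buf, quoted = {}, [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ';' and not quoted:
            token = ''.join(buf).strip()
            buf = []
            if token:
                name, _, value = token.partition(':')
                result[name.strip()] = value.strip().strip('"')
        else:
            buf.append(ch)
    return result

def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means it passes."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["unparseable rule header"]
    opts = parse_options(m.group("opts"))
    findings = [f"missing required option: {n}" for n in REQUIRED_OPTS if n not in opts]
    findings += [f"missing option: {n}" for n in RECOMMENDED_OPTS if n not in opts]
    if "(" in opts.get("msg", "") or ")" in opts.get("msg", ""):
        findings.append("msg contains a parenthetical statement")
    return findings

def lint_rules(rules):
    """Lint a whole rule file (list of lines); keys are 1-based line numbers."""
    return {i: lint_rule(r) for i, r in enumerate(rules, 1)}

# Constructed sample rules (local SIDs, not the snort.org rules discussed above).
SAMPLE_RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP probe (constructed)"; sid:1000001;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example"; classtype:attempted-recon; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"no sid here";)',
]
```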