[Snort-users] upgraded some tools (snortplot)

Brian bmc at ...950...
Mon Oct 29 21:42:03 EST 2001


According to Martin Roesch:
> Brian wrote:
> Sid 485: no classtype assigned, msg field has parenthetical statement
> within
> Sid 499: classtype assigned
> Sid 480: no classtype assigned

Yes yes, I screwed up.  Sorry.

> > > I do not mean to belittle anybody's work here, I am just saying that maybe
> > > we need a rule creation metaengine, probably based on M4 or some macro
> > > language which will generate the rules.
> > 
> > No, it's not the problem of the rules.  It's something else.
> 
> Um, everything is working the way it was written to, there are no
> problems here except for apparent inconsistency because of the way the
> rules were written.  Maybe I should add the "[**]" back to the msg field
> for syslog output so there's no confusion.  

Nope, I should just make my rules parser that I validate rules with
stricter before I commit them. 

> I don't think that running things through M4 would have helped in this case
> particularly, it's perfectly valid to leave out pieces of the rules,
> there are only a few things that are *required* to write a valid Snort
> rule, which makes life easier for everyone in general.

I agree.  The snort ruleset is the most readable signature set I have
seen yet.  m4 is nowhere near as readable to normal people.

-brian
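The stricter pre-commit rules check Brian mentions, written out as an added example (this is not code from the thread, from Brian, or from the Snort project). It parses each rule into header fields and options, respecting semicolons inside quoted values, and reports the three conditions listed at the top of the thread: a missing classtype, a missing sid or msg, and a parenthetical inside the msg field. Snort itself only requires the header and a well-formed option list; treating classtype and rev as mandatory is a ruleset-policy assumption made here, and the sample rules are constructed with placeholder content rather than copied from the ruleset (only the sid numbers and their reported conditions come from the thread).

```python
"""Minimal Snort 1.x rule linter (added example, not Snort's own code)."""
import re

# Constructed sample rules (not copied from the Snort ruleset).  They mirror the
# three conditions reported in the thread: sid 485 has a parenthetical in msg and
# no classtype, sid 499 has a classtype, sid 480 has no classtype.
SAMPLE_RULES = """\
# constructed rules for the linter demo
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI placeholder (constructed) access"; content:"/cgi-bin/placeholder"; sid:485; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI placeholder two access"; content:"/cgi-bin/placeholder2"; classtype:web-application-attack; sid:499; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI placeholder three access"; content:"/cgi-bin/placeholder3"; sid:480; rev:1;)
"""

# Snort requires only a valid header and option list; msg and sid are needed for
# usable alert output.  classtype and rev being mandatory is a ruleset-policy
# assumption for this linter, which is exactly what the thread found missing.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
DIRECTIONS = {"->", "<>"}
REQUIRED_OPTIONS = ("msg", "sid")
POLICY_OPTIONS = ("classtype", "rev")


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside quoted values."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            if "".join(cur).strip():
                opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(line):
    """Return (header_fields, {option: value}) or None if the rule is unparsable."""
    m = re.match(r"^\s*([^(]+?)\s*\((.*)\)\s*$", line)
    if not m:
        return None
    header = m.group(1).split()
    options = {}
    for opt in split_options(m.group(2)):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options.setdefault(name, value)  # first occurrence wins
    return header, options


def lint_rule(line):
    """Return a list of finding codes for one rule; empty means it passed."""
    parsed = parse_rule(line)
    if parsed is None:
        return ["unparsable"]
    header, options = parsed
    findings = []
    # header must be: action proto src sport direction dst dport
    if len(header) != 7 or header[0] not in ACTIONS or header[4] not in DIRECTIONS:
        findings.append("bad-header")
    for name in REQUIRED_OPTIONS + POLICY_OPTIONS:
        if name not in options:
            findings.append(f"missing-{name}")
    if "sid" in options and not options["sid"].isdigit():
        findings.append("bad-sid")
    # the sid 485 problem from the thread: parentheses inside the msg text
    if "msg" in options and re.search(r"[()]", options["msg"]):
        findings.append("paren-in-msg")
    return findings


def lint_ruleset(text):
    """Lint every rule in text; returns {sid or 'line<N>': findings} for all rules."""
    report, seen = {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = lint_rule(line)
        parsed = parse_rule(line)
        sid = parsed[1].get("sid") if parsed else None
        if sid is not None:
            if sid in seen:
                findings.append("duplicate-sid")
            seen.add(sid)
        report[sid if sid else f"line{n}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in lint_ruleset(SAMPLE_RULES).items():
        print(f"sid {key}: {', '.join(findings) or 'ok'}")
```

Run against a rules file before committing, a non-empty finding list for any sid is the signal to stop; the report is keyed by sid so a check can be added per ruleset policy without touching the parser.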