[Snort-users] BASE Feature Suggestion to Display Rule Source

McCash, John John.McCash at ...10979...
Thu Sep 15 16:19:17 EDT 2005


Hi All,
	I'm sure there's a BASE development list somewhere, but I'm so
far behind on _this_ list that I don't even want to go looking for it.
As everyone's well aware, since Sourcefire changed their licensing
model, the output you get when clicking on the <snort> link in an alert
displayed in BASE or ACID has gotten markedly less useful because you
can no longer see the text of the rule. Consequently, it's gotten much
more difficult (unless the specific rule you're looking up is one of the
well-documented ones) to determine whether what you're looking at is
likely to be a false positive. This is especially true if, like myself,
you're making heavy use of the bleedingsnort rules as well as
Sourcefire's.

	From the BASE config file, it looks like the <snort> tag is more
or less just forwarded to the Sourcefire URL with a sid number, and the
resultant page is displayed. It strikes me (as a non-PHP programmer, no
flames please) that it should not be terribly difficult to have BASE
instead display a web page with two frames, and put the Sourcefire stuff
in one, while simultaneously displaying the full text of the referenced
rule (pulled from a locally maintained copy of all rules in use) in the
other.

	The line in the BASE config that defines how the <snort>
reference tag is processed could just forward to a specified BASE URL on
the local server, and be processed as a separate page...

	Anybody else think this is a good idea?

		John
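As an added illustration (not code from BASE, Sourcefire, or the post above) of the local sid lookup John proposes: a small Python indexer that reads a locally kept copy of the rule files, joins backslash-continued lines, and maps each sid to its full rule text and msg so a BASE page could show the rule beside the vendor reference. The rules below are constructed samples, not real Sourcefire or bleedingsnort signatures.

```python
import re

# Constructed sample rule file: one continued rule, one commented-out rule, one plain rule.
SAMPLE_RULES = r"""
# constructed example rules for the sid index
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; \
    flow:to_server,established; content:"GET /probe"; sid:1000001; rev:2;)
#alert tcp any any -> any 23 (msg:"EXAMPLE disabled telnet"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns oddity"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def iter_rules(text):
    """Yield logical rules, joining lines that end in a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        rule, buf = buf.strip(), ""
        if rule:
            yield rule


def index_rules(text):
    """Map sid -> {text, msg, enabled}.

    Commented-out rules are indexed too but flagged disabled: an alert in the
    database may reference a sid that has since been turned off, and the analyst
    still wants to read it. If a sid appears twice, the later definition wins.
    """
    index = {}
    for rule in iter_rules(text):
        enabled = not rule.startswith("#")
        body = rule.lstrip("# ")
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue  # plain comment or malformed line, nothing to index
        msg_match = MSG_RE.search(body)
        index[int(sid_match.group(1))] = {
            "text": body,
            "msg": msg_match.group(1) if msg_match else None,
            "enabled": enabled,
        }
    return index


def lookup(index, sid):
    """Return the indexed rule for a sid, or None if the local copy lacks it."""
    return index.get(sid)
```

In a deployment the text would come from reading every rules file Snort loads, so that the index covers the same rule set that produced the alerts.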