[Snort-users] BASE Feature Suggestion to Display Rule Source

Joel Esler joel.esler at ...1935...
Thu Sep 15 17:01:07 EDT 2005


It is a good idea, and I think the BASE team has that slated for the
work.  It's a bit harder to pull a rule out of a text file than to
just link to a webpage, but it's certainly something they can look into.

BTW..  BASE's website is at http://www.sourceforge.net/projects/secureideas

They have forums as well there.

Joel Esler
SOURCEfire
On Sep 15, 2005, at 7:18 PM, McCash, John wrote:

> Hi All,
>     I'm sure there's a BASE development list somewhere, but I'm so
> far behind on _this_ list that I don't even want to go looking for it.
> As everyone's well aware, since sourcefire changed their licensing
> model, the output you get when clicking on the <snort> link in an alert
> displayed in BASE or ACID has gotten markedly less useful because you
> can no longer see the text of the rule. Consequently, it's gotten much
> more difficult (unless the specific rule you're looking up is one of the
> well documented ones) to determine whether what you're looking at is
> likely to be a false positive. This is especially true if, like myself,
> you're making heavy use of the bleedingsnort rules as well as
> sourcefire's.
>
>     From the BASE config file, it looks like the <snort> tag is more
> or less just forwarded to the sourcefire URL with a sid number, and the
> resultant page is displayed. It strikes me (as a non-PHP programmer, no
> flames please) that it should not be terribly difficult to have BASE
> instead display a web page with two frames, and put the sourcefire stuff
> in one, while simultaneously displaying the full text of the referenced
> rule (pulled from a locally maintained copy of all rules in use) in the
> other.
>
>     The line in the base config that defines how the <snort>
> reference tag is processed could just forward to a specified BASE URL on
> the local server, and be processed as a separate page...
>
>     Anybody else think this is a good idea?
>
>         John
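The lookup John describes, a local sid-to-rule-text index built from the rule files actually loaded by the sensor, as an added example that is not part of this thread and is not BASE's own code (BASE is PHP; this is a stand-alone Python sketch of the same idea). The rule files and rule text below are constructed for the example; the file names and the `Rule`/`build_index`/`lookup` names are assumptions, not anything from BASE or the Snort rule sets. It handles the two things a naive `grep sid:` misses: backslash line continuations and rules that are present in the file but commented out, and it blanks quoted strings before searching so a `sid:` that appears inside a `msg` or `content` option is not mistaken for the rule's sid.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, NamedTuple, Optional


class Rule(NamedTuple):
    sid: int
    rev: Optional[int]
    enabled: bool     # False when the rule line is commented out with '#'
    source: str       # which rule file it came from (sourcefire vs bleeding, etc.)
    text: str         # full rule text, continuation lines joined


# Quoted option values (msg:"...", content:"...") may contain a literal 'sid:',
# so they are blanked before the option search; backslash escapes are honoured.
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_REV = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def _logical_lines(lines: Iterable[str]) -> Iterable[str]:
    """Join lines ending in a backslash, as Snort does when reading rule files."""
    buf = ""
    for raw in lines:
        line = raw.rstrip("\n")
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rules(text: str, source: str) -> Iterable[Rule]:
    """Yield every rule (enabled or commented out) found in one rule file's text."""
    for line in _logical_lines(text.splitlines(True)):
        stripped = line.strip()
        if not stripped:
            continue
        enabled = True
        if stripped.startswith("#"):
            enabled = False
            stripped = stripped.lstrip("#").strip()
        # A rule body always has an option list in parentheses; anything else
        # (a bare comment, a variable definition) is skipped.
        if "(" not in stripped or not stripped.endswith(")"):
            continue
        options = _QUOTED.sub('""', stripped)
        sid_match = _SID.search(options)
        if not sid_match:
            continue
        rev_match = _REV.search(options)
        yield Rule(
            sid=int(sid_match.group(1)),
            rev=int(rev_match.group(1)) if rev_match else None,
            enabled=enabled,
            source=source,
            text=stripped,
        )


def build_index(files: Dict[str, str]) -> Dict[int, Rule]:
    """Map sid -> Rule across all files, preferring enabled rules and higher revs."""
    index: Dict[int, Rule] = {}
    for source, text in files.items():
        for rule in parse_rules(text, source):
            current = index.get(rule.sid)
            if current is None or (rule.enabled, rule.rev or 0) > (current.enabled, current.rev or 0):
                index[rule.sid] = rule
    return index


def load_rule_files(paths: Iterable[str]) -> Dict[str, str]:
    """Read rule files from disk into the {name: text} shape build_index expects."""
    return {Path(p).name: Path(p).read_text(encoding="utf-8", errors="replace") for p in paths}


def lookup(index: Dict[int, Rule], sid: int) -> Optional[Rule]:
    """What the <snort> reference handler would call before rendering the alert page."""
    return index.get(sid)


# Constructed sample rule files (not real Sourcefire or Bleeding Snort rules).
SAMPLE_RULES = {
    "snort.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample request"; '
        'flow:to_server,established; content:"/sample"; nocase; '
        'classtype:web-application-activity; sid:1000001; rev:2;)\n'
        '# disabled copy of an older revision\n'
        '#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample request"; '
        'content:"/sample"; sid:1000001; rev:1;)\n'
    ),
    "bleeding-all.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any \\\n'
        '    (msg:"BLEEDING-EDGE sample with sid:9999 in msg text"; \\\n'
        '    content:"abc"; sid:2000001; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_RULES)
    for sid in (1000001, 2000001, 9999):
        rule = lookup(idx, sid)
        print(sid, "->", f"{rule.source} rev {rule.rev} enabled={rule.enabled}" if rule else "not found")
```

For the BASE use case the index would be built from the same files the sensor's `snort.conf` includes (passed to `load_rule_files`), and the `source` field is exactly the "rule source" the subject line asks for: a sid found in a bleeding file and a sid found in a Sourcefire file are distinguished without leaving the local server.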