[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Nick Rogness nick at rogness.net
Wed Aug 5 02:09:10 UTC 2009


On Fri, 2009-07-31 at 10:39 -0700, Brian Rectanus wrote:
>> I don't particularly care for XML for this.  While it is nice for
>> interoperability (ie for machines to read), it is a real pain to write
>> rules with this syntax (too verbose and too error prone to write by
>> hand in vim, heh).  I'd much rather see a simpler rule language that
>> is easy for humans to write and, probably more important, read and
>> understand.

> I agree. My use of tags was just a section break to signal the parser
> that a different type of rule follows. I should have used "[snort]", but
> then Shirkdog would have complained that it looks too much like
> Windows ;)

> Human readable and easy to read/write/remember/comprehend are key.

I would tend to agree with XML or something similar.  The problem with
using 'your own language' is that it is a bitch to build any type of
frontend GUI helper, rules integrity checker, integration with other
vendors, etc.  At least with XML, pretty much every language has
libraries for parsing syntactical errors, etc.  Additionally, the
problem with snort and snort_inline in this manner was the ability to
change rule syntax after the fact or versioning rule syntax without
changing the parser code.  If you use something like XML, your parser
code will be fairly straightforward and can utilize an existing C XML
library like libXML2.

Although I agree that XML is very heavyweight for writing rules in
VI or EMACS, I don't see a better way to write a parser that you
don't have to change every time person X adds a new rule feature Y.
Maybe there is some hybrid approach to solve both problems... maybe
separating Syntax from Semantics?

Nick Rogness
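As an added illustration of the point above (not code from this thread or from OISF), here is a hypothetical XML rule format in which the syntax layer checks only the fixed skeleton and every option's meaning lives in a registry, so a new rule feature Y needs no parser change and a front end can run the same code as an integrity checker. It uses Python's standard XML parser in place of libxml2; the rule format, element names, attributes and option names are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a hypothetical XML rule format (not real Suricata/Snort syntax).
SAMPLE_RULES = """<rules>
  <rule sid="1000001" action="alert" proto="tcp" src="any" dst="$HOME_NET" dport="80">
    <msg>Example HTTP request</msg>
    <option name="content" value="GET " />
    <option name="nocase" />
  </rule>
</rules>"""

REQUIRED_ATTRS = ("sid", "action", "proto", "src", "dst")
# Semantics registry (option name -> handler): adding feature Y means adding an entry
# here; the syntax layer in parse_rules() stays untouched.
OPTION_HANDLERS = {"content": lambda v: {"content": v},
                   "nocase": lambda v: {"nocase": True}}

def parse_rules(xml_text):
    """Syntax layer: the XML library checks well-formedness, we check only the fixed
    skeleton (required attributes) and collect options as opaque name/value pairs."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        missing = [a for a in REQUIRED_ATTRS if r.get(a) is None]
        if missing:
            raise ValueError("rule sid=%s missing attributes %s" % (r.get("sid"), missing))
        rules.append({"sid": int(r.get("sid")), "action": r.get("action"),
                      "proto": r.get("proto"), "msg": r.findtext("msg", ""),
                      "options": [(o.get("name"), o.get("value")) for o in r.findall("option")]})
    return rules

def resolve_options(rule):
    """Semantics layer: returns (resolved option dict, list of unknown option names)."""
    resolved, unknown = {}, []
    for name, value in rule["options"]:
        handler = OPTION_HANDLERS.get(name)
        if handler is None:
            unknown.append(name)
        else:
            resolved.update(handler(value))
    return resolved, unknown

def lint_rules(xml_text):
    """Integrity check a GUI front end or CI job could run: one string per problem."""
    try:
        rules = parse_rules(xml_text)
    except (ET.ParseError, ValueError) as e:
        return ["syntax: %s" % e]
    return ["sid %d: unknown option %r" % (r["sid"], n)
            for r in rules for n in resolve_options(r)[1]]
```

An option the registry does not know is reported by the lint step rather than rejected by the parser, which is what lets the syntax stay versioned independently of the semantics.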


