[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Shirkdog shirkdog at gmail.com
Wed Aug 5 15:28:27 UTC 2009


YAML has decent support across the languages (as mentioned
previously), take a look at some sample data.

http://www.yaml.org/start.html

---
Shirkdog
Free your Mind...
http://www.shirkdog.us



On Tue, Aug 4, 2009 at 10:09 PM, Nick Rogness <nick at rogness.net> wrote:
> On Fri, 2009-07-31 at 10:39 -0700, Brian Rectanus wrote:
>>> I don't particularly care for XML for this.  While it is nice for
>>> interoperability (ie for machines to read), it is a real pain to write
>>> rules with this syntax (too verbose and too error prone to write by
>>> hand in vim, heh).  I'd much rather see a simpler rule language that
>>> is easy for humans to write and, probably more important, read and
>>> understand.
>
>> I agree. My use of tags was just a section break to signal the parser
>> that a different type of rule follows. I should have used "[snort]", but
>> then Shirkdog would have complained that it looks too much like
>> Windows ;)
>
>> Human readable and easy to read/write/remember/comprehend are key.
>
> I would tend to agree with XML or something similar.  The problem with
> using 'your own language' is that it is a bitch to build any type of
> frontend GUI helper, rules integrity checker, integration with other
> vendors, etc.  At least with XML, pretty much every language has
> libraries for parsing syntactical errors, etc.  Additionally, the
> problem with snort and snort_inline in this manner was the ability to
> change rule syntax after the fact or versioning rule syntax without
> changing the parser code.  If you use something like XML, your parser
> code will be fairly straightforward and can utilize an existing C XML
> library like libXML2.
>
> Although I agree that XML is very heavyweight for writing rules in
> VI or EMACS, I don't see a better way to write a parser that you
> don't have to change every time person X adds a new rule feature Y.
> Maybe there is some hybrid approach to solve both problems...maybe
> separating Syntax from Semantics?
>
> Nick Rogness
> _______________________________________________
> Oisf-wg-ruleslanguage mailing list
> Oisf-wg-ruleslanguage at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
>
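The "hybrid approach" Nick floats above (a fixed structural syntax handled by an existing library, with the rule semantics checked separately against a versioned keyword table) can be sketched in a few dozen lines. The following is an added illustration, not code from this thread or from any OISF project; the `<ruleset>`/`<rule>`/`<option>` element names, the `syntax` version attribute and the sample rules are all constructed for the example. It uses Python's standard-library XML parser to stay dependency-free; the same split works unchanged with a YAML document loaded through PyYAML.

```python
"""Constructed example: a versioned, schema-checked XML rule format.

Every rule option is a generic <option name="..."> element, so the parser
never changes when a new keyword appears.  Whether a keyword is *meaningful*
is a separate, per-version semantic check (the "integrity checker" role).
"""
import xml.etree.ElementTree as ET

# Constructed sample ruleset (element names and sids are made up for the example).
# The second rule uses an option that syntax version 1 does not know about.
SAMPLE_RULES = """\
<ruleset syntax="1">
  <rule sid="1000001" action="alert" proto="tcp" src="$EXTERNAL_NET" sport="any" dst="$HOME_NET" dport="80">
    <option name="msg">EXAMPLE HTTP probe</option>
    <option name="content">/probe.cgi</option>
    <option name="nocase"/>
  </rule>
  <rule sid="1000002" action="alert" proto="udp" src="any" sport="any" dst="$HOME_NET" dport="53">
    <option name="msg">EXAMPLE DNS option unknown to syntax 1</option>
    <option name="dns_query"/>
  </rule>
</ruleset>
"""

# Semantics live in data, not in parser code: the option keywords each syntax
# version understands.  Adding a keyword means adding it here, not re-coding.
KNOWN_OPTIONS = {
    1: {"msg", "content", "nocase"},
    2: {"msg", "content", "nocase", "dns_query"},
}

# Header fields every rule must carry, whatever the syntax version.
REQUIRED_HEADER = ("sid", "action", "proto", "src", "sport", "dst", "dport")


def parse_ruleset(xml_text):
    """Syntax only: return (syntax_version, list_of_rules) without judging content."""
    root = ET.fromstring(xml_text)
    if root.tag != "ruleset":
        raise ValueError("root element must be <ruleset>")
    version = int(root.get("syntax", "0"))
    rules = []
    for node in root.findall("rule"):
        header = {key: node.get(key) for key in REQUIRED_HEADER}
        # Options are kept as (name, value) pairs; a bare <option name="x"/> has value "".
        options = [(opt.get("name"), opt.text or "") for opt in node.findall("option")]
        rules.append({"header": header, "options": options})
    return version, rules


def check_ruleset(version, rules):
    """Semantics: return a list of problem strings (empty list means the set is clean)."""
    known = KNOWN_OPTIONS.get(version)
    if known is None:
        return [f"unsupported syntax version {version}"]
    problems = []
    for rule in rules:
        sid = rule["header"].get("sid") or "<no sid>"
        for key, value in rule["header"].items():
            if value is None:
                problems.append(f"sid {sid}: missing header field '{key}'")
        for name, _value in rule["options"]:
            if name not in known:
                problems.append(f"sid {sid}: option '{name}' not known in syntax {version}")
    return problems


def lint(xml_text):
    """Parse, then check; the two stages are deliberately independent."""
    version, rules = parse_ruleset(xml_text)
    return check_ruleset(version, rules)


if __name__ == "__main__":
    for problem in lint(SAMPLE_RULES):
        print(problem)
```

Running it reports only the `dns_query` option in sid 1000002 as unknown to syntax 1; changing the ruleset's `syntax` attribute to `2` makes the very same parser accept it, which is the versioning property the thread is asking for. An unknown version is rejected outright rather than guessed at.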


