[Oisf-wg-ruleslanguage] YAML
Matt C
mbc8434 at gmail.com
Thu Aug 6 02:48:01 UTC 2009
Using YAML you could do something like this:
---
type: alert
proto: tcp
saddr: any
sport: any
daddr: any
dport: any
content: "| 00 00 00 00 |"
msg: "some message"
---
type: alert
proto: udp
saddr: any
sport: any
daddr: any
dport: any
content: "| 01 02 03 04 |"
msg: "some message 2"
---
etc...
Also there are many possibilities. Want to handle excluding certain IP
addresses? Just keep nesting....
saddr:
  - base: any
  - exclude:
      - 10.1.1.1
      - 10.2.3.4
      - 10.5.6.7
If using tabs is not good for those who use VI, then YAML has an alternate
syntax that uses [] for lists and {} for dictionaries. Both will be read
just the same by the parser and you can mix and match.
Something along these lines....
saddr:
- base: any
- exclude: [ 10.1.1.1, 10.2.3.4, 10.5.6.7 ]
Matt C
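As an added illustration (not part of the original mail or any OISF code), the following Python loads a '---'-separated stream of rules in the shape proposed above and evaluates the nested saddr base/exclude structure against a source address. It assumes PyYAML is installed; the rule text, the list-of-single-key-maps convention for saddr, and the helper names are all constructed for this example. The second rule uses the flow-style [] list to show that it parses to the same structure as the block-style list.

```python
"""Load the proposed YAML rule stream and evaluate saddr exclusions.
Assumes PyYAML (pip install pyyaml); everything else is stdlib."""
import ipaddress
import yaml

# Constructed sample stream: one rule with a block-style exclude list,
# one with the flow-style [] alternative. Both should load identically.
RULES_YAML = """\
---
type: alert
proto: tcp
saddr:
  - base: any
  - exclude:
      - 10.1.1.1
      - 10.2.3.4
sport: any
daddr: any
dport: any
content: "| 00 00 00 00 |"
msg: "some message"
---
type: alert
proto: udp
saddr:
  - base: any
  - exclude: [ 10.1.1.1, 10.5.6.7 ]
sport: any
daddr: any
dport: any
content: "| 01 02 03 04 |"
msg: "some message 2"
"""


def load_rules(text):
    """Return the list of rule dicts from a '---'-separated YAML stream."""
    return [doc for doc in yaml.safe_load_all(text) if doc]


def normalize_addr(field):
    """Collapse the 'list of single-key maps' form into a flat dict
    {'base': ..., 'exclude': [...]}. A bare scalar such as 'any' becomes
    {'base': 'any', 'exclude': []} so every rule is evaluated the same way."""
    if isinstance(field, list):
        merged = {}
        for item in field:
            merged.update(item)
    elif isinstance(field, dict):
        merged = dict(field)
    else:
        merged = {"base": field}
    merged.setdefault("exclude", [])
    # Force every entry to str so ip_network() always sees text.
    merged["exclude"] = [str(x) for x in merged["exclude"]]
    return merged


def addr_matches(field, ip):
    """True if ip is covered by the base spec and not by any exclusion.
    Exclusions are checked first so they win over 'any'."""
    spec = normalize_addr(field)
    addr = ipaddress.ip_address(ip)
    for excluded in spec["exclude"]:
        if addr in ipaddress.ip_network(excluded, strict=False):
            return False
    base = spec["base"]
    if base == "any":
        return True
    return addr in ipaddress.ip_network(str(base), strict=False)


def matching_rules(rules, proto, saddr):
    """Return the msg of every rule whose proto and saddr accept the packet."""
    return [
        r["msg"]
        for r in rules
        if r["proto"] == proto and addr_matches(r["saddr"], saddr)
    ]


def content_bytes(rule):
    """Decode the '| 00 01 |' hex-pipe content notation into raw bytes."""
    body = rule["content"].strip().strip("|")
    return bytes.fromhex(body.replace(" ", ""))


if __name__ == "__main__":
    rules = load_rules(RULES_YAML)
    print(matching_rules(rules, "tcp", "192.0.2.1"))  # ['some message']
    print(matching_rules(rules, "tcp", "10.1.1.1"))   # []
    print(content_bytes(rules[1]))                    # b'\x01\x02\x03\x04'
```

Because exclusions are tested before the base, a host listed under exclude is dropped even when base is any, which is the semantics the nesting above implies; the same code accepts a rule whose exclude entries are written in flow style, since PyYAML returns an ordinary list either way.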