[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Matt Jonkman jonkman at jonkmans.com
Thu Aug 6 18:40:42 UTC 2009


I didn't realize YAML was indent-strict. But it also forbids tabs. I
think those two things in parallel would drive us all buggy...

Thoughts?

Matt

Shirkdog wrote:
> YAML has decent support across the languages (as mentioned
> previously), take a look at some sample data.
> 
> http://www.yaml.org/start.html
> 
> ---
> Shirkdog
> Free your Mind...
> http://www.shirkdog.us
> 
> 
> 
> On Tue, Aug 4, 2009 at 10:09 PM, Nick Rogness <nick at rogness.net> wrote:
>> On Fri, 2009-07-31 at 10:39 -0700, Brian Rectanus wrote:
>>>> I don't particularly care for XML for this.  While it is nice for
>>>> interoperability (ie for machines to read), it is a real pain to write
>>>> rules with this syntax (too verbose and too error prone to write by
>>>> hand in vim, heh).  I'd much rather see a simpler rule language that
>>>> is easy for humans to write and, probably more important, read and
>>>> understand.
>>> I agree. My use of tags was just a section break to signal the parser
>>> that a different type of rule follows. I should have used "[snort]", but
>>> then Shirkdog would have complained that it looks too much like
>>> Windows ;)
>>> Human readable and easy to read/write/remember/comprehend are key.
>> I would tend to agree with XML or something similar.  The problem with
>> using 'your own language' is that it is a bitch to build any type of
>> frontend GUI helper, rules integrity checker, integration with other
>> vendors, etc.  At least with XML, pretty much every language has
>> libraries for parsing syntactical errors, etc.  Additionally, the
>> problem with snort and snort_inline in this manner was the ability to
>> change rule syntax after the fact or versioning rule syntax without
>> changing the parser code.  If you use something like XML, your parser
>> code will be fairly straightforward and can utilize an existing C XML
>> library like libXML2.
>>
>> Although I agree that XML is very heavyweight for writing rules in
>> VI or EMACS, I don't see a better way to write a parser that you
>> don't have to change every time person X adds a new rule feature Y.
>> Maybe there is some hybrid approach to solve both problems...maybe
>> separating Syntax from Semantics?
>>
>> Nick Rogness
>> _______________________________________________
>> Oisf-wg-ruleslanguage mailing list
>> Oisf-wg-ruleslanguage at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
>>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
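The trade-off argued above (a hand-written parser for a compact rule language versus an off-the-shelf XML parser, and Nick's suggestion of separating syntax from semantics) can be made concrete with a small worked example. The code below is an added illustration, not something posted in this thread or part of any OISF code: it parses one constructed rule written in a Snort-like one-liner and the same rule written in a constructed XML schema, and normalizes both into the same semantic dictionary. The rule text, the XML element names and the `sid` value are all made up for the example.

```python
"""Two syntaxes, one semantic model.

Parses a constructed Snort-like rule and an equivalent constructed XML
document into the same dictionary, so the engine only ever sees the
semantic form regardless of which syntax the author typed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample rule in a Snort-like syntax (not a real published rule).
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
    '(msg:"EXAMPLE outbound HTTP to port 80"; content:"GET "; sid:1000001; rev:1;)'
)

# The same rule in a constructed XML schema (element names are hypothetical).
XML_RULE = """\
<rule action="alert" proto="tcp" sid="1000001" rev="1">
  <src addr="$HOME_NET" port="any"/>
  <dst addr="$EXTERNAL_NET" port="80"/>
  <msg>EXAMPLE outbound HTTP to port 80</msg>
  <content>GET </content>
</rule>
"""

# Header grammar for the custom syntax: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_snort(text):
    """Hand-written parser for the Snort-like syntax.

    Every new option or header field means touching this code, which is the
    maintenance cost the thread worries about.
    """
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    opts = {}
    # Options are ';'-separated key:value pairs. This naive split does not
    # handle a ';' inside a quoted value; a real parser needs a tokenizer.
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    rule["msg"] = opts["msg"]
    rule["content"] = opts["content"]
    rule["sid"] = int(opts["sid"])
    rule["rev"] = int(opts["rev"])
    return rule


def parse_xml(text):
    """Parser for the XML form: syntax errors are caught by the library,
    and only the mapping to the semantic model is ours to maintain."""
    root = ET.fromstring(text)
    if root.tag != "rule":
        raise ValueError("expected <rule> root element")
    src = root.find("src")
    dst = root.find("dst")
    return {
        "action": root.get("action"),
        "proto": root.get("proto"),
        "src": src.get("addr"),
        "sport": src.get("port"),
        "dst": dst.get("addr"),
        "dport": dst.get("port"),
        "msg": root.findtext("msg"),
        "content": root.findtext("content"),
        "sid": int(root.get("sid")),
        "rev": int(root.get("rev")),
    }


def xml_is_well_formed(text):
    """Generic syntax check that comes for free with an XML library."""
    try:
        ET.fromstring(text)
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    a = parse_snort(SNORT_RULE)
    b = parse_xml(XML_RULE)
    print("same semantics:", a == b)
    print("well-formed XML:", xml_is_well_formed(XML_RULE))
    print("broken XML rejected:", not xml_is_well_formed("<rule><src/></rul>"))
```

The point of the two parsers landing on the identical dictionary is that the engine, a rule-integrity checker or a GUI front end only needs to agree on the semantic model; the concrete syntax can then be versioned or swapped without touching anything downstream. Note how the custom-syntax parser already carries a caveat about quoted semicolons that the XML path never has to think about.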
