[Oisf-wg-ruleslanguage] Separating Matching from Actions
Nick Rogness
oisf at rogness.net
Fri Aug 7 23:54:21 UTC 2009
Regardless of the language, I have a suggestion more on the semantics
side. Would it make sense to separate the matching and action pieces
of the rules, to use a more modular (reusable) rules language?
Consider:
# Matching criteria
match WWW {
    proto: TCP
    port: 80
}
match WWW_EXPLOIT {
    include WWW
    content: "SOME_EXPLOIT"
}
match LOCAL_WWW {
    include WWW
    ipsrc: $HOME_NET
}

# Perform actions/call plugins/etc
match_rule (WWW_EXPLOIT && ! LOCAL_WWW) {
    action: reset
    plugin: report_exploit_to_cluster
    ...
}
match_rule (LOCAL_WWW) {
    action: allow
}
This allows users to reuse/inherit matching and lets users build their
own logic for a sequence of things to do when matches occur. What do
you all think?
--
Nick Rogness
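To see how the proposed split behaves end to end, here is a small evaluator for exactly the syntax in the post above. It is an added example for this page, not OISF or Suricata code, and it assumes things the post does not specify: a packet is a dict with proto/src/dst/dport/payload keys, $HOME_NET is a fixed list of CIDRs in a VARS table, `port` means destination port, a packet that matches no match_rule gets a hypothetical 'pass' verdict, and the pkt() helper with its 192.168.1.10 destination is constructed test data, not a capture. The post's ruleset is embedded with its trailing `...` line dropped so that it parses. Rule expressions are evaluated by walking a Python AST restricted to Name/Not/And/Or nodes rather than by handing rule text to eval().

```python
"""Prototype evaluator for the match / match_rule split proposed in the post above.
Added example, not OISF/Suricata code: the block syntax is the post's; the packet
dict layout, $HOME_NET, 'port' = destination port and the 'pass' default are assumed."""
import ast
import ipaddress

VARS = {"$HOME_NET": ["192.168.0.0/16", "10.0.0.0/8"]}      # assumed, Snort-style

def parse(text):
    # -> ({match_name: [(key, value), ...]}, [(expression, {action: ...}), ...])
    matches, rules, block = {}, [], None
    lines = (l.strip() for l in text.splitlines())
    for line in (l for l in lines if l and not l.startswith("#")):
        if block is None:                                   # expect a block header
            kind, _, head = line[:-1].partition(" ")
            if kind not in ("match", "match_rule") or line[-1] != "{":
                raise ValueError(f"bad block header: {line!r}")
            block = (kind, head.strip(), [])
        elif line == "}":
            kind, head, body = block
            if kind == "match":
                matches[head] = body
            else:
                rules.append((head, dict(body)))            # head keeps its ( )
            block = None
        elif line.startswith("include "):
            block[2].append(("include", line.split(None, 1)[1]))
        else:
            key, _, val = line.partition(":")
            block[2].append((key.strip(), val.strip().strip('"')))
    if block:
        raise ValueError("unterminated block")
    return matches, rules

def resolve(name, matches, seen=()):
    """Flatten 'include' lines into one criteria list; reject include cycles."""
    if name in seen:
        raise ValueError(f"include cycle through {name}")
    out = []
    for key, val in matches[name]:
        out += resolve(val, matches, seen + (name,)) if key == "include" else [(key, val)]
    return out

def criterion_holds(key, val, pkt):
    if key in ("ipsrc", "ipdst"):                           # literal CIDR or $VAR list
        addr = ipaddress.ip_address(pkt["src" if key == "ipsrc" else "dst"])
        return any(addr in ipaddress.ip_network(n) for n in VARS.get(val, [val]))
    return {"proto": lambda: pkt["proto"].upper() == val.upper(),
            "port": lambda: pkt["dport"] == int(val),       # assumed: destination port
            "content": lambda: val.encode() in pkt["payload"]}[key]()

def eval_expr(expr, truth):
    """Rule expression over match names (!, &&, ||, parentheses), rewritten into
    Python syntax and walked as an AST limited to Name/Not/And/Or: never eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):
            return truth[node.id]                           # KeyError: undefined match
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        raise ValueError(f"unsupported syntax in rule expression {expr!r}")
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return walk(ast.parse(py, mode="eval"))

def evaluate(pkt, matches, rules):
    """Named matches evaluated once; first true match_rule decides; 'pass' if none (assumed)."""
    truth = {n: all(criterion_holds(k, v, pkt) for k, v in resolve(n, matches))
             for n in matches}
    for expr, body in rules:
        if eval_expr(expr, truth):
            return body["action"], truth
    return "pass", truth

def pkt(src, payload, dport=80):                           # constructed, not a capture
    return dict(proto="tcp", src=src, dst="192.168.1.10", dport=dport, payload=payload)

# The post's ruleset with its trailing '...' line dropped so that it parses.
RULESET = """match WWW {
  proto: TCP
  port: 80
}
match WWW_EXPLOIT {
  include WWW
  content: "SOME_EXPLOIT"
}
match LOCAL_WWW {
  include WWW
  ipsrc: $HOME_NET
}
match_rule (WWW_EXPLOIT && ! LOCAL_WWW) {
  action: reset
  plugin: report_exploit_to_cluster
}
match_rule (LOCAL_WWW) {
  action: allow
}"""
```

Feeding the post's own ruleset the same SOME_EXPLOIT payload from 203.0.113.7 and from 10.1.2.3 gives the verdict 'reset' for the first and 'allow' for the second: LOCAL_WWW is true for any $HOME_NET source, so the 'allow' rule fires for local exploit traffic as well, which is the kind of interaction that evaluating named matches once and looking at the returned truth table makes easy to spot. resolve() rejects include cycles, an undefined match name in a match_rule raises KeyError instead of silently evaluating false, and anything other than names and boolean operators in an expression (a function call, for instance) is refused by the AST walk.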