[Oisf-wg-ruleslanguage] YAML

Frank Knobbe frank at knobbe.us
Sat Aug 8 18:02:53 UTC 2009


On Fri, 2009-08-07 at 09:25 -0400, Matt C wrote:
> In the rules language I think this could be very useful:
> 
> http://en.wikipedia.org/wiki/YAML#Relational_trees
> 
> Basically you define one rule, and then subsequent rules could
> reference the base rule, only providing changes.  Say for example 500
> snort rules all have the same header, "alert tcp $EXTERNAL_NET any ->
> $HOME_NET any".  Why specify that on every single rule?  Why not
> specify the header on one rule, and then reference that rule from all
> of the other rules?


Because if you break it out, each rule no longer stands on its own.
Forget about using CVS for the signature repository then :) It will also
make sharing of signatures harder since you now also have to refer to and
share base rules. It might turn into a mess, or less sharing of
signatures (think ISC).

I think each rule should still stand on its own. Yes, it may appear
redundant if you look at the rules file, but you can disable a single
rule, or add/remove/change a single rule, without having to backtrack
through the rules file to see what sigs are affected.

Let's say you have two web signature rules. If you make it three (one
base rule, and two references with additional matches), and you want to
change the src/dst on a rule, that change would affect two rules now. So
if you only wanted to change one, you'd have to split them back into two
separate rules.

I really think you want to keep it simple and let each rule stand on
its own.

Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
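The trade-off discussed above, as an added example that is not part of the original thread or of any Suricata code: a small Python model of a "relational" rule tree, where derived rules reference a base rule and override only what differs, with a function that flattens it back into self-contained Snort/Suricata rule lines and a helper that lists which rules a change to a base would touch. The rule names, sids and messages are constructed, and plain dicts with an assumed `extends` key stand in for YAML anchors and merge keys.

```python
from typing import Dict, List

# Constructed sample tree. In YAML this would use an anchor (&web_base) and
# merge keys (<<: *web_base); plain dicts with an "extends" key stand in here.
RULE_TREE: Dict[str, dict] = {
    "web_base": {
        "action": "alert", "proto": "tcp",
        "src": "$EXTERNAL_NET", "sport": "any",
        "dst": "$HOME_NET", "dport": "$HTTP_PORTS",
    },
    "web_cmd_exec": {"extends": "web_base", "sid": 1000001,
                     "msg": "WEB possible command execution", "content": "/bin/sh"},
    "web_traversal": {"extends": "web_base", "sid": 1000002,
                      "msg": "WEB directory traversal", "content": "../.."},
}

def ancestors(tree: Dict[str, dict], name: str) -> List[str]:
    """Base rules a given rule inherits from, nearest first."""
    chain = []
    base = tree[name].get("extends")
    while base is not None:
        chain.append(base)
        base = tree[base].get("extends")
    return chain

def resolve(tree: Dict[str, dict], name: str) -> dict:
    """Merge a rule with its bases; the most specific definition wins."""
    merged: dict = {}
    for base in reversed(ancestors(tree, name)):
        merged.update(tree[base])
    merged.update(tree[name])
    merged.pop("extends", None)
    return merged

def flatten(tree: Dict[str, dict]) -> List[str]:
    """One self-contained rule line per concrete rule (abstract bases have no sid)."""
    lines = []
    for name in tree:
        r = resolve(tree, name)
        if "sid" not in r:
            continue
        lines.append(
            f'{r["action"]} {r["proto"]} {r["src"]} {r["sport"]} -> {r["dst"]} {r["dport"]} '
            f'(msg:"{r["msg"]}"; content:"{r["content"]}"; sid:{r["sid"]}; rev:1;)'
        )
    return lines

def affected_by(tree: Dict[str, dict], base_name: str) -> List[str]:
    """Rules whose flattened text changes when base_name is edited."""
    return [n for n in tree if base_name in ancestors(tree, n)]
```

Running `affected_by` before editing a base gives the "what sigs are affected" answer that the reply says you would otherwise have to find by hand; `flatten` produces the standalone form the reply argues for.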
