[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Frank Knobbe frank at knobbe.us
Thu Jul 30 19:28:28 UTC 2009


> Matt Jonkman wrote:
> > For Snort Syntax Support:
> >
> >     * How to handle the problems associated with adding directives to
> > support new functionality and divergence/compatibility.
> >     * Which Snort syntax directives are used frequently enough to be
> > implemented in the new engine for backwards compatibility

Why not implement most if not all Snort rule options? The language could
be constructed such that snort alerts are written as:

<snort>
alert tcp $HOME_NET ...etc
</snort>

or:

snort alert $HOME_NET ...etc

The latter would require each existing Snort rule to be prefixed, so
having some sort of "bracket" around sigs to classify them might be the
better option. Then you could do something like this:

<snort>
include emerging-web.rules
include emerging-dos.rules
</snort>

<oisf>
...
</oisf>

Maybe even:
<bro>
...
</bro>


The rule parser just needs to be able to identify what rule type it's
parsing into your internal trees. You just call different parsing
functions depending on rule type.

Thoughts?

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
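The bracketed layout and per-type dispatch sketched in the post above, as an added Python example (not from this thread or from any OISF engine code): it splits a rule file into tagged sections, rejects nested, mismatched or unterminated tags, and hands each line to the parser registered for that section type. The tag names, the handling of `include` inside a section, the Snort header split and the constructed sample ruleset are all assumptions.

```python
import re

# Constructed sample in the bracketed layout proposed in the post.
SAMPLE = """<snort>
include emerging-web.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"example"; sid:1000001;)
</snort>
<oisf>
include oisf-core.rules
</oisf>"""

TAG_RE = re.compile(r"^<(/?)([A-Za-z]+)>$")

def parse_snort(line):
    # Parse the Snort rule header only; the option block stays raw text.
    head, _, opts = line.partition("(")
    f = head.split()
    if len(f) != 7 or f[4] not in ("->", "<>"):
        raise ValueError(f"bad Snort header: {line!r}")
    return {"action": f[0], "proto": f[1], "src": f[2], "sport": f[3], "dir": f[4],
            "dst": f[5], "dport": f[6], "options": opts.rstrip(")").strip()}

parse_raw = lambda line: {"raw": line}  # syntaxes the thread has not defined: keep verbatim

# Dispatch table: one parsing function per bracket type (tag names are assumed).
PARSERS = {"snort": parse_snort, "oisf": parse_raw, "bro": parse_raw}

def parse_ruleset(text):
    # Split the file into tagged sections and dispatch each line by section type.
    records, current = [], None
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if m:
            closing, name = m.group(1) == "/", m.group(2).lower()
            if name not in PARSERS:
                raise ValueError(f"line {lineno}: unknown rule type <{name}>")
            if (closing and current != name) or (not closing and current):
                raise ValueError(f"line {lineno}: nested or mismatched tag {line}")
            current = None if closing else name
        elif current is None:
            raise ValueError(f"line {lineno}: rule outside any <type> section")
        elif line.startswith("include "):
            records.append({"syntax": current, "include": line[8:].strip()})
        else:
            records.append({"syntax": current, **PARSERS[current](line)})
    if current is not None:
        raise ValueError(f"unterminated <{current}> section")
    return records
```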
