[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Shirkdog shirkdog at gmail.com
Thu Jul 30 21:40:54 UTC 2009


I agree, you want this to be as OPEN as possible. XML is a great idea
to store this stuff.

Something like

<oisf signature-type="snort">

</oisf>

---
Shirkdog
Free your Mind...
http://www.shirkdog.us



On Thu, Jul 30, 2009 at 3:28 PM, Frank Knobbe <frank at knobbe.us> wrote:
>> Matt Jonkman wrote:
>> > For Snort Syntax Support:
>> >
>> >     * How to handle the problems associated with adding directives to
>> > support new functionality and divergence/compatibility.
>> >     * Which Snort syntax directives are used frequently enough to be
>> > implemented in the new engine for backwards compatibility
>
> Why not implement most if not all Snort rule options? The language could
> be constructed such that snort alerts are written as:
>
> <snort>
> alert tcp $HOME_NET ...etc
> </snort>
>
> or:
>
> snort alert $HOME_NET ...etc
>
> The latter would require each existing Snort rule to be prefixed, so
> having some sort of "bracket" around sigs to classify them might be the
> better option. Then you could do something like this:
>
> <snort>
> include emerging-web.rules
> include emerging-dos.rules
> </snort>
>
> <oisf>
> ...
> </oisf>
>
> Maybe even:
> <bro>
> ...
> </bro>
>
>
> The rule parser just needs to be able to identify what rule type it's
> parsing into your internal trees. You just call different parsing
> functions depending on rule type.
>
> Thoughts?
>
> -Frank
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>
> _______________________________________________
> Oisf-wg-ruleslanguage mailing list
> Oisf-wg-ruleslanguage at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
>
>
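As an added example, not code from this thread or from any OISF project: a small Python parser for the bracketed layout Frank sketches above, where each section tag selects the parsing function applied to the lines inside it. The tag names, the per-type parser functions, the error checks and the sample rules file are all assumptions or constructed for illustration.

```python
import re

# Constructed sample rules file in the bracketed layout discussed in the thread.
SAMPLE_RULES = """\
<snort>
include emerging-web.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed example"; sid:1000001;)
</snort>

<oisf>
flow: to_server
</oisf>
"""

OPEN_TAG = re.compile(r"^<(\w+)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")

def parse_snort(line):
    """Hypothetical Snort-section parser: 'include' lines vs. rule lines."""
    if line.startswith("include "):
        return ("include", line.split(None, 1)[1])
    action, rest = line.split(None, 1)
    return ("rule", {"action": action, "body": rest})

def parse_oisf(line):
    """Hypothetical native-section parser: 'key: value' options."""
    key, _, value = line.partition(":")
    return ("option", {key.strip(): value.strip()})

# Dispatch table: section tag -> parsing function for that rule type.
PARSERS = {"snort": parse_snort, "oisf": parse_oisf}

def parse_ruleset(text):
    """Return a list of (rule_type, kind, payload); reject malformed bracketing."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_TAG.match(line):
            if current is not None:
                raise ValueError(f"line {lineno}: nested <{m.group(1)}> inside <{current}>")
            if m.group(1) not in PARSERS:
                raise ValueError(f"line {lineno}: unknown rule type <{m.group(1)}>")
            current = m.group(1)
        elif m := CLOSE_TAG.match(line):
            if m.group(1) != current:
                raise ValueError(f"line {lineno}: </{m.group(1)}> does not close <{current}>")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: rule text outside any section")
        else:
            kind, payload = PARSERS[current](line)
            entries.append((current, kind, payload))
    if current is not None:
        raise ValueError(f"unterminated <{current}> section")
    return entries
```

Rule text outside a section, an unknown tag, or an unterminated section is rejected up front, so a rules file never silently falls through to the wrong parser.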
