[Oisf-wg-ruleslanguage] OISF Rules Syntax Working Group Kickoff

Brian Rectanus brectanu at gmail.com
Fri Jul 31 17:39:04 UTC 2009


I don't particularly care for XML for this.  While it is nice for
interoperability (ie for machines to read), it is a real pain to write rules
with this syntax (too verbose and too error prone to write by hand in vim,
heh).  I'd much rather see a simpler rule language that is easy for humans
to write and, probably more important, read and understand.

On Thu, Jul 30, 2009 at 2:40 PM, Shirkdog <shirkdog at gmail.com> wrote:

> I agree, you want this to be as OPEN as possible. XML is a great idea
> to store this stuff.
>
> Something like
>
> <oisf signature-type="snort">
>
> </oisf>
>
> ---
> Shirkdog
> Free your Mind...
> http://www.shirkdog.us
>
>
>
> On Thu, Jul 30, 2009 at 3:28 PM, Frank Knobbe<frank at knobbe.us> wrote:
> >> Matt Jonkman wrote:
> >> > For Snort Syntax Support:
> >> >
> >> >     * How to handle the problems associated with adding directives to
> >> > support new functionality and divergence/compatibility.
> >> >     * Which Snort syntax directives are used frequently enough to be
> >> > implemented in the new engine for backwards compatibility
> >
> > Why not implement most if not all Snort rule options? The language could
> > be constructed such that snort alerts are written as:
> >
> > <snort>
> > alert tcp $HOME_NET ...etc
> > </snort>
> >
> > or:
> >
> > snort alert $HOME_NET ...etc
> >
> > The latter would require each existing Snort rule to be prefixed, so
> > having some sort of "bracket" around sigs to classify them might be the
> > better option. Then you could do something like this:
> >
> > <snort>
> > include emerging-web.rules
> > include emerging-dos.rules
> > </snort>
> >
> > <oisf>
> > ...
> > </oisf>
> >
> > Maybe even:
> > <bro>
> > ...
> > </bro>
> >
> >
> > The rule parser just needs to be able to identify what rule type it's
> > parsing into your internal trees. You just call different parsing
> > functions depending on rule type.
> >
> > Thoughts?
> >
> > -Frank
> >
> >
> > --
> > It is said that the Internet is a public utility. As such, it is best
> > compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> > against your ports.
> >
> >
> > _______________________________________________
> > Oisf-wg-ruleslanguage mailing list
> > Oisf-wg-ruleslanguage at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
> >
> >
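Frank's sketch above (a bracket tag such as `<snort>` or `<oisf>` selects which parsing function a rule line is handed to) can be shown as a small loader. The code below is an added example written for this page, not OISF or Suricata code: the `<snort>`/`<oisf>`/`<bro>` tags, the `include` lines and the `alert tcp $HOME_NET ...` shape are taken from the thread, while the record types, the parser registry and the sample rule file are constructed for illustration. Attribute-bearing tags like `<oisf signature-type="snort">` are not handled. The loader fails closed: an unknown block type, a nested or unterminated block, or a rule outside any block is an error rather than something silently skipped.

```python
"""Block-tagged rule loader: the tag picks the parser (illustrative, not project code)."""
import re
from dataclasses import dataclass

# A block opener/closer is a tag alone on its line, e.g. "<snort>" / "</snort>".
OPEN_TAG = re.compile(r"^<(?P<kind>[a-z]+)>$")
CLOSE_TAG = re.compile(r"^</(?P<kind>[a-z]+)>$")

# Snort rule actions accepted by the toy Snort parser (assumed subset).
SNORT_ACTIONS = {"alert", "log", "pass", "drop", "reject"}


@dataclass
class SnortRule:
    action: str
    proto: str
    rest: str  # addresses, ports and the option list, kept unparsed here


@dataclass
class Include:
    kind: str  # which rule syntax the included file is in
    path: str  # resolve this relative to a fixed rules directory, never verbatim


@dataclass
class OisfRule:
    raw: str  # the thread defines no OISF-native syntax, so the line is kept raw


def parse_snort_line(line):
    """Parse one Snort-syntax line: either an include or an <action> <proto> ... rule."""
    tok = line.split(None, 2)
    if tok[0] == "include":
        if len(tok) != 2:
            raise ValueError(f"malformed include: {line!r}")
        return Include("snort", tok[1])
    if len(tok) < 3 or tok[0] not in SNORT_ACTIONS:
        raise ValueError(f"unrecognised snort rule: {line!r}")
    return SnortRule(action=tok[0], proto=tok[1], rest=tok[2])


def parse_oisf_line(line):
    """Placeholder parser for the not-yet-designed OISF syntax."""
    return OisfRule(raw=line)


# Dispatch table: the block tag names the parsing function, as Frank describes.
# <bro> is deliberately absent, so a <bro> block is rejected rather than guessed at.
PARSERS = {"snort": parse_snort_line, "oisf": parse_oisf_line}


def load_rules(text):
    """Return parsed records for a rule file; raise ValueError on any structural error."""
    records = []
    current = None  # kind of the block we are inside, or None at top level
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <{m['kind']}> inside <{current}>")
            if m["kind"] not in PARSERS:
                raise ValueError(f"line {lineno}: unknown rule type <{m['kind']}>")
            current = m["kind"]
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if m["kind"] != current:
                raise ValueError(f"line {lineno}: stray </{m['kind']}>")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule outside any <type> block")
        records.append(PARSERS[current](line))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return records


# Constructed sample rule file mirroring the layout proposed in the thread.
SAMPLE = """\
<snort>
include emerging-web.rules
include emerging-dos.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed example"; sid:1000001;)
</snort>

<oisf>
example native rule text
</oisf>
"""

if __name__ == "__main__":
    for rec in load_rules(SAMPLE):
        print(rec)
```

Adding a rule syntax is then a matter of registering one more parsing function in `PARSERS`; everything else about file structure, block nesting and error reporting stays shared, which is the point of classifying signatures by bracket rather than by prefixing every line.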