[Discussion] conditional signature loading

Victor Julien lists at inliniac.net
Thu Mar 5 07:26:41 UTC 2009


I was wondering about the possible usefulness of an extension of the
signature language. Right now in Snort one can limit the signatures
loaded by the selection of which signature files are included in the
config, by having oinkmaster disable specific signatures and of course by
manually editing the sig files to comment out certain sigs.

The idea I'm thinking about is having a way to enable or disable blocks
of signatures using condition statements. For example (don't mind the
syntax for now):

#ifndef IGNORE_EDONKEY
<edonkey sigs>
#endif

The above would mean that unless there is a configuration directive
defined called 'IGNORE_EDONKEY', the edonkey sigs are loaded.

I can see use for this for e.g. badly performing sigs, likely fp sigs,
ignoring certain protocols, applications, http server brands, etc.

It would be in addition to oinkmaster, not to replace it per se.

The idea would be that creators of rulesets would predefine most of these
statements.

Thoughts anyone?

Cheers,
Victor
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
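The loader sketched in the post above, as an added example that is not part of the original message and not code from Snort, Suricata or oinkmaster. It assumes a preprocessor-style syntax with `#ifdef NAME`, `#ifndef NAME` and `#endif` lines inside an otherwise ordinary rule file, supports nesting, rejects unbalanced blocks, and takes the set of defined directive names (such as `IGNORE_EDONKEY`) from the configuration. The rule lines, sids and the `VERBOSE_P2P` name are constructed sample data.

```python
"""Conditional signature loading with #ifdef / #ifndef / #endif blocks (hypothetical syntax)."""
import re
from typing import Iterable, List, Set

# Constructed sample rule file: Snort-style rule lines mixed with the
# hypothetical conditional directives. Sids are made up for the example.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"always loaded"; sid:1000001; rev:1;)
#ifndef IGNORE_EDONKEY
alert tcp any any -> any 4662 (msg:"edonkey sample"; sid:1000002; rev:1;)
#ifdef VERBOSE_P2P
alert tcp any any -> any 4672 (msg:"edonkey verbose sample"; sid:1000003; rev:1;)
#endif
#endif
# an ordinary comment, not a directive
alert tcp any any -> any 443 (msg:"also always loaded"; sid:1000004; rev:1;)
"""


class ConditionalSyntaxError(ValueError):
    """Raised for malformed or unbalanced conditional directives."""


def load_signatures(lines: Iterable[str], defined: Set[str]) -> List[str]:
    """Return the rule lines that survive the conditional directives.

    A stack of booleans records, for each open block, whether its condition
    held. A rule is loaded only when every enclosing block is active, so a
    nested #ifdef inside a disabled #ifndef stays disabled regardless of its
    own condition.
    """
    block_stack: List[bool] = []
    loaded: List[str] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        parts = line.split()
        directive = parts[0] if parts else ""

        if directive in ("#ifdef", "#ifndef"):
            if len(parts) != 2:
                raise ConditionalSyntaxError(
                    f"line {lineno}: {directive} takes exactly one name")
            name = parts[1]
            cond = (name in defined) if directive == "#ifdef" else (name not in defined)
            block_stack.append(cond)
            continue
        if directive == "#endif":
            if not block_stack:
                raise ConditionalSyntaxError(
                    f"line {lineno}: #endif without a matching #ifdef/#ifndef")
            block_stack.pop()
            continue
        if not line or line.startswith("#"):
            continue  # blank line or ordinary comment
        if all(block_stack):  # all() of an empty stack is True: top level
            loaded.append(line)

    if block_stack:
        raise ConditionalSyntaxError(
            f"end of file with {len(block_stack)} unterminated conditional block(s)")
    return loaded


def loaded_sids(rule_text: str, defined: Set[str]) -> List[int]:
    """Convenience helper: sids of the rules that would be loaded."""
    sids = []
    for rule in load_signatures(rule_text.splitlines(), defined):
        m = re.search(r"\bsid:(\d+)", rule)
        if m:
            sids.append(int(m.group(1)))
    return sids


if __name__ == "__main__":
    print("default:", loaded_sids(SAMPLE_RULES, set()))
    print("IGNORE_EDONKEY:", loaded_sids(SAMPLE_RULES, {"IGNORE_EDONKEY"}))
```

Defining `IGNORE_EDONKEY` drops both edonkey rules, including the nested `VERBOSE_P2P` block, while leaving the unconditional rules untouched; an `#endif` without an opener or an unterminated block is reported with its line number rather than silently loading or dropping rules past the error.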