[Discussion] [In the Weeds] Defining By Negation (Well, Actually, By Default)

Martin Fong martin.fong at sri.com
Thu Mar 12 20:29:21 UTC 2009


The current Snort variable syntax permits the Bourne shell-like syntax

     $(var:-default)

but unlike Bourne shell, Snort does not permit "default" to be
_empty_.  This works fine for requisite variables bound to rule action
parameters, but this constraint is unnecessarily restrictive for
preprocessors that employ their own parsers (in my case, I want
users to optionally specify whitelisted IP addresses, CIDRs, ports, and
port ranges; thus, as part of the BotHunter Snort patches, I patched
parser.c to meet my needs).  My frustration is that the Snort
implementation diverged from the underlying Bourne shell variable
model, and that its documentation only documented the syntax, but not
the semantics, of its rule grammar.  Or, at a higher level, (1) when
we decide to adopt a design paradigm, let's not bait-and-switch, and
(2) let's create much more comprehensive and useful documentation.

      Cheers!

      ...Martin
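
The difference described in the message above, as an added example that is not part of the original post and is not code from Snort's parser.c or the BotHunter patches: a small model of `$(var:-default)` expansion in which `allow_empty` switches between rejecting an empty default and the Bourne shell behaviour of expanding it to nothing. The function name, return codes, the variable table and the `WHITELIST` variable are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed variable table standing in for "var" definitions (sample data). */
static const char *lookup(const char *name, size_t len) {
    static const char *tbl[][2] = { {"HOME_NET", "10.0.0.0/8"}, {"EMPTY_SET", ""} };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strlen(tbl[i][0]) == len && strncmp(tbl[i][0], name, len) == 0)
            return tbl[i][1];
    return NULL; /* unset */
}

/*
 * Expand one "$(name:-default)" reference into out (hypothetical helper).
 * Returns 0 on success, -1 on a syntax error or a too-small buffer, and
 * -2 when the default is empty and allow_empty is 0 (the restriction the
 * post describes; rejecting at parse time is this model's assumption).
 */
int expand_default(const char *expr, int allow_empty, char *out, size_t outsz) {
    size_t n = strlen(expr);
    if (n < 4 || strncmp(expr, "$(", 2) != 0 || expr[n - 1] != ')')
        return -1;
    const char *name = expr + 2;
    const char *sep = strstr(name, ":-");
    if (sep == NULL || sep == name)
        return -1;
    const char *src = sep + 2;                        /* start of default text */
    size_t len = (size_t)((expr + n - 1) - src);      /* up to the closing ')' */
    if (len == 0 && !allow_empty)
        return -2;
    const char *val = lookup(name, (size_t)(sep - name));
    /* Bourne ":-" rule: keep the value only if it is set AND non-empty. */
    if (val != NULL && val[0] != '\0') { src = val; len = strlen(val); }
    if (len >= outsz)
        return -1;
    memcpy(out, src, len);
    out[len] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    const char *exprs[] = { "$(HOME_NET:-any)", "$(WHITELIST:-)" };
    for (int mode = 0; mode <= 1; mode++)
        for (int i = 0; i < 2; i++) {
            int rc = expand_default(exprs[i], mode, buf, sizeof buf);
            printf("allow_empty=%d %-18s rc=%d value=\"%s\"\n",
                   mode, exprs[i], rc, rc == 0 ? buf : "");
        }
    return 0;
}
```

With `allow_empty` set, an unset optional variable expands to an empty string that a preprocessor's own parser can treat as "no whitelist"; without it, the same configuration line is rejected before the preprocessor ever sees it.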