Snort mailing list archives

Re: DB Rules


From: Chris Green <cmg () uab edu>
Date: 17 Aug 2001 21:12:38 -0500

Charles Henrich <henrich () sigbus com> writes:

It would be really cool if snort could read its rulesets from the database
source.  That way remote sensors who are talking directly to the central DB
server could get immediate rule updates, and make administration of a snort
network much easier.. (IMHO).  Whacha think?


I've done a small bit of work on that.  Designing the schema isn't too
bad and writing a parser for the snort rules language isn't too bad
(doable in a weekend) but keeping up with Marty and new
options/features can be bad :)

I will admit I have a bit of difficulty writing a lex/yacc type
grammar for the rule set b/c it's got a lot of separate rules for
tokenization and I'm no compiler whiz.

At snort 2.0, the goal is to have a modular rules engine so everyone
can write whatever type of rule engine they would like.
-- 
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
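The tokenization problem Chris describes above, as an added illustration that is not part of this thread or of Snort's own code: a small Python parser for a Snort-1.x-style rule (header plus `(option:value; ...)` body) that honours quoted option values containing `;`, which is exactly the case a naive `split(';')` gets wrong. The sample rule and its SID are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Header: action proto src sport direction dst dport, then "(" options ")".
_HEADER = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # (keyword, value-or-None)

def tokenize_options(text):
    """Split the option body on ';' while honouring double-quoted values,
    which may contain ';' or a backslash-escaped quote."""
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and in_quote and i + 1 < len(text):
            buf.append(text[i:i + 2]); i += 2; continue   # keep escape intact
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        raise ValueError('unterminated quoted string in options')
    if ''.join(buf).strip():
        raise ValueError('option body must end with ";"')
    parsed = []
    for raw in (o.strip() for o in opts):
        if raw:
            key, sep, val = raw.partition(':')   # "nocase" has no value
            parsed.append((key.strip(), val.strip() if sep else None))
    return parsed

def parse_rule(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError('malformed rule header')
    return Rule(m['action'], m['proto'], m['src'], m['sport'], m['dir'],
                m['dst'], m['dport'], tokenize_options(m['opts']))

# Constructed sample rule (not a real Snort signature; SID is a placeholder).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-MISC cmd.exe; test"; content:"cmd.exe"; nocase; '
               'flags:A+; sid:1000001; rev:1;)')
```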

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

