Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 23 Jan 2012 23:25:17 -0500
On 01/23/2012 16:20, Jason Brvenik wrote:

> Does it? The way I see it, it makes management of the ruleset a lot easier and lowers the bar of entry. Instead of this arcane file all jumbled up and parsed through by perl to parse rules to get some semblance of a configuration, all I have to edit is a "state" file with the gid:sid:rev and state.

I should probably highlight that not everyone uses scripts to manage rules. As insane as it sounds, I actually find that using a plain text editor with decent long-line support (metapad, notepad++, $EDITOR) works pretty well. I just make sure to align 'msg' and 'sid' as the first two options in the rule so that on a widescreen monitor, I can easily spot-check what rules are what. This is also why I referenced git as a good RCS for managing it, because it's quick, simple, and provides a lot of tricks to visualize changes (such as per-keyword highlighting, and you can supply your own pcre pattern to match keywords for the really tricky ones).

> If I want to turn on 1:234:5 and have it block, I just modify rule.state to have "1:234:5 block, alert" #block and notify through an alert, instead of my monolithic and arcane PulledPork configuration.
>
> If I want the message for the event to be a bit more relevant to my helpdesk, I also modify the msg in rule.msg: "1:234:* VIRUS DETECTION - SOME NORMAL MESSAGE"
>
> If I want to disable a rule where the default is on, I just make my rule.state have "1:234:* disabled, notify" #override

Arguably, this kind of functionality is probably better suited in some kind of rules manager app that feeds off of a flat text file(s) of rules (and other configurations). Its job would be to parse up the configuration and present it to a user in a format like you describe, probably with some kind of GUI or command shell to allow quick modification of rule options and rule states. Snort rules are basically a kind of complex string...which makes them tough to parse effectively. Marty's more block-oriented design would make parsing 10x easier for community scripts/programs, but it'd fluff up a large rules file by several orders of magnitude. Probably a minor trade-off in the end, to be honest. Implementing that change would not be easy by any stretch, however.

> Ease of use drives adoption, and I think that we can agree that we all want more security driven into networks to help with the larger goal of peace and tranquility. It should be the goal of every effort (limited by reality, of course) that the tools we produce are as easy to use as possible without diluting the purpose of them.

Agreed. I actually started on a partial rules parser/editor in .NET for kicks and giggles (which is why I was hunting down undocumented elements of several options a while back). Downside of .NET is it isn't very portable to Linux/BSD...I was hoping on Mono to take care of that, but with Novell's recent dismemberment, I am gonna have to find a new language if I ever get back to that project. Maybe Python, maybe Ruby, maybe TCL, or some other esoteric language. Original end goal was a GUI-based program to parse just Snort rules, allow some quick editing, then spit them back out into a text file. Kinda like a notepad-for-Snort. I've obviously had to re-think that quite a bit, though.

>> Combine a text-based ruleset with an RCS like git, and you can solve a majority of human-error problems, especially if you have multiple eyes reviewing the ruleset (and the RCS history).
>
> Solving one problem by creating another toolchain dependency, isn't that a clear indication of a problem with rules as they stand?

I personally wouldn't call it a toolchain dependency, but even so, it's two tools that are widely available and in widespread use across the open-source world. And using a text editor is about as bare-bones as you can get with rule management anyways.

Cheers,

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
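As an added illustration of the rules manager idea discussed in this message (example code, not from the thread, Snort or PulledPork): a small Python tool that pulls gid/sid/rev and msg out of single-line Snort rules and applies a rule.state and a rule.msg file in the "gid:sid:rev value" shape Jason sketches. The file grammar (first token is an action, "disabled" or "enabled", rev may be "*", text after "#" is a comment), the wildcard precedence, and the sample rules are my assumptions/constructed.

```python
import re

# Rule options this thread cares about: gid/sid/rev identify a rule, msg is what the helpdesk sees.
_IDS = {k: re.compile(rf"\b{k}\s*:\s*(\d+)\s*;") for k in ("gid", "sid", "rev")}
_MSG = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_ACTION = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|sdrop|reject|block)\b")

def rule_ids(rule):
    """(gid, sid, rev) of a single-line rule; gid defaults to 1, rev to 0; None without a sid."""
    f = {k: int(m.group(1)) for k, r in _IDS.items() if (m := r.search(rule))}
    return (f.get("gid", 1), f["sid"], f.get("rev", 0)) if "sid" in f else None

def parse_overrides(text):
    """Parse 'gid:sid:rev value' lines (assumed format); rev may be '*'; '#' starts a comment."""
    out = {}
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key:
            g, s, r = key.split(":")
            out[(int(g), int(s), None if r == "*" else int(r))] = value.strip()
    return out

def lookup(table, gid, sid, rev):
    """An exact gid:sid:rev entry wins over the gid:sid:* wildcard (assumed precedence)."""
    return table.get((gid, sid, rev), table.get((gid, sid, None)))

def apply_overrides(rules_text, state_text, msg_text):
    """Return the ruleset lines with rule.state and rule.msg overrides applied."""
    states, msgs, out = parse_overrides(state_text), parse_overrides(msg_text), []
    for line in rules_text.splitlines():
        ids = _ACTION.match(line) and rule_ids(line)   # skip blanks, comments, sid-less lines
        if ids and (state := lookup(states, *ids)):
            first = state.split(",")[0].strip()        # "block, alert" -> "block"
            line = line.lstrip("# ")                   # start from the enabled form
            if first == "disabled":
                line = "# " + line
            elif first != "enabled":                   # explicit action replaces the original
                line = _ACTION.sub(first, line, count=1)
        if ids and (msg := lookup(msgs, *ids)):
            line = _MSG.sub(lambda m: f'msg:"{msg}";', line, count=1)
        out.append(line)
    return out

# Constructed sample ruleset and override files (not taken from the thread).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example"; sid:234; rev:5;)
# alert tcp any any -> any 25 (msg:"SMTP example"; sid:300; rev:2;)
alert udp any any -> any 53 (msg:"DNS example"; sid:400; rev:1;)
"""
SAMPLE_STATE = "1:234:5 block, alert  # block and notify\n1:300:* enabled, alert\n1:400:* disabled, notify  # override\n"
SAMPLE_MSG = "1:234:* VIRUS DETECTION - SOME NORMAL MESSAGE\n"
```

Multi-line rules (backslash continuations) are not handled; join them first if your ruleset uses them.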