Snort mailing list archives

Re: [Snort-users] threshold -- is it really deprecated?


From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 23 Jan 2012 23:25:17 -0500

On 01/23/2012 16:20, Jason Brvenik wrote:


> Does it? The way I see it, it makes management of the rules set a lot
> easier and lowers the bar of entry. Instead of this arcane file all
> jumbled up and parsed through by perl to parse rules to get some
> semblance of a configuration all I have to edit is a "state" file with
> the gid:sid:rev and state


I should probably highlight that not everyone uses scripts to manage rules.
As insane as it sounds, I actually find that using a plain text editor with
decent long-line support (metapad, notepad++, $EDITOR) works pretty well.  I
just make sure to align 'msg' and 'sid' as the first two options in the rule
so that on a widescreen monitor, I can easily spot check what rules are what.

This is also why I referenced git as a good RCS for managing it, because
it's quick, simple, and provides a lot of tricks to visualize changes (such
as per-keyword highlighting, and you can supply your own pcre pattern to
match keywords for the really tricky ones).


> If I want to turn on 1:234:5 and have it block I just modify rule.state to have
>
> "1:234:5 block, alert" #block and notify through an alert
>
> instead of my monolithic and arcane pulled pork configuration
>
> If I want the message for the event to be a bit more relevant to my
> helpdesk I also modify the msg in rule.msg
>
> "1:234:* VIRUS DETECTION - SOME NORMAL MESSAGE"
>
> If I want to disable a rule where the default is on I just
> make my rule.state have
> "1:234:* disabled, notify" #override


Arguably, this kind of functionality is probably better suited in some kind
of rules manager app that feeds off of a flat text file(s) of rules (and
other configurations).  Its job would be to parse up the configuration and
present it to a user in a format like you describe, probably with some kind
of GUI or command shell to allow quick modification of rule options and rule
states.

Snort rules are basically a kind of complex string...which makes them tough
to parse effectively.  Marty's more block-oriented design would make parsing
10x easier for community scripts/programs, but it'd fluff up a large rules
file by several orders of magnitude.  Probably a minor trade-off in the end,
to be honest.  Implementing that change would not be easy by any stretch,
however.


> Ease of use drives adoption and I think that we can agree that we all
> want more security driven into networks to help with the larger goal
> of peace and tranquility. It should be the goal of every effort
> (limited by reality of course) that the tools we produce are as easy
> to use as possible without diluting the purpose of them.


Agreed.  I actually started on a partial rules parser/editor in .NET for
kicks and giggles (which is why I was hunting down undocumented elements of
several options a while back).  Downside of .NET is it isn't very portable
to Linux/BSD...I was hoping on Mono to take care of that, but with Novell's
recent dismemberment, I am gonna have to find a new language if I ever get
back to that project.  Maybe Python, maybe Ruby, maybe TCL, or some other
esoteric language.

Original end goal was a GUI-based program to parse just Snort rules, allow
some quick editing, then spit them back out into a text file.  Kinda like a
notepad-for-Snort.  I've obviously had to re-think that quite a bit, though.


>> Combine a text-based ruleset with a RCS like git, and you can solve a
>> majority of human-error problems, especially if you have multiple eyes
>> reviewing the ruleset (and the RCS history).
>
> Solving one problem by creating another tool chain dependency, isn't
> that a clear indication of a problem with rules as they stand?


I personally wouldn't call it a toolchain dependency, but even so, it's two
tools that are widely available and in widespread use across the open-source
world.  And using a text editor is about as bare-bones as you can get with
rule management anyways.


Cheers,

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: signature.asc
Description: OpenPGP digital signature
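The rule.state / rule.msg overlay Jason sketches above, and the rule parser Joshua describes, as an added example that is not code from either poster, from Snort or from PulledPork: it assumes a hypothetical, simplified Snort 2 rule grammar, treats "disabled" as commenting a rule out and writes any other state token verbatim as the rule's action (mapping tokens such as "block, alert" onto the actions a given Snort version accepts is deliberately left out), and lets an exact gid:sid:rev entry beat a gid:sid:* wildcard.

```python
import re
# Hypothetical, simplified grammar for a Snort 2 rule line: "[#]action header (options)"
RULE_RE = re.compile(r'^\s*(?P<off>#\s*)?(?P<action>[a-z]+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'\s*((?:[^;"]|"(?:[^"\\]|\\.)*")+);')  # one option, up to an unquoted ';'
OVR_RE = re.compile(r'^"?(\d+):(\d+):(\d+|\*)\s+(.*?)"?\s*(?:#.*)?$')  # gid:sid:rev value  # comment

def parse_rule(line):  # -> dict for a rule line, None for anything else
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = [[k.strip(), v.strip() or None] for k, _, v in
            (o.partition(':') for o in OPT_RE.findall(m.group('opts')))]
    byname = dict(opts)  # last value wins; fine for gid/sid/rev
    return {'off': bool(m.group('off')), 'action': m.group('action'), 'header': m.group('header'),
            'opts': opts, 'id': (byname.get('gid', '1'), byname.get('sid'), byname.get('rev', '0'))}

def render(rule):
    opts = ' '.join(f'{k}:{v};' if v is not None else f'{k};' for k, v in rule['opts'])
    return ('# ' if rule['off'] else '') + f"{rule['action']} {rule['header']} ({opts})"

def load_overlay(text):  # rule.state / rule.msg style lines -> {(gid, sid, rev): value}; rev may be '*'
    return {m.group(1, 2, 3): m.group(4) for m in map(OVR_RE.match, map(str.strip, text.splitlines())) if m}

def rewrite(rule, states, msgs):
    gid, sid, rev = rule['id']
    find = lambda t: t.get((gid, sid, rev), t.get((gid, sid, '*')))  # exact rev beats the '*' wildcard
    state = find(states)
    if state:
        action = state.split(',')[0].strip()  # "block, alert": only the first token is applied
        rule['off'] = action == 'disabled'    # 'disabled' comments the rule out; anything else enables it
        if not rule['off']:
            rule['action'] = action
    msg = find(msgs)
    for opt in rule['opts']:
        if msg and opt[0] == 'msg':
            opt[1] = '"%s"' % msg.strip('"')
    return render(rule)

def apply_overlay(rules_text, state_text, msg_text):
    states, msgs = load_overlay(state_text), load_overlay(msg_text)
    return '\n'.join(rewrite(r, states, msgs) if (r := parse_rule(l)) else l for l in rules_text.splitlines())

# Constructed sample ruleset and override files (not taken from any real Snort distribution).
RULES = '''alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample"; content:"a;b"; sid:234; rev:5;)
alert tcp any any -> any 25 (msg:"SMTP sample"; sid:999; rev:1;)
# alert udp any any -> any 53 (msg:"DNS sample"; sid:777; rev:2;)'''
STATE = '''"1:234:5 block, alert" #block and notify through an alert
1:999:* disabled, notify #override
1:777:* alert #turn on a rule that ships disabled'''
MSG = '"1:234:* VIRUS DETECTION - SOME NORMAL MESSAGE"'
```

Calling `apply_overlay(RULES, STATE, MSG)` returns the rewritten ruleset as text; non-rule lines pass through untouched, so the file can be kept under git as the thread suggests.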

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
