Snort mailing list archives

Re: [Snort-users] threshold -- is it really deprecated?


From: Joshua Kinard <kumba () gentoo org>
Date: Tue, 24 Jan 2012 00:51:32 -0500

On 01/23/2012 16:55, Martin Roesch wrote:

> Personally I'd prefer to see the rule structure revisited.  The current
> melange of selectors, detection and metadata information in a rule that
> depends on the author for structure is pretty suboptimal (and entirely my
> fault, lack of foresight you know).
>
> Something like
>
> rule {
>     metadata { msg, sid/rev, ... }
>     selector { flowbits, protocol, ip range, ... }
>     detect { content, regex, ... }
>     action { alert, log, block, set flowbit, ... }
> }
>
> would be great.  If we did that and built in a nice macro system then it'd
> be easy to setup easily tweaked external configuration options for outcomes
> or notifications or whatever.  The pain in the butt is that we've got 13
> years of rules built on the old system.  Maybe a new keyword to
> differentiate the new layout to the rule parser?  Hm... ngrule anyone?  :)
>
> My $0.02 as the person who originally built it (suboptimally). :)


One can actually draw parallels between a Snort rule and a Gentoo ebuild,
loosely.  Whereas a rule instructs Snort how to look for an offending
pattern in network traffic and what to do when it finds it, an ebuild
instructs Gentoo's package manager on how to unpack/patch, configure,
compile, and install a given package.  The best way to capture this method
was to use block-function syntax (basically bash syntax, with some
modifications).

We also use a system called EAPI to introduce new functionality without
stomping over existing functionality.  An ebuild has to declare what EAPI it
supports, and the package manager uses that information to know what
functionality to make available.  No deprecation of old EAPIs yet
(hoverboards will probably be old school by the time we get around to that).
But the capability is at least there.

That said, I think every open-source project starts as something small and
then "evolves" -- sometimes in strange and unpredictable ways, and going
back to change some unplanned aspect without causing issues with existing
stuff is quite tricky and needs much discussion.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
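As an added illustration (not code from this thread, from Snort, or from Gentoo), here is a small Python parser for the block layout Martin sketches above, with a version number on the `ngrule` keyword gating which actions a rule may use, in the spirit of the EAPI mechanism Joshua describes. The sample rule, its keys and values, and the per-version feature sets are all constructed assumptions; the page only gives the skeleton.

```python
import re

# Constructed sample rule in the block-style layout sketched in the thread.
# Keys and values are invented for illustration; only the section names
# (metadata/selector/detect/action) come from the proposal itself.
SAMPLE_RULE = """
ngrule 1 {
    metadata { msg: "test probe"; sid: 1000001; rev: 1; }
    selector { protocol: tcp; flowbits: isset,seen_login; }
    detect   { content: "probe"; }
    action   { alert; set_flowbit: probed; }
}
"""

REQUIRED = ("metadata", "selector", "detect", "action")

# Versioned feature sets (assumed, EAPI-style): a rule declares the layout
# version it targets and the parser only accepts actions that version defines,
# so new actions can be introduced without changing the meaning of old rules.
FEATURES = {
    1: {"alert", "log", "set_flowbit"},
    2: {"alert", "log", "block", "set_flowbit"},
}

BLOCK_RE = re.compile(r"(\w+)\s*\{([^{}]*)\}")


def parse_ngrule(text):
    """Parse one ngrule block into a dict of sections; raise on invalid input."""
    head = re.match(r"\s*ngrule\s+(\d+)\s*\{(.*)\}\s*$", text, re.S)
    if not head:
        raise ValueError("not an ngrule block")
    version = int(head.group(1))
    if version not in FEATURES:
        raise ValueError(f"unsupported ngrule version {version}")
    rule = {"version": version}
    for name, body in BLOCK_RE.findall(head.group(2)):
        items = {}
        # Each section holds ';'-separated entries, either "key: value" or a bare flag.
        for item in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = item.partition(":")
            items[key.strip()] = value.strip().strip('"') or True
        rule[name] = items
    missing = [s for s in REQUIRED if s not in rule]
    if missing:
        raise ValueError("missing sections: " + ", ".join(missing))
    unknown = set(rule["action"]) - FEATURES[version]
    if unknown:
        raise ValueError(f"actions not available in ngrule {version}: {sorted(unknown)}")
    return rule
```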

