Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: Joshua Kinard <kumba () gentoo org>
Date: Tue, 24 Jan 2012 00:51:32 -0500
On 01/23/2012 16:55, Martin Roesch wrote:
Personally I'd prefer to see the rule structure revisited. The current melange of selectors, detection and metadata information in a rule that depends on the author for structure is pretty suboptimal (and entirely my fault, lack of foresight you know). Something like rule { metadata { msg, sid/rev, ... } selector { flowbits, protocol, ip range, ... } detect { content, regex, ... } action { alert, log, block, set flowbit, ... } } would be great. If we did that and built in a nice macro system then it'd be easy to set up easily tweaked external configuration options for outcomes or notifications or whatever. The pain in the butt is that we've got 13 years of rules built on the old system. Maybe a new keyword to differentiate the new layout to the rule parser? Hm... ngrule anyone? :) My $0.02 as the person who originally built it (suboptimally). :)
One can actually draw parallels between a Snort rule and a Gentoo ebuild, loosely. Whereas a rule instructs Snort how to look for an offending pattern in network traffic and what to do when it finds it, an ebuild instructs Gentoo's package manager on how to unpack/patch, configure, compile, and install a given package. The best way to capture this method was to use block-function syntax (basically bash syntax, with some modifications). We also use a system called EAPI to introduce new functionality without stomping over existing functionality. An ebuild has to declare what EAPI it supports, and the package manager uses that information to know what functionality to make available. No deprecation of old EAPIs yet (hoverboards will probably be old school by the time we get around to that). But the capability is at least there.

That said, I think every open-source project starts as something small and then "evolves" -- sometimes in strange and unpredictable ways, and going back to change some unplanned aspect without causing issues with existing stuff is quite tricky and needs much discussion.

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
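To make Martin's sketch concrete, here is an added example (written for this archive page; it is not code from the thread or from the Snort project) that takes a classic rule and re-groups its interleaved options into the proposed metadata/selector/detect/action blocks. The sample rule and the keyword-to-block mapping are assumptions made here; note that flowbits alone has to be split between selector (isset/isnotset) and action (set/unset/toggle), which hints at why converting 13 years of rules mechanically is not trivial.

```python
import re

# Constructed sample (not from the thread) with options interleaved as classic syntax permits.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE semicolon\\; in msg"; '
          'flow:to_server,established; content:"GET"; nocase; flowbits:isset,seen.login; '
          'pcre:"/^\\/admin/"; flowbits:set,seen.admin; classtype:web-application-attack; sid:1000001; rev:1;)')

# Assumed mapping of classic option keywords onto the proposed blocks (follows Martin's
# sketch, not a Snort definition). Keywords not listed here are treated as detection options.
GROUPS = {"metadata": {"msg", "sid", "rev", "gid", "classtype", "reference", "priority", "metadata"},
          "selector": {"flow", "flowbits", "dsize", "ttl", "itype", "icode", "ip_proto"}}
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def split_options(opts):
    """Split the option body on ';' but not inside quotes or right after a backslash."""
    items, buf, quoted, esc = [], [], False, False
    for ch in opts:
        if ch == ";" and not quoted and not esc:
            items.append("".join(buf).strip())
            buf = []
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = ch == "\\" and not esc
        buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]

def restructure(rule):
    """Re-group a classic Snort rule into metadata/selector/detect/action blocks."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a classic Snort rule")
    blocks = {"metadata": [], "detect": [], "action": [m["action"]],
              "selector": [f"proto:{m['proto']}", f"src:{m['src']} {m['sport']}",
                           f"dir:{m['dir']}", f"dst:{m['dst']} {m['dport']}"]}
    for opt in split_options(m["opts"]):
        key, _, val = opt.partition(":")
        # Setting a flowbit is an outcome (action block); testing one is a selector.
        if key == "flowbits" and val.split(",")[0].strip() in ("set", "unset", "toggle"):
            group = "action"
        else:
            group = next((g for g, keys in GROUPS.items() if key in keys), "detect")
        blocks[group].append(opt)
    return blocks

def render(blocks):
    inner = [f"  {n} {{ {'; '.join(blocks[n])} }}" for n in ("metadata", "selector", "detect", "action")]
    return "\n".join(["rule {", *inner, "}"])
```

Running `print(render(restructure(SAMPLE)))` shows the same rule laid out in the four-block brace form, with the two flowbits options landing in different blocks.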
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!