Re: upgraded some tools (snortplot)

[Brian <bmc () snort org>]

According to Martin Roesch:
> Brian wrote:
> Sid 485: no classtype assigned, msg field has parenthetical statement
> within
> Sid 499: classtype assigned
> Sid 480: no classtype assigned

Yes yes, I screwed up.  Sorry.

> > > I do not mean to belittle anybody's work here, I am just saying that maybe
> > > we need a rule creation metaengine, probably based on M4 or some macro
> > > language which will generate the rules.
> >
> > No, its not the problem of the rules.  its something else.
>
> Um, everything is working the way it was written to, there are no
> problems here except for apparent inconsistency because of the way the
> rules were written.  Maybe I should add the "[**]" back to the msg field
> for syslog output so there's no confusion.  

Nope, I should just make my rules parser that I validate rules with
stricter before I commit them. 

> I don't think that running things thru M4 would have helped in this case
> particularly, it's perfectly valid to leave out pieces of the rules,
> there are only a few things that are *required* to write a valid Snort
> rule, which makes life easier for everyone in general.

I agree.  The snort ruleset is the most readable signature set I have
seen yet.  m4 is nowhere near as readable to normal people.

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users