Snort mailing list archives
Re: rules management tools
From: Martin Holste <mcholste () gmail com>
Date: Fri, 1 Apr 2011 13:35:28 -0500
MVC web GUI I think is a given. What are the core features that the community needs? My rough draft:

- All of the features PulledPork gives us (auto flowbit inclusion, disable/enable, replace, etc.)
- Per-sensor configuration variable management (if not already implied by the above)
- Search by msg, content, etc.
- Interface to tag rules
- Snort-parsable output so that sensors grab their rules from the central web GUI like http://rules/compile_rules?sensor_id=1
- Resolve and download all references to a local cache so when you search, you also search the content of the references (so when I want to find a rule that hunts Conficker, I find it even if it's not in the rule name)

Those should all be trivial to implement. Here are some tougher ones:

- Rule similarity detector (maybe some sort of Levenshtein distance calculation with other content matches)
- Load calculator given a static "test" pcap derived from local traffic at a point in time
- Offline alerter (similar to above, but instead of load calculation on a constant pcap, takes a pcap upload, runs it against arbitrary rules, returns alerts generated)

On Thu, Mar 31, 2011 at 11:32 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
On Thu, 31 Mar 2011 13:05:23 -0300, CleBeer wrote:

I'm thinking of something like base with a web UI; this way we don't create a dependence on desktop OSes. Another idea is to port the ruleset to a database and make some script that creates the ruleset files by reading the database. What do you guys think about it?

This aligns somewhat with our new rule management system that is currently in development. That is, we manage the rules in a database and produce the individual rule files from queries to the database. We are incorporating many other things to go along with the system (everything that revolves around rule creation, testing, sid assignment, revision increments, rule deletions, modifications, cross-referencing, other internal processes, etc.) which unfortunately makes our schema rather large and considerably more complex than a tool like you are suggesting would require.

Having said that, for simple rule maintenance tasks a database schema should be relatively simple to create. Using a database would certainly make the creation of a GUI easier to accomplish, and for cross-platform purposes the web UI would more than likely be the best choice. (I would write it in Perl, but Python would be good too.)

It would also require the creation of a tool to import the data into the database after using something like Pulled Pork to download. The best thing to do would be to create a patch for Pulled Pork to do this work once the schema is written; that way there is one tool to download the rules and put them into the storage area for management purposes. I'm sure JJ would welcome the addition of this feature to Pulled Pork. The functionality to edit Pulled Pork configuration within the rule management tool would also prove useful to many.
:D

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and publish your website.
http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
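As an added example, not code from the thread or from PulledPork or any other tool named in it, a small Python sketch of two of the features proposed above: the msg/content search and the Levenshtein-based rule similarity detector, exercised on a constructed three-rule set with placeholder sids. It assumes similarity is measured over each rule's concatenated content matches, which is one reading of the suggestion; find_similar returns the sid pairs at or above a threshold so a human can review them.

```python
import re
from itertools import combinations
# Constructed sample ruleset (not from the thread); sids 9000001-9000003 are placeholders.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SMB request A"; flow:to_server,established; content:"|05 00|"; content:"|3F 00|"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SMB request B"; flow:to_server,established; content:"|05 00|"; content:"|3F 00|"; content:"|00 00|"; sid:9000002; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"CONSTRUCTED DNS query for example.test"; content:"|07|example|04|test"; sid:9000003; rev:1;)
"""
# One rule option: key, optional ':' value (quoted values may hold escaped chars), ended by ';'.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(line):
    """Pull msg, sid and the ordered content matches out of one Snort rule line."""
    body = line.partition("(")[2].rstrip().rstrip(")")   # the rule header carries no '('
    fields = {"msg": None, "sid": None, "content": []}
    for key, val in OPTION_RE.findall(body):
        val = val[1:-1] if val.startswith('"') else val  # strip surrounding quotes
        if key == "content":
            fields["content"].append(val)
        elif key in ("msg", "sid"):
            fields[key] = val
    return fields

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def search(rules, term):
    """Case-insensitive search over msg and content matches; returns the matching sids."""
    t = term.lower()
    return [r["sid"] for r in rules
            if t in (r["msg"] or "").lower() or any(t in c.lower() for c in r["content"])]

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(ra, rb):
    """1.0 = identical content matches, 0.0 = nothing shared (normalised Levenshtein)."""
    a, b = "\n".join(ra["content"]), "\n".join(rb["content"])
    return 1.0 if not (a or b) else 1 - levenshtein(a, b) / max(len(a), len(b))

def find_similar(rules, threshold=0.5):
    return [(ra["sid"], rb["sid"], round(similarity(ra, rb), 3))
            for ra, rb in combinations(rules, 2) if similarity(ra, rb) >= threshold]
```

On the constructed set, find_similar pairs sids 9000001 and 9000002 (they differ by one extra content match) and leaves the DNS rule unpaired.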