Snort mailing list archives

Re: [Snort-users] threshold -- is it really deprecated?


From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 23 Jan 2012 15:54:03 -0500

On 01/23/2012 11:36, Jason Brvenik wrote:

> Now that the thread has had expression time, I'd like to add my $.02.
>
> I don't believe ANYTHING should be in the rule that is not DIRECTLY
> detection related. All information that isn't detection related should
> be external to the rule and modifiable without risking changing the
> detection content.
>
> This means that IMHO msg: class: metadata: threshold: etc. should all
> get externalized. The potential for human error and likelihood of edit
> collision should be minimized, not maximized.


'msg' is to provide the human-readable description of the rule.  If that
were to be externalized, then how would you link a rule to said external
definition?  We all know that SID + GID + Rev is the de facto unique
identifier for a rule.  Requiring someone to go and look that combination up
in a separate file to match it to the message and other non-detection
options just adds to the overhead needed to manage a ruleset.

IMHO, it's not the *sole* job of software developers to implement mechanisms
to protect users from their own mistakes.  Some effort should be made so
that users get it right most of the time, but at some point, you have to let
them fend for themselves.  They'll either figure it out or get eaten by a grue.

Combine a text-based ruleset with an RCS like git, and you can solve a
majority of human-error problems, especially if you have multiple eyes
reviewing the ruleset (and the RCS history).  Better documentation also
helps, which is why I've been quite pedantic about the Snort manual in the
past (like the patch to revise the 'pcre' example I sent in a while ago).

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: signature.asc
Description: OpenPGP digital signature
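To make the trade-off in the two messages above concrete, here is an added example (my own code, not from the Snort project or from either poster): a small parser for the Snort rule option syntax that splits each rule into its detection options and its non-detection options (msg, classtype, metadata, threshold, reference, priority), files the latter in a sidecar map keyed by GID:SID:rev, and re-attaches them on load. The sample rules, SIDs and messages are constructed for the example. Missing GID and rev default to 1 as Snort does; the reattach step fails loudly when a rule has no sidecar entry, which is the lookup hazard the reply points at. (Snort 2.9 did deprecate the per-rule threshold keyword in favour of detection_filter in the rule and event_filter in snort.conf, i.e. exactly this kind of externalization.)

```python
"""Added example: split Snort rule options into detection vs. external
(metadata) options keyed by GID:SID:rev. Not Snort project code."""
import re

# Constructed sample rules for the example; SIDs and messages are hypothetical.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; flow:to_server,established; content:"SSH-"; depth:4; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE semi\; colon in msg"; content:"GET"; http_method; sid:1000002; rev:1;)
'''

# Options the first poster wants moved out of the rule text.
NON_DETECTION = {"msg", "classtype", "metadata", "threshold", "reference", "priority"}


def split_options(body):
    """Split the text inside (...) into (key, value) pairs.
    Bare options (e.g. http_method) get value None. A literal ';' inside a
    value is escaped as '\\;' in Snort syntax; it is unescaped here."""
    opts = []
    for raw in re.split(r'(?<!\\);', body):
        raw = raw.strip()
        if not raw:
            continue
        if ":" in raw:
            key, val = raw.split(":", 1)
            opts.append((key.strip(), val.strip().replace(r"\;", ";")))
        else:
            opts.append((raw, None))
    return opts


def parse_rule(line):
    """Return header, GID:SID:rev key, detection options, external options."""
    m = re.match(r'^(?P<header>[^(]+)\((?P<body>.*)\)\s*$', line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    opts = split_options(m.group("body"))
    kv = dict(opts)                     # only used for the id fields
    gid = int(kv.get("gid", "1"))       # Snort default GID is 1
    sid = int(kv["sid"])                # a rule without a sid is invalid
    rev = int(kv.get("rev", "1"))       # Snort default rev is 1
    return {
        "key": (gid, sid, rev),
        "header": m.group("header").strip(),
        "detection": [(k, v) for k, v in opts if k not in NON_DETECTION],
        "external": [(k, v) for k, v in opts if k in NON_DETECTION],
    }


def render(header, opts):
    """Serialize options back to Snort syntax, re-escaping ';' in values."""
    parts = []
    for key, val in opts:
        if val is None:
            parts.append(key + ";")
        else:
            parts.append("%s:%s;" % (key, val.replace(";", r"\;")))
    return "%s (%s)" % (header, " ".join(parts))


def externalize(rules_text):
    """Return (detection-only rule lines, sidecar dict keyed 'gid:sid:rev')."""
    stripped, sidecar = [], {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        key = "%d:%d:%d" % rule["key"]
        stripped.append(render(rule["header"], rule["detection"]))
        sidecar[key] = rule["external"]
    return stripped, sidecar


def reattach(stripped, sidecar):
    """Rebuild full rules; a rule with no sidecar entry is an error rather
    than a rule silently loaded without msg/classtype/threshold."""
    out = []
    for line in stripped:
        rule = parse_rule(line)
        key = "%d:%d:%d" % rule["key"]
        if key not in sidecar:
            raise KeyError("no external metadata for rule %s" % key)
        out.append(render(rule["header"], sidecar[key] + rule["detection"]))
    return out


if __name__ == "__main__":
    lines, side = externalize(SAMPLE_RULES)
    for l in lines:
        print(l)
    for k, v in side.items():
        print(k, v)
    for l in reattach(lines, side):
        print(l)
```

Run it as-is to see the two stripped rules, the sidecar entries, and the re-assembled rules; delete one sidecar entry before calling reattach to see the failure mode the reply describes.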

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
