Snort mailing list archives

Re: LightSPD manifest.json question for builtin path


From: "J. Hellenthal via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 5 Jul 2021 21:51:17 -0500

Thanks for this !

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

On Jul 5, 2021, at 17:11, Noah Dietrich <noah_dietrich () 86penny org> wrote:


Additionally: the text rules are the same way, in the rules\3.0.0.0 folder.  This seems different from the 
builtins\3.0.1-3\ folder structure (four decimals vs three decimals and a hyphen).
If Snort/Talos can standardize this and let me know what the plan is, it'll make it easier to develop PP3.
Right now, I've hard-coded those file paths into PP3, which works for now, but isn't very adaptive.

Thanks
noah



On Sat, Jul 3, 2021 at 4:25 PM Noah Dietrich <noah_dietrich () 86penny org> wrote:
I'm working on getting LightSPD functionality added to PulledPork3, and I have a question about the way builtin 
rules are stored in the LightSPD folder

For the current LightSPD file ("lightspd build number" : "2021-06-30-003"), the format for the builtin folder is:
.\lightspd\builtins\3.0.1-3\
- builtins.rules
- *.states files

There is only the one '3.0.1-3' folder contained in the 'builtins' folder.
The manifest.json file lists Snort3 versions from 3.0.3-1 to 3.1.1.0-20, but only contains references for the 
policies folder and .so files.

Can you let me know what the format/plan is for this folder?  I think it would be best if you need to have different 
versions of your builtin.rules file to reference unique folders in the manifest.json file, like you're doing with 
the policies and .so folders.  For example:
      "3.1.1.0-0" : {
         "policies_path" : "policies/3.0.3-4/",
         "builtins_path" : "builtins/3.0.1-3/",
         "architectures" : {
            ...
         }

However, if you're only going to have one builtin.rules file for all versions of Snort that are supported, then it'd 
make more sense to just rename the folder to .\lightspd\builtins\, and have that folder contain the builtins.rules 
and *.states files.  You'd then reference this path from the root of your manifest.json file:

{
    "builtins_path" : "builtins/",
    "lightspd build number" : "2021-06-30-003",
    "snort versions" : {
        "3.1.0.1-149" : {...}
    }
}

From a PulledPork perspective, it'd be nice to have a single mechanism for me to determine the various paths 
(getting the path for each type of object out of the json file, rather than looking at the folder names for some 
items, and getting json entries for others).

thanks,
Noah

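As an added illustration (not code from the thread, PulledPork3 or LightSPD) of the single lookup mechanism Noah asks for: a resolver that reads a per-version "builtins_path" from the manifest entry and falls back to a root-level "builtins_path", as proposed above. The manifest fragment is constructed, and the rules that a three-part version like "3.0.3-1" is padded with a fourth 0 and that the newest entry not newer than the installed Snort is chosen are assumptions for this example, not documented LightSPD behaviour.

```python
"""Resolve LightSPD paths from manifest.json (constructed example)."""
import json
from pathlib import PurePosixPath

# Constructed manifest following the layout proposed in the thread:
# a root-level "builtins_path" that per-version entries may override.
SAMPLE_MANIFEST = json.loads("""
{
  "builtins_path": "builtins/",
  "lightspd build number": "2021-06-30-003",
  "snort versions": {
    "3.0.3-1":     {"policies_path": "policies/3.0.3-1/"},
    "3.1.0.1-149": {"policies_path": "policies/3.0.3-4/"},
    "3.1.1.0-0":   {"policies_path": "policies/3.0.3-4/",
                    "builtins_path": "builtins/3.0.1-3/"}
  }
}
""")


def version_key(ver: str) -> tuple:
    """Turn '3.0.3-1' or '3.1.1.0-20' into a comparable tuple.
    Assumption: a missing fourth component means 0, so both the
    three-part and four-part styles seen in the manifest sort together."""
    base, _, build = ver.partition("-")
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + (int(build or 0),)


def select_entry(manifest: dict, snort_version: str) -> tuple:
    """Assumption: pick the newest manifest entry not newer than the
    installed Snort. Returns (key, entry); KeyError if none is old enough."""
    target = version_key(snort_version)
    candidates = [v for v in manifest["snort versions"] if version_key(v) <= target]
    if not candidates:
        raise KeyError(f"no manifest entry for Snort {snort_version}")
    key = max(candidates, key=version_key)
    return key, manifest["snort versions"][key]


def resolve_path(manifest: dict, snort_version: str, kind: str) -> str:
    """Look up '<kind>_path' in the version entry, then at the manifest root.
    Paths are normalised so 'builtins/' and 'builtins' compare equal."""
    _, entry = select_entry(manifest, snort_version)
    raw = entry.get(f"{kind}_path") or manifest.get(f"{kind}_path")
    if raw is None:
        raise KeyError(f"manifest defines no {kind}_path for {snort_version}")
    return PurePosixPath(raw).as_posix()
```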
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!