Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 23 Jan 2012 15:54:03 -0500
On 01/23/2012 11:36, Jason Brvenik wrote:
> Now that the thread has had expression time I'd like to add my $.02 I don't believe ANYTHING should be in the rule that is not DIRECTLY detection related. All information that isn't detection related should be external to the rule and modifiable without risking changing the detection content. This means that IMHO msg: class: metadata: threshold: etc should all get externalized. The potential for human error and likelihood of edit collision should be minimized, not maximized.
'msg' is to provide the human-readable description of the rule. If that were to be externalized, then how would you link a rule to said external definition? We all know that SID + GID + Rev is the de facto unique identifier for a rule. Requiring someone to go and look that combination up in a separate file to match it to the message and other non-detection options just adds to the overhead needed to manage a ruleset.

IMHO, it's not the *sole* job of software developers to implement mechanisms to protect users from their own mistakes. Some effort should be made so that users get it right most of the time, but at some point, you have to let them fend for themselves. They'll either figure it out or get eaten by a grue.

Combine a text-based ruleset with an RCS like git, and you can solve a majority of human-error problems, especially if you have multiple eyes reviewing the ruleset (and the RCS history). Better documentation also helps, which is why I've been quite pedantic about the Snort manual in the past (like the patch to revise the 'pcre' example I sent in a while ago).

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
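The split Jason proposes and the gid:sid:rev lookup Joshua objects to, as an added Python example that is not part of this thread or of the Snort project. It takes a Snort 2.x rule, keeps only the detection options plus the sid/gid/rev identity, moves msg/classtype/metadata into a sidecar keyed by gid:sid:rev, and rewrites an in-rule `threshold:` as the equivalent `event_filter` line for threshold.conf (syntax per the Snort 2.9 manual). Which options count as "non-detection" (Jason's list plus reference and priority), the sidecar layout, the function names and the sample rule are all assumptions constructed for illustration; `rejoin` shows that the reverse direction needs exactly the cross-file lookup Joshua describes, and `detection_fingerprint` shows the edit-collision point: a msg change leaves the detection half byte-identical.

```python
"""Split a Snort 2.x rule into detection content and externalized options.

Added example for this thread, not Snort project code. Which options are
"non-detection" is an assumption taken from Jason's list; the sidecar
format is invented for illustration. The event_filter line follows the
threshold.conf syntax in the Snort 2.9 manual.
"""
import hashlib
import re

# Options to externalize (assumption: reference/priority grouped with them).
NON_DETECTION = {"msg", "classtype", "metadata", "threshold", "reference", "priority"}
# gid/sid/rev stay in both halves: they are the join key.
IDENTITY = {"gid", "sid", "rev"}

# action proto src sport dir dst dport (options)
_HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split an option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (header, [(option, value), ...]); value is '' for flag options."""
    m = _HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    header = " ".join(m.group(i) for i in range(1, 8))
    options = []
    for opt in split_options(m.group(8)):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip()))
    return header, options


def render(header, options):
    body = "; ".join(n if v == "" else "%s:%s" % (n, v) for n, v in options)
    return "%s (%s;)" % (header, body)


def rule_key(options):
    """gid:sid:rev, using Snort's defaults of gid 1 and rev 1 when absent."""
    ident = dict((n, v) for n, v in options if n in IDENTITY)
    return "%s:%s:%s" % (ident.get("gid", "1"), ident["sid"], ident.get("rev", "1"))


def threshold_to_event_filter(gid, sid, value):
    """Rewrite an in-rule 'threshold:' option as a threshold.conf event_filter."""
    fields = ", ".join(f.strip() for f in value.split(","))
    return "event_filter gen_id %s, sig_id %s, %s" % (gid, sid, fields)


def externalize(rule):
    header, options = parse_rule(rule)
    key = rule_key(options)
    gid, sid, _ = key.split(":")
    detection = [(n, v) for n, v in options if n not in NON_DETECTION]
    sidecar = [(n, v) for n, v in options if n in NON_DETECTION and n != "threshold"]
    filters = [threshold_to_event_filter(gid, sid, v) for n, v in options if n == "threshold"]
    return {"key": key, "detection": render(header, detection),
            "sidecar": sidecar, "event_filters": filters}


def detection_fingerprint(rule):
    """Hash of the detection half only: edits to msg/classtype leave it unchanged."""
    return hashlib.sha256(externalize(rule)["detection"].encode()).hexdigest()


def rejoin(detection_rule, sidecar_index):
    """Rebuild the full rule; this is the gid:sid:rev lookup Joshua objects to."""
    header, options = parse_rule(detection_rule)
    extra = sidecar_index[rule_key(options)]  # KeyError if the sidecar drifted
    msg = [o for o in extra if o[0] == "msg"]
    rest = [o for o in extra if o[0] != "msg"]
    return render(header, msg + options + rest)


# Constructed sample rule (not from any shipped ruleset) with an in-rule threshold.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ('
        'msg:"WEB-MISC admin probe; constructed"; flow:to_server,established; '
        'content:"GET /admin"; nocase; '
        'threshold: type limit, track by_src, count 1, seconds 60; '
        'classtype:web-application-activity; sid:1000001; rev:2;)')

if __name__ == "__main__":
    out = externalize(RULE)
    print(out["detection"])
    for line in out["event_filters"]:
        print(line)
    print(out["key"], out["sidecar"])
```

The semicolon inside the msg string is deliberate: a naive `split(";")` would corrupt the rule, which is the kind of tooling mistake that makes the externalized layout only as safe as the tool that maintains it.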
Current thread:
- threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
- Re: threshold -- is it really deprecated? Eoin Miller (Jan 20)
- Re: threshold -- is it really deprecated? Joshua Kinard (Jan 20)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
- Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
- Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
- Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Martin Roesch (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? beenph (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Joel Esler (Jan 24)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 24)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 20)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)