[Rman-devel] [Snort-devel] DDL for snort rules in a DB
Status: Alpha
Brought to you by: mvevers
From: Mark V. <ma...@ve...> - 2002-09-20 08:41:32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 19 Sep 2002 17:50, Kreimendahl, Chad J wrote:
> It's been mentioned a few times very recently, and so our company would
> like to contribute a bit of data structure to the snort project.
>
> We've been using this structure (with other tables), to generate rules
> files for our different sensors. The header part of it all is fairly
> unsophisticated, and the rules parts should be sufficient. We'd love to
> offer our services to make snort load its config from a DB.

Chad,

I agree that a DB based config is a valuable addition to snort - and to that end we have been working on a project to do just that - RuleMANager for Snort. The web-site is a little out of date (rman.souceforge.net) - it will be updated later this week when I release 0.0.5a - but it allows for management of rules, rule groups, preprocessors and variables on multiple sensors with an ACID style front end and stores all this in a MySQL backend as a set of extension tables for the snort db structure. If you or your company would like to contribute and improve this project in any way we (the three RMAN developers) would love to have your contribution.

The db-structure within RMAN contains pretty much everything you mentioned in your post - although I have yet to add the 'policy' layer. We are also working on handling flexible-response/SnortSAM config in an intelligent way - depending on time this should be available in the next month.

Should the snort developers choose to specify an official rule-set db backend instead of the existing signature registration system (I would be more than happy to modify RMAN to match) then a number of other problems will have to be resolved - how to record pre-processor alerts which have no matching rule, rules which changed or get deleted - the alert packet would no longer have a valid reference to a rule. Whilst not insurmountable this will require careful thought.

Regards
Mark
--
Mark Vevers. ma...@if... / ma...@ve...
Principal Internet Engineer, Internet for Learning, Research Machines Plc. (AS5503)
--
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9it3SWLU9HLCPPKMRAt/CAKCPRotPAmGyjlCOdU3JbU69HfIxBACfV5Gf
zikKjuYzZx2XWVyS2u9ieQ0=
=VwYD
-----END PGP SIGNATURE-----
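The last problem Mark raises (an alert that loses its reference once the rule it matched is edited or deleted from the database) is usually solved by never overwriting rule rows: each edit becomes a new revision, alerts point at the revision that fired, and the rules file shipped to a sensor is generated from the current revision of each assigned sid. The following is an added illustration of that approach in Python with SQLite; it is not RMAN's code or schema, and every table, column and function name in it (rule_rev, sensor_rule, alert, put_rule, generate_rules, record_alert, alert_rule) is an assumption for the example. The two rules are constructed samples, not from a real ruleset.

```python
"""Added example, not RMAN's or Snort's code: a versioned rule store in SQLite.

Rule text is never overwritten or deleted. Every edit creates a new
revision row and alerts reference the exact revision that fired, so an
alert keeps a valid reference after its rule is changed or retired.
Table and column names are assumptions for this example, not the RMAN schema.
"""
import re
import sqlite3

DDL = """
CREATE TABLE rule_rev (
    rule_rev_id INTEGER PRIMARY KEY,
    sid         INTEGER NOT NULL,        -- Snort sid option
    rev         INTEGER NOT NULL,        -- bumped on every edit, never reused
    rule_text   TEXT    NOT NULL,        -- rule without the rev option
    retired     INTEGER NOT NULL DEFAULT 0,
    UNIQUE (sid, rev)
);
CREATE TABLE sensor_rule (                -- which sids a sensor loads
    sensor TEXT NOT NULL, sid INTEGER NOT NULL, PRIMARY KEY (sensor, sid)
);
CREATE TABLE alert (                      -- points at the revision that fired
    alert_id    INTEGER PRIMARY KEY,
    rule_rev_id INTEGER NOT NULL REFERENCES rule_rev(rule_rev_id),
    src_ip      TEXT    NOT NULL
);
"""
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\s*rev:\s*\d+\s*;")

# Constructed sample rules for the example (not from a real ruleset).
RULE_V1 = 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB cgi probe"; content:"/cgi-bin/"; sid:1000001;)'
RULE_V2 = 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB cgi probe"; content:"/cgi-bin/"; nocase; sid:1000001;)'


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # alerts cannot point at a missing revision
    db.executescript(DDL)
    return db


def put_rule(db, rule_text):
    """Store rule_text as the next revision of its sid; returns the new rev."""
    m = SID_RE.search(rule_text)
    if not m or not rule_text.rstrip().endswith(")"):
        raise ValueError("rule needs a sid option and a closing parenthesis")
    sid = int(m.group(1))
    body = REV_RE.sub("", rule_text.rstrip())   # rev is owned by the store, not the author
    (last,) = db.execute("SELECT COALESCE(MAX(rev), 0) FROM rule_rev WHERE sid=?", (sid,)).fetchone()
    rev = last + 1
    db.execute("INSERT INTO rule_rev (sid, rev, rule_text) VALUES (?,?,?)", (sid, rev, body))
    return rev


def retire_rule(db, sid):
    """Stop shipping a sid to sensors without deleting its history."""
    db.execute("UPDATE rule_rev SET retired=1 WHERE sid=?", (sid,))


def assign_rule(db, sensor, sid):
    db.execute("INSERT OR IGNORE INTO sensor_rule VALUES (?,?)", (sensor, sid))


def render(rule_text, rev):
    """Emit the rule line Snort will load, with the stored rev inserted before ')'."""
    return rule_text.rstrip()[:-1].rstrip() + f" rev:{rev};)"


def generate_rules(db, sensor):
    """Current, non-retired revision of every sid assigned to the sensor."""
    rows = db.execute("""
        SELECT r.rule_text, r.rev FROM rule_rev r
        JOIN sensor_rule s ON s.sid = r.sid
        WHERE s.sensor = ? AND r.retired = 0
          AND r.rev = (SELECT MAX(rev) FROM rule_rev WHERE sid = r.sid)
        ORDER BY r.sid""", (sensor,)).fetchall()
    return [render(text, rev) for text, rev in rows]


def record_alert(db, sid, rev, src_ip):
    """Store an alert against the exact (sid, rev) the sensor reported."""
    row = db.execute("SELECT rule_rev_id FROM rule_rev WHERE sid=? AND rev=?", (sid, rev)).fetchone()
    if row is None:
        raise LookupError(f"no stored revision for sid {sid} rev {rev}")
    cur = db.execute("INSERT INTO alert (rule_rev_id, src_ip) VALUES (?,?)", (row[0], src_ip))
    return cur.lastrowid


def alert_rule(db, alert_id):
    """Resolve an alert back to the rule text that actually fired, even after edits."""
    row = db.execute("""
        SELECT r.sid, r.rev, r.rule_text, r.retired FROM alert a
        JOIN rule_rev r ON r.rule_rev_id = a.rule_rev_id WHERE a.alert_id=?""", (alert_id,)).fetchone()
    if row is None:
        return None
    sid, rev, text, retired = row
    return {"sid": sid, "rev": rev, "rule": render(text, rev), "retired": bool(retired)}


if __name__ == "__main__":
    db = open_db()
    put_rule(db, RULE_V1)
    assign_rule(db, "dmz-sensor", 1000001)
    aid = record_alert(db, 1000001, 1, "192.0.2.10")
    put_rule(db, RULE_V2)            # edit: rev 2 ships to sensors, rev 1 stays for the alert
    print("\n".join(generate_rules(db, "dmz-sensor")))
    print(alert_rule(db, aid))
```

The sensor only ever reports (sid, rev) in its alert, so the store must own the rev counter: that is why put_rule strips any rev option the author typed and assigns the next one itself. Pre-processor alerts with no matching rule, the other case Mark mentions, are not covered here; they would need a separate source table rather than a nullable foreign key into rule_rev.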