[Rman-devel] [Snort-devel] DDL for snort rules in a DB

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

=2D----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 19 Sep 2002 17:50, Kreimendahl, Chad J  wrote:

> It's been mentioned a few times very recently, and so our company would
> like to contribute a bit of data structure to the snort project.
>
> We've been using this structure (with other tables), to generate rules
> files for our different sensors.  The header part of it all is fairly
> unsophisticated, and the rules parts should be sufficient.  We'd love to
> offer our services to make snort load its config from a DB.
Chad,
I agree that a DB based config is a valuable addition to snort - and to tha=
t=20
end we have been working on a project to do just that - RuleMANager for Sno=
rt=20
The web-site is a little out of date (rman.souceforge.net) - it will be=20
updated later this week when I release 0.0.5a - but it allows for managemen=
t=20
of rules, rule groups, preprocessors and variables on multiple sensors with=
=20
an ACID style front end and stores all this in a MySQL backend  as a set of=
=20
extension tables for the snort db structure.  If you or your company would=
=20
like to contribute and improve this project in any way we (the three RMAN=20
developers) would love to have your contribution.

The db-structure within RMAN contains pretty much every thing you mentioned=
 in=20
your post - although I have yet to add the 'policy' layer.  We are also=20
working on handling flexible-response/SnortSAM config in an intelligent way=
 -=20
depending on time this should be available in the next month.

Should the snort developers choose to specify an official rule-set db backe=
nd=20
instead of the existing signature registration system (I would be more than=
=20
happy to modify RMAN to match) then a number of other problems will have to=
=20
be resolved - how to record pre-processor alerts which have no matching rul=
e,=20
rules which changed or get deleted - the alert packet would no longer have =
a=20
valid reference to a rule.  Whilst not insurmountable this will require=20
careful thought.

Regards
Mark

=2D --=20
Mark Vevers.    ma...@if... / ma...@ve...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
=2D --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0xB08F3CA3
=46ingerprint: 85BA 30C4 9EC8 1792 4C8C   C31E 58B5 3D1C B08F 3CA3
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9it3SWLU9HLCPPKMRAt/CAKCPRotPAmGyjlCOdU3JbU69HfIxBACfV5Gf
zikKjuYzZx2XWVyS2u9ieQ0=3D
=3DVwYD
=2D----END PGP SIGNATURE-----