Network Security Snort-Signatures

Re: [Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Subject: Re: [Snort-sigs] If You're Using Bleeding Snort Rules Read This!!
Date: Wed, 8 Jun 2005 13:45:08 -0700
On Wed, Jun 08, 2005 at 03:26:44PM -0500, Eric Hines wrote:
> We're Bleeding-edge sponsors and I personally as an admin contribute to the
> project as well. No need to remind me of the Bleeding-edge Mantra or
> disclaimers.

...Says the guy that set up his paying customers to automatically download
a pile of rules from the bleeding-edge repository.    Do we have to go
off and rename it "This-Will-Tear-Your-Sensor-A-New-SnortHole-sigs" ?

C'mon.  Don't blame us for your design decisions.


> The fact of the matter is, going off and creating a bunch of custom
> variables outside of the standard variables declared in the default
> snort.conf should be up to the individual user. Imagine what would happen if
> every person out there who contributes a Bleeding-edge snort rule decided to
> go off and make their own variables for all their sigs -- that would be
> thousands of new variables people would need to add to their snort.conf -- I
> mean come on.
>
> You misspoke regarding your statement on buggy tools. Software isn't buggy
> because it doesn't go in to a rules file for the user and add custom
> variables that you conjure up.

# this is my crazy rule, watch out!
var STASH $HTTP_PORTS
var HTTP_PORTS [4323:5000]
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
var HTTP_PORTS 9999
alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid: 111111111; ... )
var HTTP_PORTS $STASH
# okay, the craziness is done.


...is perfectly valid snort configuration syntax. The ONLY difference
between snort.conf and $mumble.rules is *CONVENTION*. You ignore this
at your peril.

Allowing variables near rules is desirable. 

Boy, are your customers going to be pissed off when I leak a rule that
comes with its own ruletype specifier and have a compelling enough
reason that everyone agrees to publish it. 


-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell

Attachment: pgpYnV9KUNZtk.pgp
Description: PGP signature
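Added example, not part of this thread and not Snort's own code: the check an operator who auto-downloads third-party rules files would want to run before loading them. Because Snort parses `var NAME value` identically whether it appears in snort.conf or in an included rules file, the script below walks the include chain in order, expands `$NAME` references, and reports every variable redefinition made outside the top-level file, together with the rules in *other* files that end up matching against the changed value. The file names, sids and the `sloppy.rules` file are constructed for the example; the `bleeding.rules` content is a copy of the "crazy rule" fragment quoted above.

```python
"""Audit a Snort include chain for `var` redefinitions made inside rules files.
Added example for this thread; not Snort's code and not from either poster.
Snort parses `var NAME value` the same way in snort.conf and in any included
file, so a downloaded rules file can change $HTTP_PORTS for every rule after
it. This walks the chain in order, expands $NAME references, and reports both
redefinitions made outside the top-level file and the rules in other files
that end up seeing the changed value."""
import re
from dataclasses import dataclass, field

VAR_RE = re.compile(r"^(?:var|portvar|ipvar)\s+(\w+)\s+(.+)$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")
# rule header is "action proto src srcport -> dst dstport"; we keep only dstport
RULE_RE = re.compile(r"^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)")
REF_RE = re.compile(r"\$(\w+)")

@dataclass
class Redefinition:
    file: str
    line: int
    name: str
    old: str
    new: str

@dataclass
class RuleView:
    file: str
    line: int
    seen: str      # dst port expression as this rule actually sees it
    expected: str  # same expression using only the top-level definitions

@dataclass
class Audit:
    variables: dict = field(default_factory=dict)   # current value of each var
    top_values: dict = field(default_factory=dict)  # values set by the top-level file
    redefinitions: list = field(default_factory=list)
    rules: list = field(default_factory=list)

def expand(value, variables):
    """Replace $NAME with its current value; unknown names are left untouched."""
    return REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)

def audit(top, files):
    """Process `top` and everything it includes, in order. `files` maps
    filename -> text and is held in memory so the example runs anywhere."""
    result = Audit()
    _walk(top, files, result, top)
    return result

def _walk(name, files, result, top):
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumes no '#' inside a msg string
        if not line:
            continue
        if m := INCLUDE_RE.match(line):
            _walk(m.group(1), files, result, top)
        elif m := VAR_RE.match(line):
            var, value = m.group(1), expand(m.group(2).strip(), result.variables)
            if name == top:
                result.top_values[var] = value
            elif var in result.variables:  # a non-top file changed an existing var
                result.redefinitions.append(
                    Redefinition(name, lineno, var, result.variables[var], value))
            result.variables[var] = value
        elif m := RULE_RE.match(line):
            result.rules.append(RuleView(name, lineno,
                                         expand(m.group(1), result.variables),
                                         expand(m.group(1), result.top_values)))

def collateral(result):
    """Rules that see a non-top-level value although their own file never
    redefined anything: the operator's rules hit by somebody else's `var`."""
    culprits = {r.file for r in result.redefinitions}
    return [r for r in result.rules if r.seen != r.expected and r.file not in culprits]

# Constructed sample files; the bleeding.rules body copies the thread's "crazy rule".
FILES = {
    "snort.conf": "var HOME_NET 10.0.0.0/8\nvar HTTP_PORTS 80\n"
                  "include local.rules\ninclude bleeding.rules\n"
                  "include sloppy.rules\ninclude local-after.rules\n",
    "local.rules": 'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"local web"; sid:1000001;)\n',
    "bleeding.rules": "# saves, changes and restores HTTP_PORTS around its own rules\n"
                      "var STASH $HTTP_PORTS\nvar HTTP_PORTS [4323:5000]\n"
                      'alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule"; sid:2000001;)\n'
                      "var HTTP_PORTS 9999\n"
                      'alert tcp any any -> any $HTTP_PORTS (msg:"crazy rule 2"; sid:2000002;)\n'
                      "var HTTP_PORTS $STASH\n",
    "sloppy.rules": "# widens HTTP_PORTS and never restores it\nvar HTTP_PORTS [1:65535]\n"
                    'alert tcp any any -> any $HTTP_PORTS (msg:"sloppy"; sid:3000001;)\n',
    "local-after.rules": 'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"local after"; sid:1000002;)\n',
}

if __name__ == "__main__":
    a = audit("snort.conf", FILES)
    for r in a.redefinitions:
        print(f"{r.file}:{r.line}: {r.name} {r.old} -> {r.new}")
    for r in collateral(a):
        print(f"COLLATERAL {r.file}:{r.line}: sees {r.seen}, operator expects {r.expected}")
```

Run against the sample, the audit lists three redefinitions in bleeding.rules (which restores $HTTP_PORTS on its way out, so nothing after it is affected) and one in sloppy.rules, and flags the operator's own local-after.rules as collateral: its rule now matches on `[1:65535]` instead of the `80` defined in snort.conf. The same approach extends to `portvar`/`ipvar` and to any variable name; rules files that declare a fresh variable of their own are deliberately not reported, since that is the case Erik argues is legitimate.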
