Pantek Library

[Snort-devel] BNF Definitions

From: Roy S. Rapoport <snort-devel(at)ols.inorganic.org>
Date: Sun Jun 01 2003 - 21:17:43 EDT


Howdy ho,

I'm dealing with Stefan Dens' abstruse parsing code to parse Snort rules into and out of a database and would like to start from scratch.

Rather than reverse-engineer what rules look like based on his code, I obviously would rather go by what Snort says they should look like. Ideally, I'd like to use a formal definition of Snort configuration directives as a source so as to avoid faulty interpretation, rather than interpret the manual. For example, there are obviously elements of a rule config that actually go with a content definition (byte_test, byte_jump, within, etc), while others are non-content-specific and we should see only one (or in some cases exactly one) element of such type. For example, sid.

The best way I can think of to do this is to start with a formal BNF definition of Snort rules. You know, something like:

directive  ::= ||||
include    ::= include:
multispace ::= []

etc...

Is there something like this documented? Or should I reverse-engineer Snort source code?

-roy
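
The distinction the message draws, between options that attach to a preceding content option and options that should appear only once, sketched as an added example (not part of the original post and not Snort's own parser). The option sets, function names and sample rule are assumptions constructed here, not an official or complete Snort grammar.

```python
import re

# Assumption: these sets are seeded from the options named in the message
# (byte_test, byte_jump, within, sid) plus a few common ones; not exhaustive.
CONTENT_BOUND = {"within", "distance", "offset", "depth", "nocase", "byte_test", "byte_jump"}
EXACTLY_ONE = {"sid"}
SINGLETON = EXACTLY_ONE | {"msg", "rev", "classtype"}
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# Constructed sample rule: note the ';' inside the quoted msg string.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed; demo"; '
          'content:"GET"; depth:3; content:"/admin"; within:20; nocase; sid:1000001; rev:1;)')

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    out, cur, in_q, esc = [], [], False, False
    for ch in body:
        if ch == ";" and not in_q and not esc:
            out.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_q = not in_q
    if in_q or "".join(cur).strip():
        raise ValueError("unterminated string or option missing its ';'")
    return [o for o in out if o]

def parse_rule(text):
    """Return header fields, content groups with their modifiers, and other options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: header or option parentheses missing")
    keys = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    rule = dict(zip(keys, m.groups()[:7]), contents=[], options={})
    for opt in split_options(m.group(8)):
        name, _, value = (part.strip() for part in opt.partition(":"))
        if name == "content":
            rule["contents"].append({"pattern": value, "modifiers": []})
        elif name in CONTENT_BOUND:
            if not rule["contents"]:
                raise ValueError(f"{name} appears before any content option")
            rule["contents"][-1]["modifiers"].append((name, value))
        elif name in SINGLETON and name in rule["options"]:
            raise ValueError(f"duplicate {name}")
        else:
            rule["options"].setdefault(name, []).append(value)
    missing = [n for n in sorted(EXACTLY_ONE) if n not in rule["options"]]
    if missing:
        raise ValueError(f"missing required option(s): {missing}")
    return rule
```
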




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Sun Jun 1 21:22:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

