Rules Syntax Working Group

This group will explore:

  • What might a new rules language look like? What would make more sense in an engine that uses reputation and scoring more than absolutes?

For Snort Syntax Support:

  • How to handle the problems associated with adding directives to support new functionality and divergence/compatibility.
  • Which Snort syntax directives are used frequently enough to be implemented in the new engine for backwards compatibility

  • Should this new engine support obfuscating rules about undisclosed vulnerabilities
While this functionality is not ideal in an open source security community, it may be necessary to enable the use of data from sources that do not allow disclosure of rule content for certain periods of time.

  • What languages to support as external scripts that can feed information back to a rule (i.e. a function for a rule to call). Perl, Ruby, Python? All?

This group is lead by TBA

This group will report recommendations (whether at a concensus or not) on August 12th on this page and to the OISF Discussion mailing lists.

This group's mailing list for discussion is available here: http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage

-- MattJonkman - 28 Jul 2009

Topic revision: r1 - 2009-07-28 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats