Rules Syntax Working Group
This group will explore:
- What might a new rules language look like? What would make more sense in an engine that uses reputation and scoring more than absolutes?
For Snort Syntax Support:
- How to handle the problems associated with adding directives to support new functionality, and the resulting divergence from (or compatibility with) existing Snort syntax.
- Which Snort syntax directives are used frequently enough that the new engine should implement them for backwards compatibility?
- Should this new engine support obfuscating rules about undisclosed vulnerabilities?
  While this functionality is not ideal in an open source security community, it may be necessary to enable the use of data from sources that do not allow disclosure of rule content for certain periods of time.
- What languages to support for external scripts that can feed information back to a rule (i.e. a function for a rule to call)? Perl, Ruby, Python? All of them?
This group is led by TBA
This group will report its recommendations (whether or not a consensus is reached) on August 12th, both on this page and to the OISF discussion mailing lists.
This group's mailing list for discussion is available here:
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-ruleslanguage
--
MattJonkman - 28 Jul 2009