Re: [Snort-users] BASE Feature Suggestion to Display Rule Source
From: Joel Esler (joel.esler sourcefire.com)
Date: Thu Sep 15 2005 - 19:00:13 CDT
It is a good idea, and I think the BASE team has that slated for the
work. It's a bit harder to pull a rule out of a text file than to
just link to a webpage, but it's certainly something they can look into.
BTW.. BASE's website is at http://www.sourceforge.net/projects/secureideas
They have forums as well there.
Joel Esler
SOURCEfire
On Sep 15, 2005, at 7:18 PM, McCash, John wrote:
> Hi All,
> I'm sure there's a BASE development list somewhere, but I'm so
> far behind on _this_ list that I don't even want to go looking for it.
> As everyone's well aware, since sourcefire changed their licensing
> model, the output you get when clicking on the <snort> link in an alert
> displayed in BASE or ACID has gotten markedly less useful because you
> can no longer see the text of the rule. Consequently, it's gotten much
> more difficult (unless the specific rule you're looking up is one of the
> well documented ones) to determine whether what you're looking at is
> likely to be a false positive. This is especially true if, like myself,
> you're making heavy use of the bleedingsnort rules as well as
> sourcefire's.
>
> From the BASE config file, it looks like the <snort> tag is more
> or less just forwarded to the sourcefire URL with a sid number, and the
> resultant page is displayed. It strikes me (as a non PHP programmer, no
> flames please) that it should not be terribly difficult to have BASE
> instead display a web page with two frames, and put the sourcefire stuff
> in one, while simultaneously displaying the full text of the referenced
> rule (pulled from a locally maintained copy of all rules in use) in the
> other.
>
> The line in the base config that defines how the <snort>
> reference tag is processed could just forward to a specified BASE URL on
> the local server, and be processed as a separate page...
>
> Anybody else think this is a good idea?
>
> John
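The lookup discussed in this thread (finding a rule's text by sid in a locally maintained copy of the rules and showing it in a page), sketched as an added example that is not part of the original messages or of BASE's code. The sample rules, the function names and the HTML output are constructed for illustration.

```python
import html
import re

# Constructed sample rules file (not real Sourcefire or Bleeding Snort rules).
SAMPLE_RULES = r'''
# local copy of rules in use (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; \
    content:"/probe.cgi"; nocase; sid:1000001; rev:2;)
#alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE <b>markup</b>"; content:"sid:9;"; sid:1000003; rev:1;)
'''

ACTION_RE = re.compile(r'(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')       # quoted option values
SID_RE = re.compile(r'\bsid\s*:\s*([0-9]+)\s*;')

def load_rules(text):
    """Map sid -> (rule text, enabled), joining backslash-continued lines."""
    rules, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                    # rule continues on next line
            pending += line[:-1].rstrip() + " "
            continue
        rule, pending = pending + line, ""
        body = rule.lstrip("# ")                   # commented-out rules are kept
        if not ACTION_RE.match(body):
            continue                               # blank line or plain comment
        # Blank out quoted strings so "sid:" inside content/msg is not matched.
        m = SID_RE.search(QUOTED_RE.sub('""', body))
        if m:
            rules[int(m.group(1))] = (body, not rule.startswith("#"))
    return rules

def render_rule(rules, sid_param):
    """HTML fragment for the rule frame; sid_param is the untrusted query value."""
    if not re.fullmatch(r'[0-9]{1,10}', sid_param or ""):
        return "<p>Invalid sid.</p>"
    sid = int(sid_param)
    entry = rules.get(sid)
    if entry is None:
        return "<p>No local rule for sid %d.</p>" % sid
    body, enabled = entry
    state = "" if enabled else " (disabled in local copy)"
    return "<pre>%s</pre><p>sid %d%s</p>" % (html.escape(body), sid, state)

if __name__ == "__main__":
    print(render_rule(load_rules(SAMPLE_RULES), "1000003"))
```

The sid is validated as digits before use and the rule text is HTML-escaped before display, since rule options can contain markup characters.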