[Emerging-Sigs] typo in sid 2008187
Jack Pepper
pepperjack at afferentsecurity.com
Mon May 12 15:23:40 EDT 2008
Quoting Matt Jonkman <jonkman at jonkmans.com>:
> Mentioned to someone in IRC and they were putting in a bug request.
>
It's not really a bug, the whole "detect is overloaded" concept is
just a part of snort. Joel, perhaps you can pass a suggestion on to
someone at SF:
It would make sense for each "detect" plug-in processor to expose a
public "syntax validation" function that will be called by "-T" to
validate each field. That way the validator and the parser are in
sync. The validation being done inline in detect will always be too
trivial. The code to do the validation probably already exists in
each detection plug-in, it just needs to be called at load time,
perhaps with a second argument that says whether this is a "lint-only"
call.
Validation should not be in detect. It's architecturally deficient.
Delegating parsing to individual detect processors (as it is done in
preprocessors) will allow for a richer vocabulary and improved
processing.
Or maybe that's just my opinion.
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
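The design sketched above (each detect plug-in owning the parse routine that both the loader and a lint-only "-T" pass call), shown as an added C illustration that is not Snort's code nor anything from this thread; the `struct rule`, the plugin table and the `lint_only` flag are hypothetical, and the sample rule options are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
/* Added illustration, not Snort's code: each rule-option keyword owns one
 * parse routine used both at rule load and in lint-only mode (the "-T"
 * check), so the validator cannot drift out of sync with the parser. */
struct rule { unsigned long sid; char msg[64]; };
/* Returns 0 on success, -1 on a malformed value. In lint-only mode the
 * routine validates but never writes to r (which may then be NULL). */
typedef int (*opt_parse_fn)(const char *val, struct rule *r, int lint_only);

static int parse_sid(const char *val, struct rule *r, int lint_only)
{
    char *end;
    unsigned long sid = strtoul(val, &end, 10);
    if (*val == '\0' || *end != '\0' || sid == 0) return -1; /* junk or zero */
    if (!lint_only) r->sid = sid;
    return 0;
}
static int parse_msg(const char *val, struct rule *r, int lint_only)
{
    size_t n = strlen(val);              /* must be a quoted string that fits */
    if (n < 2 || val[0] != '"' || val[n - 1] != '"' || n - 2 >= sizeof r->msg)
        return -1;
    if (!lint_only) { memcpy(r->msg, val + 1, n - 2); r->msg[n - 2] = '\0'; }
    return 0;
}
static const struct { const char *kw; opt_parse_fn fn; } plugins[] = {
    { "sid", parse_sid }, { "msg", parse_msg },
};

/* Walks "kw:value; kw:value;" (no ';' inside values in this sketch) and hands
 * each field to its plugin; 0 only if every option is known and well formed. */
int parse_rule_options(const char *opts, struct rule *r, int lint_only)
{
    char buf[256], *tok, *colon;
    size_t np = sizeof plugins / sizeof plugins[0], i;
    if (strlen(opts) >= sizeof buf) return -1;
    strcpy(buf, opts);
    for (tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";")) {
        while (isspace((unsigned char)*tok)) tok++;
        if (*tok == '\0') continue;
        if (!(colon = strchr(tok, ':'))) return -1;
        *colon = '\0';
        for (i = 0; i < np && strcmp(tok, plugins[i].kw) != 0; i++) {}
        if (i == np || plugins[i].fn(colon + 1, r, lint_only) != 0) return -1;
    }
    return 0;
}
/* Full load: returns the parsed sid, or 0 if any option was rejected. */
unsigned long load_rule_sid(const char *opts)
{
    struct rule r = { 0 };
    return parse_rule_options(opts, &r, 0) == 0 ? r.sid : 0;
}
```

Because the lint pass calls the very same `parse_*` routines, a value the loader would reject is rejected at lint time too, which is the sync the post asks for.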