[Emerging-Sigs] typo in sid 2008187
Joel Esler
joel.esler at sourcefire.com
Mon May 12 15:47:14 EDT 2008
I sure can do that, however, I am sure the developers would love to
hear an idea from the community. I submit ideas to devel all the
time :)
J
On May 12, 2008, at 3:23 PM, Jack Pepper wrote:
> Quoting Matt Jonkman <jonkman at jonkmans.com>:
>
>> Mentioned to someone in IRC and they were putting in a bug request.
>>
>
> It's not really a bug, the whole "detect is overloaded" concept is
> just a part of snort. Joel, perhaps you can pass a suggestion on to
> someone at SF:
>
> It would make sense for each "detect" plug-in processor to expose a
> public "syntax validation" function that will be called by "-T" to
> validate each field. That way the validator and the parser are in
> sync. The validation being done inline in detect will always be too
> trivial. The code to do the validation probably already exists in
> each detection plug-in, it just needs to be called at load time,
> perhaps with a second argument that says whether this is a
> "lint-only" call.
>
> Validation should not be in detect. It's architecturally
> deficient. Delegating parsing to individual detect processors (as
> it is done in preprocessors) will allow for a richer vocabulary and
> improved processing.
>
> Or maybe that's just my opinion.
>
> jp
>
>
> --
>
> Framework? I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
>
--
Joel Esler joel.esler at sourcefire.com
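
The suggestion quoted above (each detection plug-in exposing one routine that both "-T" and the rule loader call) sketched in C as an added example; it is not part of either message and is not Snort's code. The plug-in table, `check_option`, `depth_parse`, the `lint_only` flag and the 1 to 65535 range are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical plug-in interface: one parse routine per rule option.
 * lint_only != 0 means validate the argument but keep no state. */
typedef int (*opt_parse_fn)(const char *arg, int lint_only, void **state);

struct opt_plugin { const char *keyword; opt_parse_fn parse; };

/* Hypothetical "depth" option: a decimal integer from 1 to 65535 (assumed). */
static int depth_parse(const char *arg, int lint_only, void **state)
{
    char *end;
    long v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || v < 1 || v > 65535)
        return -1;                      /* same check for lint and for load */
    if (!lint_only) {                   /* only a real load allocates state */
        long *p = malloc(sizeof *p);
        if (!p) return -1;
        *p = v;
        *state = p;
    }
    return 0;
}

static const struct opt_plugin plugins[] = { { "depth", depth_parse } };

/* Dispatch one keyword/argument pair to the plug-in that owns it.
 * Returns 0 if valid, -1 if the plug-in rejects it, -2 if no plug-in matches. */
int check_option(const char *keyword, const char *arg, int lint_only, void **state)
{
    for (size_t i = 0; i < sizeof plugins / sizeof plugins[0]; i++)
        if (strcmp(plugins[i].keyword, keyword) == 0)
            return plugins[i].parse(arg, lint_only, state);
    return -2;
}

int main(void)
{
    void *st = NULL;
    printf("lint depth:10 -> %d\n", check_option("depth", "10", 1, &st));
    printf("lint depth:1o -> %d\n", check_option("depth", "1o", 1, &st));
    printf("load depth:10 -> %d\n", check_option("depth", "10", 0, &st));
    free(st);
    return 0;
}
```

Because the lint pass and the load pass run the same routine, a rule that passes the test mode cannot be rejected later by a stricter parser at load time.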