Sounds like some interesting regex. I’d love to see it. I’ll shoot you an email soon.

I recently did very similar to this in a bit of a hurry and ended up using 5 lazy complete-line regexes to account for the different session type log formats (icmp, unxlated icmp, self-self, deny and normal). It now inserts in to a database and aggregates down daily, weekly, monthly … there are probably a few more to add, but it’s done a few hundred million records with no error so far.

I use it for traffic profiling and incident response, not rule analysis, but now I’m intrigued to use the data for rule optimisation. I already use the catch-all allow initially like you mentioned to find and account for stray sessions.

Email if you want to compare any notes/regexes *snort*