Dell, Jeffrey JDell at ...155...
Fri Oct 26 04:27:17 EDT 2001

If you are using Windows 2k on your workstation you can use IDS Policy
Manager http://www.activeworx.com to do this. It has an intricate merge
function that can merge rules from www.snort.org and www.whitehats.com. Here
are some of the features of its merge function:

* Checks to see if the rule exists, if not it adds it
* Checks to see if the rev has increased. If so it updates the rule
* Checks to see if the variables exist. If not you can add or change it
* Adds new groups that didn't exist before
* Checks to see if a Signature ID > 1000000. If it exists it removes it and
adds a new one that is the Maximum SID of the policy + 1. If it doesn't
exist it just adds a SID that is the Maximum SID + 1.
* For the whitehat ruleset it removes the classification because it doesn't
* For the whitehat ruleset it cleans up the name
* For the whitehat ruleset it merges the rules into the appropriate
<group>.rules file
* Creates sig-msg.map file to use with barnyard
* Just added the ability to merge rules from the web

The only problem is that it is for win2k. It does scp/ftp files to any OS
though. I use it primarily with *nix Snort sensors. 


Is there a tool to update existing rules?

Currently demarc just overwrites the rules, but I need something that
only updates the rules that are changed, AND doesn't change the
msg-text (because I change those to define priorities with demarc).

If there isn't, I'm going to write something myself.

Edwin Eefting
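As an added example (not part of this thread, and not IDS Policy Manager's own code), the merge behaviour Jeffrey lists above combined with the requirement from Edwin's original message, in Python: rules are indexed by sid, an upstream rule replaces the local copy only when its rev has increased, the locally edited msg text is kept, SIDs above 1000000 are renumbered to the policy's maximum SID + 1, and the lines for a barnyard sig-msg.map are produced. The rule lines, the priority prefixes in the msg text and the `sid_ceiling` / `keep_local_msg` parameters are constructed for the example.

```python
import re
# Constructed sample rule sets (not from the thread): local msg texts carry a priority prefix.
LOCAL_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"P1 WEB-IIS cmd.exe access"; content:"cmd.exe"; sid:1002; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"P2 FTP SITE EXEC"; content:"SITE EXEC"; sid:361; rev:2;)
"""
# Upstream download: one bumped rev, one unchanged rule, one new rule, one whitehats SID > 1000000.
UPSTREAM_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1002; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:361; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer"; content:"|00 00 FC|"; sid:255; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS297/web-misc_http-whisker"; content:"GET//"; sid:1000297; rev:1;)
"""
# One regex per rule option we track: sid and rev are integers, msg is a quoted string.
FIELD = {k: re.compile(r"\b%s:(%s);" % (k, p))
         for k, p in (("sid", r"\d+"), ("rev", r"\d+"), ("msg", r'"[^"]*"'))}

def parse(text):
    """Index rule lines by SID; blanks, comments and lines missing sid/rev/msg are skipped."""
    rules = {}
    for line in (l.strip() for l in text.splitlines()):
        hit = {k: rx.search(line) for k, rx in FIELD.items()}
        if not line or line.startswith("#") or not all(hit.values()):
            continue
        sid, rev = int(hit["sid"].group(1)), int(hit["rev"].group(1))
        rules[sid] = {"sid": sid, "rev": rev, "msg": hit["msg"].group(1).strip('"'), "rule": line}
    return rules

def set_field(rule, key, value):  # rewrite one option inside the rule text
    return FIELD[key].sub(lambda _: "%s:%s;" % (key, value), rule, count=1)

def merge(local_text, upstream_text, keep_local_msg=True, sid_ceiling=1000000):
    """Merge upstream rules into the local policy; returns the merged rules sorted by SID."""
    merged = parse(local_text)
    next_sid = max(merged) + 1 if merged else 1
    for sid, up in parse(upstream_text).items():
        if sid > sid_ceiling:                    # whitehats-style SID: renumber to max SID + 1
            sid, next_sid = next_sid, next_sid + 1
            up = {**up, "sid": sid, "rule": set_field(up["rule"], "sid", sid)}
        cur = merged.get(sid)
        if cur is None:                          # unknown SID: add the rule as-is
            merged[sid] = up
        elif up["rev"] > cur["rev"]:             # rev increased: take the upstream rule body
            if keep_local_msg:                   # ...but keep the locally edited msg text
                up = {**up, "msg": cur["msg"], "rule": set_field(up["rule"], "msg", '"%s"' % cur["msg"])}
            merged[sid] = up
    return [merged[s] for s in sorted(merged)]  # same or lower rev: local rule left untouched

def sig_msg_map(rules):  # barnyard sig-msg.map lines, one 'sid || msg' per rule
    return ["%d || %s" % (r["sid"], r["msg"]) for r in rules]
```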

