[Snort-sigs] rule merging/updating tools?
edwin at ...149...
Fri Oct 26 05:23:02 EDT 2001
Yep, I already found this tool, but the problem is that it is only for
Seems a little bit illogical to use a Win2k tool when the only thing we
have here is Linux and BSD.
A bigger problem is that we want to have the rules updated fully
automatically by scripting (every day or so).
This will all be too complicated with a GUI tool that runs on another
box on Win2k, so I think it's time to fire up good ol' Perl. :-)
Dell, Jeffrey wrote:
>If you are using Windows 2k on your workstation you can use IDS Policy
>Manager http://www.activeworx.com to do this. It has an intricate merge
>function that can merge rules from www.snort.org and www.whitehats.com. Here
>are some of the features of its merge function:
>* Checks to see if the rule exists, if not it adds it
>* Checks to see if the rev has increased. If so it updates the rule
>* Checks to see if the variables exist. If not you can add or change it
>* Adds new groups that didn't exist before
>* Checks to see if a Signature ID > 1000000. If it exists it removes it and
>adds a new one that is the Maximum SID of the policy + 1. If it doesn't
>exist it just adds a SID that is the Maximum SID + 1.
>* For the whitehat ruleset it removes the classification because it doesn't
>* For the whitehat ruleset it cleans up the name
>* For the whitehat ruleset it merges the rules into the appropriate
>* Creates sig-msg.map file to use with barnyard
>* Just added the ability to merge rules from the web
>The only problem is that it is for win2k. It does scp/ftp files to any OS
>though. I use it primarily with *nix Snort sensors.
>From: Edwin Eefting [mailto:edwin at ...149...]
>Sent: Friday, October 26, 2001 5:30 AM
>To: snort-sigs at lists.sourceforge.net; DEMARC-Users at ...162...
>Subject: [Snort-sigs] rule merging/updating tools?
>Is there a tool to update existing rules?
>Currently demarc just overwrites the rules, but I need something that
>only updates the rules that are changed, AND doesn't change the
>msg-text. (because I change those to define priorities with demarc.)
>If there isn't, I'm going to write something myself.
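An added example (not from either poster, and not the ActiveWorx tool) of the merge logic discussed in this thread: a new ruleset is merged into a local one by sid, a rule is replaced only when its rev has increased, the locally edited msg text is carried over, and unknown sids are added. The rulesets are constructed sample data, not real Snort signatures.

```python
import re

# Constructed sample rulesets: the local copy has msg text edited for priorities.
LOCAL_RULES = """\
alert tcp any any -> any 80 (msg:"PRIO-HIGH WEB-MISC test probe"; content:"/probe"; sid:1001; rev:1;)
alert tcp any any -> any 21 (msg:"PRIO-LOW FTP test login"; content:"USER test"; sid:1002; rev:2;)
"""
UPSTREAM_RULES = """\
alert tcp any any -> any 80 (msg:"WEB-MISC test probe"; content:"/probe/v2"; sid:1001; rev:2;)
alert tcp any any -> any 21 (msg:"FTP test login"; content:"USER test"; sid:1002; rev:2;)
alert udp any any -> any 53 (msg:"DNS test query"; content:"|01 00 00 01|"; sid:1003; rev:1;)
"""

MSG_RE = re.compile(r'msg:"[^"]*";')

def rule_fields(rule):
    """Return (sid, rev) for a rule line, or None if it carries no sid."""
    sid = re.search(r'\bsid:(\d+);', rule)
    rev = re.search(r'\brev:(\d+);', rule)
    if not sid:
        return None
    return int(sid.group(1)), (int(rev.group(1)) if rev else 0)

def parse_rules(text):
    """Map sid -> (rev, rule_line), skipping blank lines and comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = rule_fields(line)
        if fields:
            rules[fields[0]] = (fields[1], line)
    return rules

def merge(local_text, upstream_text):
    """Merge upstream into local; return (merged rule lines, per-sid change log)."""
    local = parse_rules(local_text)
    merged = dict(local)
    changes = {"added": [], "updated": [], "unchanged": []}
    for sid, (rev, rule) in parse_rules(upstream_text).items():
        if sid not in local:
            merged[sid] = (rev, rule)
            changes["added"].append(sid)
        elif rev > local[sid][0]:
            # Take the new rule body but keep the locally edited msg text.
            local_msg = MSG_RE.search(local[sid][1])
            if local_msg:
                rule = MSG_RE.sub(lambda _m: local_msg.group(0), rule, count=1)
            merged[sid] = (rev, rule)
            changes["updated"].append(sid)
        else:
            changes["unchanged"].append(sid)
    return [merged[s][1] for s in sorted(merged)], changes
```

Running `merge(LOCAL_RULES, UPSTREAM_RULES)` updates sid 1001 (rev 1 to 2) while keeping its "PRIO-HIGH" msg, leaves 1002 alone, and adds 1003.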