[Snort-sigs] rule merging/updating tools?

Edwin Eefting edwin at ...149...
Fri Oct 26 05:23:02 EDT 2001


yep, I already found this tool, but the problem is that it is only for 
win2k. (wtf??)
Seems a littlebit unlogical to use a win2k tool when then only thing we 
have here is linux and bsd.
A bigger problem is that we want to have the rules updated fully 
automaticly by scripting. (every day or so)

This will all be too compilcated with a gui-tool that runs on another 
box on win2k, so I think it's time to fire up good ol' perl. :-)


Thanks anyway,
Edwin Eefting

Dell, Jeffrey wrote:

>If you are using Windows 2k on your workstation you can use IDS Policy
>Manager http://www.activeworx.com to do this. It has an intricate merge
>function that can merge rules from www.snort.org and www.whitehats.com. Here
>are some of the features of it's merge function:
>
>* Checks to see if the rule exists, if not it adds it
>* Checks to see if the rev has increased. If so it updates the rule
>* Checks to see if the variables exist. If not you can add or change it
>* Adds new groups that didn't exist before
>* Checks to see if a Signature ID > 1000000. If it exists it removes it and
>adds a new one that that is the Maximum SID of the policy + 1. If it doesn't
>exist it just adds a SID that is the Maximum SID + 1.
>* For the whitehat ruleset it removes the classification because it doesn't
>match
>* For the whitehat ruleset it cleans up the name
>* For the whitehat ruleset it merges the rules into the appropriate
><group>.rules file
>* Creates sig-msg.map file to use with barnyard
>* Just added the ability to merge rules from the web
>
>The only problem is that it is for win2k. It does scp/ftp files to any OS
>though. I use it primarily with *nix Snort sensors. 
>
>
>Jeff
>
>-----Original Message-----
>From: Edwin Eefting [mailto:edwin at ...149...]
>Sent: Friday, October 26, 2001 5:30 AM
>To: snort-sigs at lists.sourceforge.net; DEMARC-Users at ...162...
>Subject: [Snort-sigs] rule merging/updating tools?
>
>
>Is there a tool to update existing rules?
>
>Currently demarc just overwrites the rules, but I need something that 
>only updates the rules that are changed, AND doesn't change the 
>msg-text. (because i change those to define priority's with demarc.)
>
>If there isn't, i'm going to write something myself.
>
>thanks
>Edwin Eefting
>
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>






More information about the Snort-sigs mailing list