[Snort-sigs] ignore specific sid's ?

Bennett Todd bet at ...654...
Wed Aug 14 09:29:03 EDT 2002

2002-08-13-17:33:31 Ian Macdonald:
> also look at oinkmaster

Or, if you want something slightly simpler, for the trivial case of
ignoring just one sid, or just a handful of sids, you could whap the
rules with a wee smidgeon of perl after you download 'em, before you
deploy 'em:

	perl -pi -e 's/^/#/ if /sid:4711;/' *

That's awfully simple. It doesn't get too much worse if you have a
handful of sids to ignore:

	perl -pi -e 's/^/#/ if /sid:(?:4711|4853|6745);/' *

If you have more than that, up to some fairly large number it can
remain supportable if you have e.g. /etc/snort/badsids, a file with
one sid number per line, and your perl becomes something like

    #!/usr/bin/perl -pi
    my $pat;
    BEGIN {
        # Read the sids to drop (one per line) once, before -p starts
        # looping over the rules files.
        open FP, "</etc/snort/badsids" or die "badsids: $!";
        my @badsids = <FP>;
        close FP;
        chomp @badsids;
        # Build one alternation, e.g. sid:(?:4711|4853|6745);
        $pat = 'sid:(?:' . join('|', @badsids) . ');';
        $pat = qr/$pat/;
    }
    # Comment out any rule line carrying one of those sids.
    s/^/#/ if /$pat/;

or thereabouts (untested).

Get any more hair on your problem spec and you've probably grown to
justify the complexity of oinkmaster.
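The same badsids approach in Python, as an added example that is not from the post above: it reads the one-sid-per-line file, comments out matching rules, and also covers two cases the one-liner misses, a rule continued over several lines with a trailing backslash and a rule that is already commented out (so rerunning it never stacks `#`). The rules and sid list embedded below are constructed sample input, not a real ruleset.

```python
import re
from typing import Iterable, List, Set

# Snort tolerates whitespace after "sid:"; the trailing ';' keeps 4711
# from also matching 47110.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def load_badsids(text: str) -> Set[int]:
    """One sid per line; blank lines and '#' comments are ignored."""
    sids: Set[int] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sids.add(int(line))
    return sids

def disable_sids(rule_lines: Iterable[str], badsids: Set[int]) -> List[str]:
    """Comment out every rule whose sid is in badsids.

    Follows a rule continued with a trailing backslash across all its lines,
    and skips a rule that is already commented out so reruns never stack '#'.
    """
    out: List[str] = []
    rule: List[str] = []  # lines of the rule being collected
    for line in rule_lines:
        rule.append(line)
        if line.rstrip("\r\n").endswith("\\"):
            continue  # continuation line: the rule is not complete yet
        m = SID_RE.search("".join(rule))
        already_off = rule[0].lstrip().startswith("#")
        if m and int(m.group(1)) in badsids and not already_off:
            out.extend("#" + part for part in rule)
        else:
            out.extend(rule)
        rule = []
    out.extend(rule)  # unterminated continuation at EOF is passed through
    return out

# Constructed sample input, not real Snort rules or sids from a ruleset.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed one"; sid:4711; rev:1;)
alert tcp any any -> any 80 (msg:"constructed two"; \\
    sid: 4853; rev:2;)
alert tcp any any -> any 80 (msg:"keep me"; sid:47110; rev:1;)
# alert tcp any any -> any 80 (msg:"already off"; sid:6745; rev:1;)
"""
SAMPLE_BADSIDS = "4711\n4853\n6745  # constructed list\n"
```

To apply it to a real file, feed `open(path).readlines()` to `disable_sids` and write the returned lines back out.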

