[Snort-sigs] ignore specific sid's ?

Dragos Ruiu dr at ...100...
Thu Aug 15 15:42:03 EDT 2002


grep -v "sid:4711" | grep -v "sid:10?1"

etc...

cheers,
--dr

P.S.  The following is the fancy one-liner that deals with \
sed -e :a -e '/\\$/N; s/\\\n//; ta'


On August 14, 2002 04:16 pm, Bennett Todd wrote:
> 2002-08-13-17:33:31 Ian Macdonald:
> > also look at oinkmaster
>
> Or, if you want something slightly simpler, for the trivial case of
> ignoring just one sid, or just a handful of sids, you could whap the
> rules with a wee smidgeon of perl after you download 'em, before you
> deploy 'em:
>
> 	perl -pi -e 's/^/#/ if /sid:4711;/' *
>
> That's awfully simple. It doesn't get too much worse if you have a
> handful of sids to ignore:
>
> 	perl -pi -e 's/^/#/ if /sid:(?:4711|4853|6745);/' *
>
> If you have more than that, up to some fairly large number it can
> remain supportable if you have e.g. /etc/snort/badsids, a file with
> one sid number per line, and your perl becomes something like
>
>     #!/usr/bin/perl -pi
>     my $pat;
>     BEGIN {
> 	open FP, "</etc/snort/badsids";
> 	my @badsids = <FP>;
> 	close FP;
> 	chomp @badsids;
> 	$pat = 'sid:(?:' . join('|', @badsids) . ');';
> 	$pat = qr/$pat/;
>     }
>     s/^/#/ if /$pat/;
>
> or thereabouts (untested).
>
> Get any more hair on your problem spec and you've probably grown to
> justify the complexity of oinkmaster.
>
> -Bennett
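The two pieces of the thread fit together: commenting out rules by sid only works reliably if the backslash-continued rules are joined into one physical line first, otherwise the line that carries "sid:" gets commented out while the other fragments of the same rule are left behind. The script below is an added example written for this page, not code from either poster. It uses the sed idiom from the P.S. to join continuations, then comments out any rule whose sid is listed one-per-line in a badsids file, matching on "sid: N;" with the trailing semicolon so that sid 4711 does not also catch sid 47110. The rules, the file names local.rules and badsids, and the sample sid list are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: disable Snort rules whose sid appears
# in a one-sid-per-line file, after joining backslash-continued rules so a
# multi-line rule is commented out as a whole. File names and the sample
# rules below are constructed for the demonstration.

# Join "\"-continued lines into one physical line (the sed idiom from the
# reply). Note: a trailing backslash on the very last line leaves N with no
# input; GNU sed still prints the pattern space, strict POSIX sed may not.
join_continuations() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1"
}

# Build an alternation like "4711|4853|6745" from a badsids file, ignoring
# blank lines, comments and anything that is not a plain integer.
sid_alternation() {
    grep -E '^[[:space:]]*[0-9]+[[:space:]]*$' "$1" | tr -d ' \t' | tr '\n' '|' | sed 's/|$//'
}

# Usage: disable_sids RULES_FILE BADSIDS_FILE  -> rewritten rules on stdout.
# Matching on "sid: *N *;" (not just "sid:N") keeps sid 4711 from also
# catching sid 47110. Lines already commented are passed through unchanged.
disable_sids() {
    rules=$1
    pat=$(sid_alternation "$2")
    if [ -z "$pat" ]; then
        # nothing to disable: still emit the joined rules for consistency
        join_continuations "$rules"
        return
    fi
    join_continuations "$rules" | awk -v pat="sid: *(${pat}) *;" '
        /^#/       { print; next }
        $0 ~ pat   { print "#" $0; next }
                   { print }'
}

# Constructed sample input used by the demo below.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"rule one"; sid:4711; rev:1;)
alert tcp any any -> any 80 (msg:"rule two"; \
    content:"foo"; \
    sid:4853; rev:1;)
alert tcp any any -> any 80 (msg:"rule three"; sid:47110; rev:1;)
# an existing comment is left alone
alert tcp any any -> any 25 (msg:"rule four"; sid:6745; rev:2;)
EOF
}

# Stand-alone demonstration: rules one, two and four come out commented,
# rule three (sid 47110) and the existing comment are untouched.
demo() {
    tmp=$(mktemp -d)
    make_sample_rules "$tmp/local.rules"
    printf '4711\n4853\n6745\n' > "$tmp/badsids"
    disable_sids "$tmp/local.rules" "$tmp/badsids"
    rm -rf "$tmp"
}

demo
```

Commenting rules out rather than grep -v'ing them keeps the disabled sids visible in the deployed file, which makes it easier to see what was suppressed when the next rule update arrives.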
