[Snort-users] One liner to generate map file from rules.

Phil Wood cpw at ...440...
Tue Aug 27 16:29:03 EDT 2002


On Tue, Aug 27, 2002 at 01:06:43PM +0000, Dragos Ruiu wrote:
> If in doubt...
> 

Looks like my kind of script!

>  cat *rules  | grep "msg:" | sed -e 's/^.*msg:\"//' | sed -e 's/\"\;.*sid:/%/' | sed -e 's/\;.*$/ || /' |  awk -F'%' ' { print $2 $1 }' >sid-msg.map

Using 1.9 rules I had to do this (following the cat|grep|sed|awk approach):

===============================================================================
#!/bin/sh
# makemap
# usage:
#    % cat *.rules | makemap > /tmp/sid-msg.map
#
# Keep only rules that carry both msg and sid, normalise the options into
# "name:value" form, put one option per line (the closing parenthesis becomes
# a synthetic "end:" option), and let awk reassemble each rule as
# "sid || msg || reference ...".
#
# Caveats: awk splits fields on ':', so an msg text that itself contains a
# colon is cut at that colon, and references come out in reverse order of
# appearance.  The option-name patterns are anchored to the start of the
# line; an unanchored /end/ also matches an msg line such as
# "CHAT AIM send message" and fires early with the previous rule's sid,
# which is what produced the stray "1631 || CHAT AIM send message" line in
# the output below.
egrep "msg:.*sid:" | \
  sed -e 's/^.*(msg:[ "]*/msg:/' \
      -e 's/reference:[ ]*/reference:/g' \
      -e 's/"[ ]*;/;/' \
      -e 's/[ ]*)$/;end:/' \
    | tr ';' '\012' \
    | egrep "msg:|reference:|sid:|end:" \
    | awk -F: '
        /^ *msg:/       { msg = $2; i = 0 }
        /^ *reference:/ { ref[i++] = $2 }
        /^ *sid:/       { sid = $2 }
        /^ *end:/       { printf "%d || %s", sid, msg
                          if (i > 0) while (i--) printf " || %s", ref[i]
                          printf "\n" }'

===============================================================================

to get this:

% cat chat.rules | makemap
540 || CHAT MSN chat access
541 || CHAT ICQ access
542 || CHAT IRC nick change
1639 || CHAT IRC DCC file transfer request
1640 || CHAT IRC DCC chat request
1729 || CHAT IRC channel join
1463 || CHAT IRC message
1789 || CHAT IRC dns request
1790 || CHAT IRC dns response
307 || CHAT IRC EXPLOIT topic overflow || bugtraq,573 || cve,CVE-1999-0672
1382 || CHAT IRC EXPLOIT Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
1631 || CHAT AIM login
1631 || CHAT AIM send message
1632 || CHAT AIM send message
1633 || CHAT AIM recieve message

> 
> This will give you a map file from your rules.
> It's not pretty but it is short... :-) I know I could
> have used just one sed...but this works. :-)
> 
> Cheers,
> --dr
> 
> -- 
> dr at ...381...   pgp: http://dragos.com/kyxpgp
> Advance CanSecWest/03 registration available: http://cansecwest.com
> "The question of whether computers can think is like the question
>   of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

-- 
Phil Wood, cpw at ...440...
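As an added example (not code from either post), here is a single-pass awk variant of makemap that reads rules on stdin, takes msg from between its quotes so colons inside the message survive, skips commented-out rules and rules without a sid, and keeps references in file order. It assumes only POSIX sh and awk; the sample rules at the bottom are constructed test input (the first one reuses the sid and references shown in the output above).

```shell
#!/bin/sh
# makemap2: build a sid-msg.map from Snort rules read on stdin.
# Added example; assumes POSIX sh and awk only.

makemap2() {
  awk '
    /^[ \t]*#/ { next }                      # commented-out rule
    {
      body = substr($0, index($0, "(") + 1)  # option block after "("
      sub(/\)[ \t]*$/, "", body)
      # msg: everything between the first pair of double quotes
      if (!match(body, /msg:[ \t]*"[^"]*"/)) next
      msg = substr(body, RSTART, RLENGTH)
      sub(/^msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
      # sid: digits only; a rule without one cannot be mapped
      if (!match(body, /sid:[ \t]*[0-9]+/)) next
      sid = substr(body, RSTART, RLENGTH); sub(/^sid:[ \t]*/, "", sid)
      # references, in the order they appear in the rule
      refs = ""; rest = body
      while (match(rest, /reference:[ \t]*[^;]+/)) {
        r = substr(rest, RSTART, RLENGTH)
        sub(/^reference:[ \t]*/, "", r); sub(/[ \t]+$/, "", r)
        refs = refs " || " r
        rest = substr(rest, RSTART + RLENGTH)
      }
      print sid " || " msg refs
    }'
}

# Constructed sample rules: a commented-out rule, a rule with two references,
# a rule whose msg contains a colon, and a rule without a sid.
SAMPLE_RULES='# alert tcp any any -> any 6667 (msg:"commented out"; sid:1;)
alert tcp any any -> any 6667 (msg:"CHAT IRC EXPLOIT topic overflow"; reference:bugtraq,573; reference:cve,CVE-1999-0672; sid:307; rev:3;)
alert tcp any any -> any 80 (msg:"WEB-MISC test: colon in msg"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"no sid here";)'

# Feed the sample through makemap2; the map text goes to stdout.
run_sample() {
  printf '%s\n' "$SAMPLE_RULES" | makemap2
}

run_sample
```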
