[Snort-users] Diff'ing rulesets

Lars Jørgensen IT Lars.Jorgensen at ...4490...
Tue Jan 8 01:46:06 EST 2002


Hi!

I am currently writing a script for automatic download of new rulefiles,
unpacking and diffing against my current sets. Of course, diff catches my
changes to the rulesets, which is okay, but I would like it not to catch
rules I have commented out.

I've been banging my head against diff's "-I" switch for some time now.
According to docs I can find around the net, this should work:

diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules 

But I get the output below, which is exactly what I don't want to see. Can
anybody help me?

17,21c17,21
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";
classtype:attempted-admin; sid:262; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";
classtype:attempted-admin; sid:264; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux
ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";
classtype:attempted-admin; sid:265; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";
classtype:attempted-admin; sid:266; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT
sparc";flags: A+; content:"|90 1a c0 0f  90 02 20 08 92 02 20 0f d0 23 bf
f8|"; classtype:attempted-admin; sid:267; rev:1;)
---
> # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";
classtype:attempted-admin; sid:262; rev:1;)
> # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";
classtype:attempted-admin; sid:264; rev:1;)
> # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux
ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";
classtype:attempted-admin; sid:265; rev:1;)
> # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";
classtype:attempted-admin; sid:266; rev:1;)
> # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT
sparc";flags: A+; content:"|90 1a c0 0f  90 02 20 08 92 02 20 0f d0 23 bf
f8|"; classtype:attempted-admin; sid:267; rev:1;)

I have tried "^#", "#", "..alert" and every other permutation I could think
of. There's something fundamental I'm not understanding.


-- 
Lars Jorgensen
Network Administrator
A/S Dagbladet Politiken
tel. +45 3347 2965 
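The behaviour Lars is hitting, shown with a normalise-then-diff approach (an added example, not part of the original post; the file names and the shortened sample rules are constructed, and `mktemp`/`awk`/`diff` are assumed to be the usual POSIX tools):

```shell
#!/bin/sh
# Added example, not from the original post. diff's -I drops a hunk only when
# every added or deleted line in it matches the pattern; a hunk pairing an
# active upstream rule ("<" lines) with its locally commented copy (">" lines)
# never qualifies, which is why the post's command still prints those rules.
# Normalising both files before diffing makes commented-out rules invisible
# while real upstream changes (and genuine local edits) still show up.

# Turn a locally disabled rule ("# alert ...") back into "alert ...", and drop
# every other comment or blank line so that only rule text gets compared.
normalize_rules() {
    awk '
        /^#[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ { sub(/^#[ \t]*/, "") }
        /^#/ || /^[ \t]*$/ { next }
        { print }
    ' "$1"
}

# Count rule lines that genuinely differ between the downloaded file ($1) and
# the deployed file ($2). 0 means the only differences were local disables.
rule_changes() {
    new_norm=$(mktemp) && cur_norm=$(mktemp) || return 2
    normalize_rules "$1" > "$new_norm"
    normalize_rules "$2" > "$cur_norm"
    # diff exits 1 when the files differ and grep -c exits 1 on zero matches;
    # both are data here, not errors, so keep the count and ignore the status.
    diff "$new_norm" "$cur_norm" | grep -c '^[<>]' || true
    rm -f "$new_norm" "$cur_norm"
}

# Constructed sample rule files (shortened, not real Snort rule sets).
demo_dir=$(mktemp -d)
cat > "$demo_dir/dns.rules.new" <<'EOF'
# upstream header comment
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux"; sid:262; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc"; sid:267; rev:1;)
EOF
# Local copy: sid 262 disabled by commenting it out, nothing else changed.
cat > "$demo_dir/dns.rules.current" <<'EOF'
# upstream header comment
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux"; sid:262; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc"; sid:267; rev:1;)
EOF
# A later upstream release where sid 267 was revised (rev:2).
sed 's/sid:267; rev:1;/sid:267; rev:2;/' "$demo_dir/dns.rules.new" > "$demo_dir/dns.rules.updated"

echo "changes vs. same release:    $(rule_changes "$demo_dir/dns.rules.new" "$demo_dir/dns.rules.current")"
echo "changes vs. updated release: $(rule_changes "$demo_dir/dns.rules.updated" "$demo_dir/dns.rules.current")"
```

The first call reports 0 because the only difference is the local comment marker; the second reports 2 (one deleted and one inserted line) for the revised rule, which is the change you actually want to review.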
