[Snort-users] Diff'ing rulesets
wr6 at ...4412...
Tue Jan 8 04:22:02 EST 2002
On Tuesday 08 January 2002 10:45, Lars Jørgensen IT wrote:
> I am currently writing af script for automatic download of new rulefiles,
> unpacking and diffing against my current sets. Of course, diff catches my
> changes to the rulesets, which is okay, but I would like it not to catch
> rules I have commented out.
> I've been banging my head against diff's "-I" switch for some time now.
> According to docs I can find around the net, this should work:
> diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules
> But I get the output below, which is exacly what I don't want to see. Can
> anybody help me?
> < alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> > # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
Why don't you do
cat /etc/snort/rules | sed 's/# alert /alert/' > myrules
diff dns.rules myrules
More information about the Snort-users