[Snort-users] My ruleset differ/merg0r :-)
edwin at ...2758...
Tue Jan 8 05:05:03 EST 2002
It seems there still isn't a good rulemerging tool for snort rulefiles. I already
created a rulemerger for use with the mysql database of demarc, so I
decided to create a variant that can process rules from stdin.
Download it at http://iowa.bit.nl/scripts/merger1-1-0.tar.gz
The source code is quite clean and readable, so it's easy to adjust to your needs.
The program can update a snort configuration file with new rules, and it
leaves the existing rules intact. Non-existing rules will also be added to
a special section. The msg:"" part of a rule stays intact at all times
(even when it's updated). So the program should be pretty flexible.
Hopefully my contribution helps the snort-project a little bit. :)
On Tue, 8 Jan 2002 13:23:44 +0100 Wolfgang Rohdewald <wr6 at ...4412...> wrote:
> On Tuesday 08 January 2002 10:45, Lars Jørgensen IT wrote:
> > Hi!
> > I am currently writing a script for automatic download of new rulefiles,
> > unpacking and diffing against my current sets. Of course, diff catches my
> > changes to the rulesets, which is okay, but I would like it not to catch
> > rules I have commented out.
> > I've been banging my head against diff's "-I" switch for some time now.
> > According to docs I can find around the net, this should work:
> > diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules
> > But I get the output below, which is exactly what I don't want to see. Can
> > anybody help me?
> > 17,21c17,21
> > < alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> > ---
> > > # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> Why don't you do
> cat /etc/snort/rules | sed 's/# alert /alert /' > myrules
> diff dns.rules myrules
Edwin Eefting
Business Internet Trends BV
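
An added example, not part of the thread and not Edwin's merger: GNU diff's `-I` only suppresses a hunk when every changed line in it matches the expression, so this script instead normalizes commented-out rules before comparing and lists only the upstream rules that the local file lacks in any form. It assumes one rule per line; the function names, file names, sample rules and sids are constructed for illustration.

```sh
#!/bin/sh
# Added example: list upstream Snort rules that are new to a local rule file,
# treating a locally commented-out rule as already present.

# One normalized rule per line: uncomment disabled rules, drop remaining
# comments and blank lines, squeeze runs of whitespace.
normalize_rules() {
    sed -E -e 's/^[[:space:]]*#[[:space:]]*(alert|log|pass)[[:space:]]+/\1 /' \
           -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' \
           -e 's/[[:space:]]+/ /g' -e 's/ $//' "$1"
}

# new_rules UPSTREAM LOCAL: rules in UPSTREAM that have no enabled or
# disabled counterpart in LOCAL.
new_rules() {
    known=$(mktemp) || return 1
    normalize_rules "$2" > "$known"
    rc=0
    # -F fixed strings, -x whole line, -v keep lines NOT found in $known
    normalize_rules "$1" | grep -Fvx -f "$known" || rc=$?
    rm -f "$known"
    [ "$rc" -le 1 ]   # grep exits 1 when nothing is new; that is not an error
}

# Constructed sample data: the local copy has sid 1000001 commented out,
# sid 1000002 with different spacing, and no sid 1000003.
demo_dir=$(mktemp -d)
cat > "$demo_dir/upstream.rules" <<'EOF'
# Constructed upstream file
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE rule one"; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE rule two"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE rule three"; sid:1000003;)
EOF
cat > "$demo_dir/local.rules" <<'EOF'
# Constructed local file
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE rule one"; sid:1000001;)
alert udp  $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE rule two"; sid:1000002;)
EOF

# Prints only the rule with sid 1000003.
new_rules "$demo_dir/upstream.rules" "$demo_dir/local.rules"
```
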