[Snort-users] My ruleset differ/merg0r :-)

Edwin Eefting edwin at ...2758...
Tue Jan 8 05:05:03 EST 2002


Hello there,

It seems there still isn't a good rule-merging tool for snort rulefiles. I already
created a rulemerger for use with the mysql database of demarc, so I
decided to create a variant that can process rules from stdin.

Download it at http://iowa.bit.nl/scripts/merger1-1-0.tar.gz

The source code is quite clean and readable, so it's easy to adjust to your needs.
The program can update a snort configuration file with new rules, and it
leaves the existing rules intact. Non-existing rules will also be added to
a special section. The msg:"" part of a rule stays intact at all times
(even when it's updated), so the program should be pretty flexible.

Hopefully my contribution helps the snort-project a little bit. :)


Edwin Eefting

On Tue, 8 Jan 2002 13:23:44 +0100 Wolfgang Rohdewald <wr6 at ...4412...> wrote:

> On Tuesday 08 January 2002 10:45, Lars Jørgensen IT wrote:
> > Hi!
> >
> > I am currently writing a script for automatic download of new rulefiles,
> > unpacking and diffing against my current sets. Of course, diff catches my
> > changes to the rulesets, which is okay, but I would like it not to catch
> > rules I have commented out.
> >
> > I've been banging my head against diff's "-I" switch for some time now.
> > According to docs I can find around the net, this should work:
> >
> > diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules
> >
> > But I get the output below, which is exactly what I don't want to see. Can
> > anybody help me?
> >
> > 17,21c17,21
> > < alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> > ---
> >
> > > # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> 
> Why don't you do 
> 
> cat /etc/snort/rules | sed 's/# alert /alert/' > myrules
> diff dns.rules myrules
> 
> 


--                            __________________
                             /\ ___/          
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________
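As an added illustration (not Edwin's merger and not part of the original mail), here is a small Python sketch of the behaviour the mail describes: rules are matched by sid (an assumption, the mail does not say what the merger keys on), an updated rule keeps the local msg:"" and stays commented out if the admin disabled it, unknown rules go to a separate section, and a per-rule comparison replaces the diff -I attempt from the quoted question. The sample rule lines are constructed, not a real ruleset.

```python
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)')
MSG_RE = re.compile(r'msg:"[^"]*"')
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass)\b')   # a rule, enabled or commented out

def parse_rules(text):
    """Map sid -> (commented_out, rule text without the leading '#').
    Assumption: every rule carries a sid; lines without one are left alone."""
    rules = {}
    for line in text.splitlines():
        sid = SID_RE.search(line) if RULE_RE.match(line) else None
        if sid:
            stripped = line.lstrip()
            rules[sid.group(1)] = (stripped.startswith('#'), stripped.lstrip('#').strip())
    return rules

def merge(current, new):
    """Update `current` with `new`: a known sid gets the new rule body but keeps the
    local msg:"" and stays disabled if it was commented out; unknown sids are appended
    under a marker section; local rules missing from `new` are left untouched."""
    new_rules, out, seen = parse_rules(new), [], set()
    for line in current.splitlines():
        sid = SID_RE.search(line) if RULE_RE.match(line) else None
        if not sid or sid.group(1) not in new_rules:
            out.append(line)
            continue
        seen.add(sid.group(1))
        body = new_rules[sid.group(1)][1]
        old_msg = MSG_RE.search(line)
        if old_msg:  # keep the administrator's message text, as the merger does
            body = MSG_RE.sub(lambda _: old_msg.group(0), body, count=1)
        out.append(('# ' if line.lstrip().startswith('#') else '') + body)
    added = [body for sid, (_, body) in new_rules.items() if sid not in seen]
    if added:
        out += ['# --- rules added by merge ---'] + added
    return '\n'.join(out) + '\n'

def changed_sids(current, new):
    """Sids whose rule text really differs once the '# ' disabling marker is ignored:
    the comparison diff -I was supposed to give, done per rule instead of per line."""
    cur, upd = parse_rules(current), parse_rules(new)
    return sorted(s for s in cur if s in upd and cur[s][1] != upd[s][1])

# Constructed sample files (not a real ruleset); sids in the local range.
CURRENT = """# constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 (local name)"; sid:1000001;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS noisy"; sid:1000002;)
"""
NEW = """alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86"; flags:A+; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS noisy"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS new sig"; sid:1000003;)
"""
```

Running `merge(CURRENT, NEW)` keeps the local msg on sid 1000001, leaves 1000002 commented out, and appends 1000003 under the marker; `changed_sids(CURRENT, NEW)` reports only 1000001, since 1000002 differs by nothing but the disabling marker.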