[Snort-users] Diff'ing rulesets

Chr. v. Stuckrad stucki at ...3882...
Tue Jan 8 08:15:03 EST 2002


Hi!

Just a small warning, what if somebody has 'broken' a rule
into several lines by adding '\' at the end of lines?

Like:
redalert tcp $EXTERNAL_NET any -> $SSH_AFFECTED 22     \
    (msg:"EXPLOIT ssh explicitely kill connection";  \
    resp:rst_all; \
    classtype:bad-known;)

So maybe the third line was changed to
	resp:icmp_all

If somebody changes only *part* of (a partial line of!) a rule,
the 'diff' catches only this *part* and possibly appends nonsense?!

Sincerely yours,    Stucki

On Tue, Jan 08, 2002 at 10:47:18AM -0500, Andy Wood wrote:
...
> diff -b current_mod.rules new.rules | awk '/>/' | \
> ...
...
> I think this will work.....it worked here.
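One way to make the diff-and-extract approach robust against backslash-continued rules is to join the continuation lines first, so that diff compares whole rules and a change in one fragment surfaces as the complete rule. The script below is an added example written for this thread; it is not Andy's pipeline and not Snort code. The two rulesets are constructed samples (a rule whose `resp:` keyword changes across versions plus one unchanged rule); `join_continuations` and `changed_rules` are names chosen here. Whitespace is collapsed during the join, which plays the same normalizing role as `diff -b` above.

```bash
#!/bin/sh
# Added example: join backslash-continued Snort rule lines before diffing,
# so a change inside a multi-line rule is reported as the whole rule.

# Constructed sample rulesets (not from the original mail or the Snort distribution).
OLD_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXAMPLE ssh rule"; \
    resp:rst_all; \
    classtype:bad-unknown;)
alert udp any any -> any 53 (msg:"EXAMPLE dns rule";)'

NEW_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXAMPLE ssh rule"; \
    resp:icmp_all; \
    classtype:bad-unknown;)
alert udp any any -> any 53 (msg:"EXAMPLE dns rule";)'

# join_continuations: reads rules on stdin and joins every line ending in '\'
# with the line that follows it. Runs of blanks/tabs are collapsed to one space
# so that indentation changes alone do not show up as differences.
join_continuations() {
    awk '
    {
        line = $0
        # trailing backslash: strip it, buffer the fragment, keep reading
        if (sub(/[ \t]*\\[ \t]*$/, " ", line)) { buf = buf line; next }
        buf = buf line
        gsub(/[ \t]+/, " ", buf)
        print buf
        buf = ""
    }
    END { if (buf != "") { gsub(/[ \t]+/, " ", buf); print buf } }'
}

# changed_rules OLD NEW: print each complete rule that is new or modified in NEW
# (the "> " side of diff), one rule per line.
changed_rules() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$1" | join_continuations > "$old"
    printf '%s\n' "$2" | join_continuations > "$new"
    diff "$old" "$new" | sed -n 's/^> //p'
    rm -f "$old" "$new"
}

# Stand-alone run: prints the one ssh rule, joined onto a single line.
changed_rules "$OLD_RULES" "$NEW_RULES"
```

With a raw line-based diff the only output would be the fragment `resp:icmp_all; \`, which is not a loadable rule; after joining, the output is the full `alert tcp ...` rule containing the new `resp:` option, and the untouched dns rule does not appear.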
