[Snort-users] Script to transition rules from 1.8 to 1.9

Crow, Owen Owen_Crow at ...2639...
Fri Jan 3 10:33:06 EST 2003


I finally got around to updating to 1.9.  I've spent months (or is it
years now?) trimming the 1.8 rules to eliminate false positives in my
environment.  I didn't want to lose my changes and most especially my
comments in the rules files.  I've been using IDS Policy Manager from
Activeworx (www.activeworx.com) to manage the rules and it puts a comment on
the line before a rule if the user provides one.

Attached is the very rough Perl script I used to scan the old rules for
their enabled/disabled state and associated comments.  It then
enables/disables the corresponding 1.9 rule and adds in the comments.  Lots
could be done to make this work for non-IDSPM comments, non-regular rule
layouts, etc, if someone has the time.

Now I can go through and try re-enabling some of the old rules to see if the
1.9 extensions have improved their accuracy.

Worked for me but use at your own risk.  Oh, I haven't been reading the list
for a while, so my apologies if a better script of this type has already
been posted.

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

 <<snort-1.8-1.9.pl>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-1.8-1.9.pl
Type: application/octet-stream
Size: 2556 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030103/2aefe22d/attachment.obj>
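
The migration the message describes, as an added Python example; it is not the scrubbed attachment and not the poster's code. It assumes old and new rules are paired by their sid option and that a comment is a single "#" line directly before its rule; the function names and sample rules are constructed for illustration.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_RE = re.compile(r"^(#\s*)?((?:alert|log|pass|activate|dynamic)\s.+)$")

def parse_rule(line):
    """Return (sid, enabled, rule_text), or None. Pairing by sid is an assumption."""
    m = RULE_RE.match(line.strip())
    sid = SID_RE.search(m.group(2)) if m else None
    return (int(sid.group(1)), m.group(1) is None, m.group(2)) if sid else None

def collect_state(old_lines):
    """Map sid -> (enabled, comment on the line before the rule, or None)."""
    state, prev = {}, None
    for line in old_lines:
        parsed, text = parse_rule(line), line.strip()
        if parsed:
            state[parsed[0]] = (parsed[1], prev)
        prev = text if not parsed and text.startswith("#") else None
    return state

def migrate(old_lines, new_lines):
    """Apply the old enabled/disabled state and comments to the new rules."""
    state, out = collect_state(old_lines), []
    for line in new_lines:
        parsed = parse_rule(line)
        if not parsed or parsed[0] not in state:
            out.append(line.rstrip("\n"))  # new or unmatched: keep as shipped
            continue
        enabled, comment = state[parsed[0]]
        if comment and (not out or out[-1] != comment):
            out.append(comment)  # carry the tuning note, without duplicating it
        out.append(parsed[2] if enabled else "# " + parsed[2])
    return out

# Constructed sample rules (not taken from any real rule set).
OLD_RULES = [
    "# tuned: backup server triggers this nightly",
    '# alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"EXAMPLE two"; sid:1000002; rev:1;)',
]
NEW_RULES = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE one"; sid:1000001; rev:2;)',
    '# alert tcp any any -> any 21 (msg:"EXAMPLE two"; sid:1000002; rev:2;)',
    'alert tcp any any -> any 25 (msg:"EXAMPLE three"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    print("\n".join(migrate(OLD_RULES, NEW_RULES)))
```

Rules that exist only in the new set pass through unchanged, so they keep whatever state the new release shipped them in and can be reviewed separately.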

