[Snort-users] New tool: unlimited.py

Tony Robinson deusexmachina667 at ...11827...
Sun Mar 9 00:20:44 EST 2014


First and foremost, if I am abusing snort-users mailing list
communication, please be so kind as to inform me.

Some of you who troll the mailing list may be familiar with a set of
scripts I released some time ago called "Autosnort". Autosnort is
alive, healthy and I'm still actively maintaining and improving it,
but that's not the point of this message. Today I launched another
tool called unlimited.py

https://github.com/da667/unlimited

Unlimited is a simple python script that when provided with csv data
that includes a Generator ID (GID), a SID (Snort Rule ID), the filter
type (threshold, limit, or both), what to track by (src or dst),
number of events (count), and time (in seconds) it will generate
event_filter lines for you.

Example:

1,2801,limit,src,1,3600

results in....

event_filter gen_id 1, sig_id 2801, type limit, track by_src, count 1,
seconds 3600

in plain english:

"for rule 1:2801, limit the number of events generated to only 1 event
per hour, tracked by each unique source IP address triggering this
rule."

You can then take the file generated and, using an include statement,
include it in snort.conf, much the same way include is used to tell
snort where the rule files are located. e.g.:

include /path/to/your/event_limit.conf

or whatever you chose to name the config file.

The script contains some very simple error checking, in that if a line
contains less than 6 or more than 6 values, it will notify you, tell
you which line caused the problem, and then continue processing your
csv file. This includes blank lines in your csv file. However, the
script will NOT validate you input proper values into the csv that
will make syntactically correct event_filter statements. So if you
include a header in your csv file, unlimited will parse it, but will
NOT syntactically check that it produced a valid event_filter
statement. Put simply: No headers, and no Blank lines! I've included a
sample file, test.csv that includes two valid entries so you can see
an example of the format the script expects.

Feel free to use autosnort or unlimited as you see fit. I'm always
receptive to feedback, good or bad, so if you have praise, problems,
bugs, questions, feel free to contact me. My contact information
should be all over my github repos and if not, at the very least, you
now have my e-mail address.

Cheers,

DA_667



-- 
when does reality end? when does fantasy begin?




More information about the Snort-users mailing list