Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Snort IDS signature parser

by semio (Friar)
on Jun 24, 2002 at 00:50 UTC ( #176657=sourcecode: print w/ replies, xml ) Need Help??

Category: Text Processing
Author/Contact Info Dave K, davk@comcast.net
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS e.g. a listing of sigs contained in all .rules files as well as some general information for each, such as the signature id and signature revision number. I created one large file on the IDS called allrules and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
#!/usr/bin/perl -w

use strict;

my (@lines, @clean, $sig);
my $allrules = "allrules";
my $pigsigs = "pigsigs";
my $delimiter = ",";

open ALLRULES, $allrules || die "Could not open file: $1\n";
while (<ALLRULES>) {
push (@lines, $_);
}

foreach $sig (@lines) {
if ($sig =~ /^#/) {
next;
}
if ($sig =~ (m/(\".*?\")/) ) {
push (@clean,($1, $delimiter));
}
if ($sig =~ (m/(sid.*?;)/) ) {
push (@clean,($1, $delimiter));
}
if ($sig =~ (m/(rev:.*?;)/) ) {
push (@clean,($1, "\n"));
}
}

foreach (@clean) {
s/\"|sid:|rev:|;//g;
open (PIGSIGS, ">>$pigsigs");
print PIGSIGS $_;
}
close (PIGSIGS);

Comment on Snort IDS signature parser
Download Code
Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
    sweet worked great. thanks!

Back to Code Catacombs

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: sourcecode [id://176657]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (5)
As of 2014-07-12 06:37 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (238 votes), past polls