
Inserting domain name into Snort rule

by miniperl (Initiate)
on Oct 04, 2012 at 17:31 UTC (#997269=perlquestion)
miniperl has asked for the wisdom of the Perl Monks concerning the following question:

I have a list of domain names that I need to create Snort rules for. Inserting text into a line is not too complicated, but what needs to be done here is.

If I have a domain

It needs to be put into the rule first here:
msg:"watch for domain";

Then inserted again further down the rule but modified first:

The number is a count of the number of characters of each part of the domain. foo contains 3 characters so it is preceded by |03|. There will always be a |00| at the end.

The tricky part is the domain could have any number of sections:

So if I had the end result would be
blah blah blah blah -> blah blah (msg:"watch for domain"; blah; blah; content:"|03|foo|06|foobar|03|com|00|"; blah; blah;)

Re: Inserting domain name into Snort rule
by aaron_baugher (Curate) on Oct 04, 2012 at 18:16 UTC

    Here's one way to get the text string you want, then you just have to plug it in where you need it.

    #!/usr/bin/env perl
    use Modern::Perl;

    # Each label becomes its two-digit length followed by the label itself;
    # the whole thing is wrapped in pipes and finished with |00|.
    sub fix {
        return join '|', '',
            ( map { sprintf('%02d', length $_), $_ } split +/\./, shift ),
            '00', '';
    }

    say fix '';
    say fix '';
    say fix '';

    Aaron B.
    Available for small or large Perl jobs; see my home node.

      I'm probably doing something wrong, but I pulled out the join statement and plugged it into a while loop to read the CSV file, and all I get are a bunch of |00|.


      $work = "/var/tmp/work";
      $input = "$work/domainlist.csv";

      open (IN,"$input") or die "cannot open $input: $!";
      open (OUT,">domainlist.rules") or die "cannot open domainlist.rules: $!";
      while (<IN>) {
        $domain = $_;

          # At top level, shift reads @ARGV (empty here), so split gets nothing
          # and only |00| is printed. Inside the map, $_ is the label, not $domain.
          print join '|', '', ( map { sprintf('%02d',length $domain), $domain } split /\./, shift ), '00', '';
      }
      close IN;
      close OUT;


        That's because my code uses shift to get the first argument to the subroutine. If you take it out of the subroutine, you'll need to replace that shift with the variable that contains the value you want to split.

        Aaron B.
        Available for small or large Perl jobs; see my home node.
