PerlMonks  

Snort IDS signature parser

by semio (Friar)
on Jun 24, 2002 at 00:50 UTC (#176657=sourcecode)

Category: Text Processing
Author/Contact Info Dave K, davk@comcast.net
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS e.g. a listing of sigs contained in all .rules files as well as some general information for each, such as the signature id and signature revision number. I created one large file on the IDS called allrules and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
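#!/usr/bin/perl -w

use strict;

my (@lines, @clean, $sig);
my $allrules  = "allrules";   # concatenation of all .rules files
my $pigsigs   = "pigsigs";    # output file: msg,sid,rev per line
my $delimiter = ",";

# Low-precedence "or" so that die fires when open fails; $! holds the OS error.
open ALLRULES, "<", $allrules or die "Could not open file $allrules: $!\n";
while (<ALLRULES>) {
    push (@lines, $_);
}
close (ALLRULES);

foreach $sig (@lines) {
    # Skip commented-out (disabled) rules.
    if ($sig =~ /^#/) {
        next;
    }
    # First quoted string on the line (the msg text).
    if ($sig =~ (m/(\".*?\")/) ) {
        push (@clean,($1, $delimiter));
    }
    # Match "sid:" as a whole option name so that words such as "inside"
    # in the msg text are not mistaken for the signature id.
    if ($sig =~ (m/\b(sid:.*?;)/) ) {
        push (@clean,($1, $delimiter));
    }
    if ($sig =~ (m/\b(rev:.*?;)/) ) {
        push (@clean,($1, "\n"));
    }
}

# Open the output file once, before the loop, and check for failure.
open (PIGSIGS, ">>", $pigsigs) or die "Could not open file $pigsigs: $!\n";
foreach (@clean) {
    # Strip the quotes, option names and trailing semicolons.
    s/\"|sid:|rev:|;//g;
    print PIGSIGS $_;
}
close (PIGSIGS);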
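
The following is an added example, not part of the original post: it goes beyond the script above by parsing the option block of each rule, so that backslash-continued rules, escaped `\"` and `\;` inside msg, a missing rev, and commas in the msg text all produce well-formed CSV. The sample rules are constructed, and `parse_rules` and `csv_field` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rules, not taken from any real rule set.
my $sample = <<'END';
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE inside request, with comma"; \
    content:"sid=1"; sid:1000002; rev:3;)
alert udp any any -> any 53 (msg:"EXAMPLE \"quoted\" text\; no rev"; sid:1000003;)
END

# Return one [msg, sid, rev] triple per enabled rule in $text.
sub parse_rules {
    my ($text) = @_;
    $text =~ s/\\\r?\n\s*//g;                  # join backslash-continued lines
    my @sigs;
    for my $line (split /\r?\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;        # skip disabled rules and blanks
        my ($body) = $line =~ /\((.*)\)\s*$/ or next;   # the option block
        my %opt;
        # Options are "name;" or "name:value;". A value may contain quoted
        # strings and backslash escapes, so ';' inside them does not end it.
        while ($body =~ /\G\s*([\w.]+)\s*(?::((?:"(?:[^"\\]|\\.)*"|\\.|[^;"\\])*))?;/gc) {
            $opt{$1} = ($2 // '') unless exists $opt{$1};
        }
        my $msg = $opt{msg} // '';
        $msg =~ s/^\s*"|"\s*$//g;              # drop the surrounding quotes
        $msg =~ s/\\(.)/$1/g;                  # unescape \" \; and \\
        my ($sid) = ($opt{sid} // '') =~ /(\d+)/;
        my ($rev) = ($opt{rev} // '') =~ /(\d+)/;
        push @sigs, [$msg, $sid // '', $rev // ''];   # empty field if absent
    }
    return @sigs;
}

# Quote a CSV field only when it contains a comma, quote or newline.
sub csv_field {
    my ($f) = @_;
    return $f unless $f =~ /[",\r\n]/;
    $f =~ s/"/""/g;
    return qq{"$f"};
}

for my $sig (parse_rules($sample)) {
    print join(',', map { csv_field($_) } @$sig), "\n";
}
```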

Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
    sweet worked great. thanks!
