Beefy Boxes and Bandwidth Generously Provided by pair Networks Frank
Do you know where your variables are?
 
PerlMonks  

Inserting domain name into Snort rule

by miniperl (Initiate)
on Oct 04, 2012 at 17:31 UTC ( #997269=perlquestion: print w/ replies, xml ) Need Help??
miniperl has asked for the wisdom of the Perl Monks concerning the following question:

I have a list a domain names that I need to create snort rules for. Inserting text into a line is not too complicated but what needs to be done here is.


If I have a domain
foo.com

It need to be put into rule first here:
msg:"watch for domain foo.com";

Then inserted again further down the rule but modified first:
content:"|03|foo|03|com|00|";

The number is a count of the number of characters of each part of the domain. foo contains 3 characters so it is preceded by |03|. There will always be a |00| at the end.


The tricky part is the domain could have any number of sections:
foo.com
foo.foobar.com
foo.foobar.foo.com

So if I had foo.foobar.com the end result would be
blah blah blah blah -> blah blah (msg:"watch for domain foo.foobar.com"; blah; blah; content:"|03|foo|06|foobar|03|com|00|"; blah; blah;)

Comment on Inserting domain name into Snort rule
Re: Inserting domain name into Snort rule
by aaron_baugher (Chaplain) on Oct 04, 2012 at 18:16 UTC

    Here's one way to get the text string you want, then you just have to plug it in where you need it. 

    #!/usr/bin/env perl
use Modern::Perl;

sub fix {
    return join '|', '', ( map { sprintf('%02d',length $_), $_ } split
+ /\./, shift ), '00', '';
}

say fix 'foo.com';
say fix 'foo.foobar.com';
say fix 'foo.foobar.foo.com';

    [download]

    Aaron B.
    Available for small or large Perl jobs; see my home node.

[reply]
[d/l]

      Im probably doing something wrong but I pulled out the join statement and plugged it in to a while loop to read the csv file and all I get are a bunch of |00|.


      #!/usr/bin/perl

      $work = "/var/tmp/work";
      $input = "$work/domainlist.csv";

      open (IN,"$input");
      open (OUT,">domainlist.rules");
      while (<IN>) {
        chomp();
        $domain = $_;

          print join '|', '', ( map { sprintf('%02d',length $domain), $domain } split /\./, shift ), '00', '';

      }
[reply]
[d/l]
[select]

        That's because my code uses shift to get the first argument to the subroutine. If you take it out of the subroutine, you'll need to replace that shift with the variable that contains the value you want to split.

        Aaron B.
        Available for small or large Perl jobs; see my home node.

[reply]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://997269]
Approved by Athanasius
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (9)
As of 2013-05-19 06:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best material for plates (tableware) is:









    Results (397 votes), past polls