http://www.perlmonks.org?node_id=176657
Category: Text Processing
Author/Contact Info Dave K, davk@comcast.net
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS, i.e. a listing of the sigs contained in all the .rules files, along with some general information for each, such as the signature id (sid) and signature revision number (rev). I created one large file on the IDS called allrules, containing all the rules, and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
#!/usr/bin/perl -w

use strict;

my $allrules  = "allrules";   # all enabled .rules files concatenated into one file
my $pigsigs   = "pigsigs";    # output: one "msg,sid,rev" line per signature
my $delimiter = ",";

# '||' binds tighter than the comma, so "open FH, $file || die ..." never dies;
# use 'or' instead, and report the real error from $! (not $1).
open(ALLRULES, '<', $allrules) or die "Could not open file $allrules: $!\n";
# Open the output once, not on every iteration of the loop.
open(PIGSIGS, '>>', $pigsigs)  or die "Could not open file $pigsigs: $!\n";

while (my $sig = <ALLRULES>) {
    chomp $sig;
    next if $sig =~ /^\s*#/;     # skip comments and disabled (commented-out) rules
    next if $sig =~ /^\s*$/;     # skip blank lines

    # The first double-quoted string in a rule is the msg option text.
    my ($msg) = $sig =~ /"(.*?)"/;
    # Anchor on the option names so the words "sid" or "rev" inside the
    # msg text cannot be mistaken for the options themselves.
    my ($sid) = $sig =~ /\bsid:\s*(\d+)\s*;/;
    my ($rev) = $sig =~ /\brev:\s*(\d+)\s*;/;

    next unless defined $msg;    # not a signature line

    # Missing sid/rev become empty fields so every row keeps three columns.
    print PIGSIGS join($delimiter, map { defined $_ ? $_ : '' } ($msg, $sid, $rev)), "\n";
}

close(ALLRULES);
close(PIGSIGS);
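The script above treats each physical line of allrules as one rule. Real Snort rule files also contain rules continued across lines with a trailing backslash, rules that are disabled by commenting them out (which an inventory of enabled signatures should report separately rather than silently drop), and msg text that can contain commas or escaped quotes, which breaks a naive comma-delimited output. The following is an added example, not part of the original post, showing a slightly more robust parser in the same spirit: it joins continuation lines, records whether each rule is enabled, and quotes the msg field CSV-style. The rule text embedded in it is constructed for illustration (the sids are made-up local-range numbers, not real signatures), and the subroutine names are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample ruleset (not real Snort signatures): one rule split
# across two lines with a backslash, one plain rule, one disabled rule,
# and one rule whose msg contains a comma and the word "sid".
my $sample_rules = <<'END_RULES';
# comment line, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE sid in msg, with comma"; \
    flow:to_server,established; content:"GET"; sid:1000001; rev:3;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:1000002; rev:1;)
#alert icmp any any -> $HOME_NET any (msg:"EXAMPLE disabled rule"; sid:1000003; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE no rev option"; sid:1000004;)
END_RULES

# Join backslash-continued physical lines into single logical rule lines.
sub logical_lines {
    my ($text) = @_;
    my (@out, $buf);
    $buf = '';
    for my $line (split /\n/, $text) {
        if ($line =~ s/\\\s*$//) {    # trailing backslash: rule continues
            $buf .= $line;
            next;
        }
        push @out, $buf . $line;
        $buf = '';
    }
    push @out, $buf if length $buf;   # dangling continuation at EOF
    return @out;
}

# Parse one logical line into a hashref, or undef if it is not a rule.
# A leading '#' marks a disabled rule; an option list in parentheses is required.
sub parse_rule {
    my ($line) = @_;
    my $enabled = ($line =~ s/^\s*#\s*//) ? 0 : 1;
    return undef
        unless $line =~ /^(alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$/s;
    my ($action, $opts) = ($1, $2);
    # msg may contain escaped quotes (\"), so match the quoted body properly.
    my ($msg) = $opts =~ /\bmsg:\s*"((?:[^"\\]|\\.)*)"/;
    my ($sid) = $opts =~ /\bsid:\s*(\d+)\s*;/;
    my ($rev) = $opts =~ /\brev:\s*(\d+)\s*;/;
    return undef unless defined $msg && defined $sid;
    return {
        action  => $action,
        msg     => $msg,
        sid     => $sid,
        rev     => defined $rev ? $rev : '',   # empty field if rev is absent
        enabled => $enabled,
    };
}

# Quote a CSV field when it contains a delimiter, quote or newline (RFC 4180 style).
sub csv_field {
    my ($v) = @_;
    return $v unless $v =~ /[",\n]/;
    $v =~ s/"/""/g;
    return qq{"$v"};
}

# Render the ruleset as CSV; disabled rules are included only when requested.
sub rules_to_csv {
    my ($text, $include_disabled) = @_;
    my @rows = ("msg,sid,rev,enabled");
    for my $line (logical_lines($text)) {
        my $r = parse_rule($line) or next;
        next if !$r->{enabled} && !$include_disabled;
        push @rows, join(',', csv_field($r->{msg}), $r->{sid}, $r->{rev}, $r->{enabled});
    }
    return join("\n", @rows) . "\n";
}

print rules_to_csv($sample_rules, 1);
```

Run as-is it prints four data rows for the constructed sample: the continued rule appears as one row with its msg quoted because of the comma, the disabled rule is listed with enabled=0, and the rule without a rev option gets an empty rev field rather than shifting the columns. Pass 0 as the second argument to rules_to_csv to list only enabled signatures, which matches the original script's intent.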
Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
    Sweet, worked great. Thanks!