Snort IDS signature parser

by semio (Friar)
on Jun 24, 2002 at 00:50 UTC
Category: Text Processing
Author/Contact Info Dave K, davk@comcast.net
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS, e.g. a listing of sigs contained in all .rules files, as well as some general information for each, such as the signature id and signature revision number. I created one large file on the IDS called allrules and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
#!/usr/bin/perl -w

use strict;

my (@lines, @clean, $sig);
my $allrules  = "allrules";   # concatenation of every enabled .rules file
my $pigsigs   = "pigsigs";    # output: one "msg,sid,rev" record per line
my $delimiter = ",";

# Parenthesised open: without them "$allrules || die" binds first and the
# die can never fire; $! (not $1) carries the OS error text.
open(ALLRULES, '<', $allrules) || die "Could not open file $allrules: $!\n";
while (<ALLRULES>) {
    push(@lines, $_);
}
close(ALLRULES);

foreach $sig (@lines) {
    # Skip commented-out (disabled) rules.
    if ($sig =~ /^#/) {
        next;
    }
    # Rule message: the first quoted string on the line.
    if ($sig =~ m/(\".*?\")/) {
        push(@clean, ($1, $delimiter));
    }
    # Signature id.
    if ($sig =~ m/(sid:.*?;)/) {
        push(@clean, ($1, $delimiter));
    }
    # Signature revision; terminates the record.
    if ($sig =~ m/(rev:.*?;)/) {
        push(@clean, ($1, "\n"));
    }
}

# Open the output once, not once per field, then strip the quotes,
# option names and semicolons from every collected fragment.
open(PIGSIGS, '>>', $pigsigs) || die "Could not open file $pigsigs: $!\n";
foreach (@clean) {
    s/\"|sid:|rev:|;//g;
    print PIGSIGS $_;
}
close(PIGSIGS);
Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
    Sweet, worked great. Thanks!