Snort IDS signature parser

by semio (Friar)
on Jun 24, 2002 at 00:50 UTC (#176657)
Category: Text Processing
Author/Contact Info: Dave K
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS, e.g. a listing of sigs contained in all .rules files, as well as some general information for each, such as the signature id and signature revision number. I created one large file on the IDS called allrules and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
#!/usr/bin/perl -w

use strict;

my $allrules  = "allrules";
my $pigsigs   = "pigsigs";
my $delimiter = ",";

# Note the parentheses and "or": the original "open ALLRULES, $allrules || die ..."
# bound || to $allrules, so a failed open was never reported; $! carries the error.
open(ALLRULES, "<",  $allrules) or die "Could not open file $allrules: $!\n";
open(PIGSIGS,  ">>", $pigsigs)  or die "Could not open file $pigsigs: $!\n";

while (my $sig = <ALLRULES>) {
    # A rule commented out with '#' is disabled in Snort, so it is skipped.
    next if $sig =~ /^\s*#/;

    # The first quoted string in a rule is normally the msg. A rule lacking any
    # of msg, sid or rev is skipped, as the original's nested tests did.
    next unless $sig =~ /(\".*?\")/;
    my $msg = $1;
    next unless $sig =~ /(sid:.*?;)/;
    my $sid = $1;
    next unless $sig =~ /(rev:.*?;)/;
    my $rev = $1;

    print PIGSIGS join($delimiter, $msg, $sid, $rev), "\n";
}

close(ALLRULES);
close(PIGSIGS);
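As an added example (not part of semio's post), here is the same inventory in Python with a proper parse of the Snort rule option syntax: options are split on ';' while honouring quotes and backslash escapes (a literal '\;' inside content: would otherwise cut the rule short), a '#'-prefixed rule is treated as disabled rather than ignored, and the output is written with the csv module so a comma inside a msg does not corrupt the msg,sid,rev columns. The allrules content below is a constructed sample.

```python
import csv
import io
# Constructed sample "allrules": a comment, two enabled rules (one with a comma in msg
# and an escaped ';' in content), one disabled rule, and an enabled rule without rev.
SAMPLE_RULES = r'''
# comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example, with comma"; flow:to_server,established; content:"/cgi-bin/x\;y"; sid:1000001; rev:2; classtype:web-application-attack;)
#alert udp any any -> any 53 (msg:"DNS disabled example"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP example"; sid:1000003; rev:5;)
alert tcp any any -> any 25 (msg:"SMTP example without rev"; sid:1000004;)
'''

def split_options(body):
    """Split the rule option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if not escape and ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        if not escape and ch == '"':
            in_quote = not in_quote
        escape = (ch == '\\') and not escape
        cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts

def parse_rule(line):
    """Return (enabled, msg, sid, rev) for a rule line, or None for anything else."""
    text = line.strip()
    enabled = not text.startswith('#')  # a '#'-prefixed rule is disabled, not absent
    text = text.lstrip('#').strip()
    start, end = text.find('('), text.rfind(')')
    if not text[:1].isalpha() or start < 0 or end < start:
        return None  # blank line or plain comment, not a rule
    fields = {'msg': '', 'sid': '', 'rev': ''}
    for opt in split_options(text[start + 1:end]):
        key, _, val = opt.partition(':')
        if key.strip() in fields:
            fields[key.strip()] = val.strip().strip('"')
    return enabled, fields['msg'], fields['sid'], fields['rev']

def enabled_sigs_csv(rules_text):
    """CSV rows msg,sid,rev for enabled rules; csv quoting keeps commas in msg intact."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator='\n')
    for line in rules_text.splitlines():
        if (parsed := parse_rule(line)) and parsed[0]:
            writer.writerow(parsed[1:])
    return out.getvalue()
```

Unlike the Perl script, a rule with no rev option is still listed, with an empty third column, so missing revisions are visible in the inventory instead of silently dropped.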
Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
Sweet, worked great. Thanks!