Snort mailing list archives

snortpp: Tired of your snort crashing on rules?


From: Dragos Ruiu <dr () kyx net>
Date: Thu, 26 Jul 2001 19:21:10 -0700

Well I might have a little trick for you here.....

I was trying to build some distributed rules autoupdating, but I didn't want to
take any chances on crashing a remote node with a bogus rules file.
I figured a nice way to do this was a rule preprocessor for snort that
merged rules files and cleaned them up so snort (hopefully) won't puke...

So I spent some time building a (hopefully) more bulletproof rules parser for
snort.  The attached snortpp program does a couple of things:

-It deals with missing fields and takes some guesses where it can figure
  things out (like missing port numbers on ICMP and other rules)
-It tries to be a little more descriptive and give a little more handholding 
  on error messages as well as attempting to never dump core on _any_ input
-It merges multiple rules files together and strips out duplicate rules
-When duplicate rule IDs are found it uses the rule with the highest rev level 
-It strips out preprocessor configuration directives from files
-It checks for the proper formatting on IP addresses and fills in missing blanks
-It makes sure all keywords are terminated properly
-It forces valid rule and protocol types
-It removes duplicate variable definitions
-It removes quotes around variables (newbie check)
-It puts all the variable definitions in one section for easy editing
-It flags and removes any undefined variable references
-It puts all the ruletype definitions together and checks them for syntax
-It dereferences and merges all included files into one output file
-It outputs the rules sorted by snort ID
-It checks that only valid rule types and protocols are used
-It cleans up spacing
-It probably does some other stuff too, but I've been staring at goofy
  parser errors for far too long and I probably forgot.

How to use this....

Build it by unpacking splay.c and snortpp.c to a directory.
Compile it with cc -o snortpp snortpp.c

Usage:

snortpp takes a list of files on the command line and outputs to stdout
a cleaned up merged file.

To output to a file instead use the option: -o <filename>
To read in from stdin in the list of input files use the special filename "-"

Errors and diagnostics go to stderr; redirect them with 2> <filename>

A recommended way to set this up is to build yourself a snort.conf
file with your local preprocessor configuration directives and have
it include the unified snortpp output file. In this way you can set
up autoupdating of rule signatures with snortpp and a cron job.

That's it....

Caveats.... I've tried to test it with all the messed up ruletypes I could
think of and make it as intelligent as I could about guessing how to clean up
those errors, but I'm sure I haven't thought of all of them.  Please feel free
to e-mail me with complaints, rules mistakes snortpp messed up, or
enhancement suggestions.

The file of messed up rules I've been using to test this is also 
attached, and if you are curious as to what it does in various
rules situations you can test this by using:

snortpp ruletest 2>&1 | more

Enjoy... and as usual please send me your coredumps and
complaints. If you do get snort to coredump or otherwise
complain about the output from snortpp please let me know.
Now, bout those defraggers....

cheers,
--dr

Attachment: snortpp.c
Attachment: ruletest
Attachment: splay.c
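The core of the merge logic the feature list above describes (duplicate sids resolved in favour of the highest rev, variable definitions collected and de-quoted, preprocessor directives stripped, undefined variable references flagged and dropped, output sorted by sid), written out as an added Python example; it is not snortpp's own code, and the two rule "files", their variables and sids are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: two rule files as they might be fed to snortpp.
FILE_A = """\
var EXTERNAL_NET any
var HOME_NET "10.0.0.0/8"
preprocessor frag2
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; sid:1002; rev:1;)
alert icmp   $EXTERNAL_NET any ->  $HOME_NET any (msg:"ICMP test"; sid:1001; rev:2;)
"""
FILE_B = """\
var HOME_NET 10.0.0.0/8
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test v2"; sid:1002; rev:3;)
alert tcp $EXTERNAL_NET any -> $BOGUS_NET 22 (msg:"undefined var"; sid:1003; rev:1;)
"""

# Each rule option must be 'keyword:value;' terminated by a semicolon.
OPT_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')

def merge_rules(*files: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (variables, rules sorted by sid, diagnostics)."""
    variables: Dict[str, str] = {}
    by_sid: Dict[int, Tuple[int, str]] = {}   # sid -> (rev, rule line)
    diags: List[str] = []
    for text in files:
        for line in text.splitlines():
            line = " ".join(line.split())          # clean up spacing
            if not line or line.startswith("#"):
                continue
            if line.startswith(("preprocessor ", "config ")):
                continue                           # local config, not a rule
            if line.startswith("var "):
                _, name, value = line.split(None, 2)
                # first definition wins; quotes around the value are stripped
                variables.setdefault(name, value.strip('"'))
                continue
            opts = dict(OPT_RE.findall(line))
            try:
                sid, rev = int(opts["sid"]), int(opts.get("rev", 0))
            except (KeyError, ValueError):
                diags.append(f"skipped rule without a valid sid: {line}")
                continue
            if sid not in by_sid or rev > by_sid[sid][0]:
                by_sid[sid] = (rev, line)          # highest rev wins
    rules: List[str] = []
    for sid in sorted(by_sid):
        rev, line = by_sid[sid]
        missing = [v for v in re.findall(r'\$(\w+)', line) if v not in variables]
        if missing:
            diags.append(f"sid {sid}: undefined variable(s) {missing}, rule dropped")
            continue
        rules.append(line)
    return variables, rules, diags
```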
