Snort mailing list archives
snortpp: Tired of your snort crashing on rules?
From: Dragos Ruiu <dr () kyx net>
Date: Thu, 26 Jul 2001 19:21:10 -0700
Well I might have a little trick for you here..... I was trying to build some distributed rules autoupdating, but I didn't want to take any chances on crashing a remote node with a bogus rules file. I figured a nice way to do this was a rule preprocessor for snort that merged rules files and cleaned them up so snort (hopefully) won't puke... So I spent some time building a (hopefully) more bulletproof rules parser for snort.

The attached snortpp program does a couple of things:

- It deals with missing fields and takes some guesses where it can figure things out (like missing port numbers on ICMP and other rules)
- It tries to be a little more descriptive and give a little more handholding on error messages, as well as attempting to never dump core on _any_ input
- It merges multiple rules files together and strips out duplicate rules
- When duplicate rule IDs are found it uses the rule with the highest rev level
- It strips out preprocessor configuration directives from files
- It checks for the proper formatting on IP addresses and fills in missing blanks
- It makes sure all keywords are terminated properly
- It forces valid rule and protocol types
- It removes duplicate variable definitions
- It removes quotes around variables (newbie check)
- It puts all the variable definitions in one section for easy editing
- It flags and removes any undefined variable references
- It puts all the ruletype definitions together and checks them for syntax
- It dereferences and merges all included files into one output file
- It outputs the rules sorted by snort ID
- It checks that only valid rule types and protocols are used
- It cleans up spacing
- It probably does some other stuff too, but I've been staring at goofy parser errors for far too long and I probably forgot.

How to use this....

Build it by unpacking splay.c and snortpp.c to a directory. Compile it with:

    cc -o snortpp snortpp.c

Usage: snortpp takes a list of files on the command line and outputs to stdout a cleaned up merged file.
To output to a file instead use the option: -o <filename>

To read in from stdin in the list of input files use the special filename "-"

Errors and diagnostics go to stderr; redirect with 2><filename>

A recommended way to set this up is to build yourself a snort.conf file with your local preprocessor configuration directives and have it include the unified snortpp output file. In this way you can set up autoupdating of rule signatures with snortpp and a cron job.

That's it....

Caveats....

I've tried to test it with all the messed up ruletypes I could think of and make it as intelligent as I can about guessing how to clean up those errors, but I'm sure I haven't thought of all of them. Please feel free to e-mail me with complaints, rules mistakes snortpp messed up, or enhancement suggestions.

The file of messed up rules I've been using to test this is also attached, and if you are curious as to what it does in various rules situations you can test this by using:

    snortpp ruletest 2>&1 | more

Enjoy... and as usual please send me your coredumps and complaints. If you do get snort to coredump or otherwise complain about the output from snortpp please let me know.

Now, 'bout those defraggers....

cheers,
--dr
Attachments:
- snortpp.c
- ruletest
- splay.c
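The cleanup steps the post lists (collapsing variable definitions into one section and dequoting them, stripping preprocessor directives, dropping rules that reference undefined variables, rejecting invalid rule types and protocols, keeping the highest rev when a sid appears more than once, and emitting the merged file sorted by sid) are straightforward to express as a two-pass parser. The Python below is an added illustration written for this page; it is not snortpp's own code (that was C, attached to the post, and also handled IP-address repair, missing ports and custom ruletypes, which this sketch does not). The two rule files, the variable and rule regexes, and the set of recognised actions and protocols are all constructed for the example.

```python
"""Merge and sanitize Snort rule files: an added sketch of the snortpp idea."""
import re
import sys

# Constructed sample input (not a real rule set). The two files show the
# defects the post talks about: a quoted variable, a duplicate variable, a
# preprocessor directive sitting in the rules, an undefined variable reference,
# sloppy spacing, an invalid rule action, and one sid with two rev levels.
SAMPLE_FILES = [
    ("local.rules", """\
var HOME_NET "192.168.1.0/24"
var EXTERNAL_NET any
preprocessor frag2
preprocessor stream4: detect_scans
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; content:"/foo"; sid:1000001; rev:1;)
alert   icmp $EXTERNAL_NET any  ->  $HOME_NET any (msg:"ICMP test"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP undefined var"; sid:1000003; rev:1;)
"""),
    ("update.rules", """\
var HOME_NET 192.168.1.0/24
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one"; content:"/foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test one, fixed"; content:"/foo/bar"; sid:1000001; rev:2;)
blah tcp any any -> any any (msg:"bad action"; sid:1000004; rev:1;)
"""),
]

# Assumed vocabulary for this sketch (Snort 1.x built-in actions and protocols).
VALID_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
VALID_PROTOS = {"tcp", "udp", "icmp", "ip"}
CONFIG_PREFIXES = ("preprocessor ", "config ", "output ")
VAR_RE = re.compile(r"^var\s+(\w+)\s+(.+)$")
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
REF_RE = re.compile(r"\$(\w+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def merge_rules(files):
    """files: list of (name, text). Returns (variables, rules_by_sid, diagnostics).

    variables:    dict name -> value; first definition wins, quotes stripped.
    rules_by_sid: dict sid -> (rev, normalised rule line); highest rev kept.
    diagnostics:  one message per line that was changed or dropped (stderr material).
    """
    variables, candidates, diagnostics = {}, [], []
    # Pass 1: collect variables and set rules aside. A variable may be defined
    # in a later file than the rule that uses it, so references are checked in pass 2.
    for name, text in files:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = " ".join(raw.split())  # clean up spacing
            if not line or line.startswith("#"):
                continue
            if line.startswith(CONFIG_PREFIXES):
                diagnostics.append(f"{name}:{lineno}: dropped configuration directive: {line}")
                continue
            m = VAR_RE.match(line)
            if m:
                var, value = m.group(1), m.group(2).strip("\"'")  # newbie check: dequote
                if var in variables:
                    diagnostics.append(f"{name}:{lineno}: duplicate definition of {var} removed")
                else:
                    variables[var] = value
                continue
            candidates.append((name, lineno, line))

    # Pass 2: validate each rule against the now-complete variable table.
    rules_by_sid = {}
    for name, lineno, line in candidates:
        m = HEADER_RE.match(line)
        if not m:
            diagnostics.append(f"{name}:{lineno}: unparseable rule dropped: {line}")
            continue
        action, proto, opts = m.group(1), m.group(2), m.group(8)
        if action not in VALID_ACTIONS or proto not in VALID_PROTOS:
            diagnostics.append(f"{name}:{lineno}: invalid rule type or protocol '{action} {proto}', dropped")
            continue
        undefined = [v for v in REF_RE.findall(line) if v not in variables]
        if undefined:
            diagnostics.append(f"{name}:{lineno}: undefined variable(s) {undefined}, rule dropped")
            continue
        sid_m = SID_RE.search(opts)
        if not sid_m:
            diagnostics.append(f"{name}:{lineno}: rule has no sid, dropped")
            continue
        sid = int(sid_m.group(1))
        rev_m = REV_RE.search(opts)
        rev = int(rev_m.group(1)) if rev_m else 0
        if sid in rules_by_sid and rules_by_sid[sid][0] >= rev:
            diagnostics.append(f"{name}:{lineno}: duplicate sid {sid} rev {rev} dropped")
            continue
        if sid in rules_by_sid:
            diagnostics.append(f"{name}:{lineno}: sid {sid} rev {rev} replaces rev {rules_by_sid[sid][0]}")
        rules_by_sid[sid] = (rev, line)
    return variables, rules_by_sid, diagnostics


def render(variables, rules_by_sid):
    """Emit the merged file: one variable section first, then rules sorted by sid."""
    out = ["# variables"] + [f"var {k} {v}" for k, v in variables.items()]
    out += ["# rules"] + [rules_by_sid[sid][1] for sid in sorted(rules_by_sid)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    variables, rules, diags = merge_rules(SAMPLE_FILES)
    sys.stdout.write(render(variables, rules))      # merged rules to stdout
    sys.stderr.write("\n".join(diags) + "\n")        # diagnostics to stderr, as snortpp does
```

Run as a script it prints the merged file to stdout and the diagnostics to stderr, mirroring the post's `2>&1 | more` workflow. On the constructed input only two rules survive: sid 1000001 at rev 2 (the rev 1 copies in both files are dropped) and the ICMP rule; the SMTP rule is rejected for referencing `$SMTP_SERVERS`, which no file defines, and the `blah` rule for its invalid action. The point for an auto-update pipeline is that every rejection is a logged decision rather than a crash on the remote sensor.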
Current thread:
- snortpp: Tired of your snort crashing on rules? Dragos Ruiu (Jul 26)
- <Possible follow-ups>
- RE: snortpp: Tired of your snort crashing on rules? Dragos Ruiu (Jul 27)