Snort mailing list archives
My ruleset differ/merg0r :-)
From: Edwin Eefting <edwin () bit nl>
Date: Tue, 8 Jan 2002 14:04:43 +0100 (CET)
Hello there,

It seems there still isn't a good rulemerging tool for snort rulefiles. I already created a rulemerger for use with the mysql database of demarc, so I decided to create a variant that can process rules from stdin.

Download it at http://iowa.bit.nl/scripts/merger1-1-0.tar.gz

The source code is quite clean and readable, so it's easy to adjust to your needs.

The program can update a snort configuration file with new rules, and it leaves the existing rules intact. Non-existing rules will also be added to a special section. The msg:"" part of a rule stays intact at all times (even when it's updated). So the program should be pretty flexible.

Hopefully my contribution helps the snort-project a little bit. :)

Edwin Eefting

On Tue, 8 Jan 2002 13:23:44 +0100 Wolfgang Rohdewald <wr6 () uni de> wrote:
> On Tuesday 08 January 2002 10:45, Lars Jørgensen IT wrote:
> > Hi!
> >
> > I am currently writing a script for automatic download of new rulefiles, unpacking and diffing against my current sets. Of course, diff catches my changes to the rulesets, which is okay, but I would like it not to catch rules I have commented out.
> >
> > I've been banging my head against diff's "-I" switch for some time now. According to docs I can find around the net, this should work:
> >
> >     diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules
> >
> > But I get the output below, which is exactly what I don't want to see. Can anybody help me?
> >
> >     17,21c17,21
> >     < alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
> >     ---
> >     # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
>
> Why don't you do
>
>     cat /etc/snort/rules | sed 's/# alert /alert /' > myrules
>     diff dns.rules myrules
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
            __________________
   /\   ___/  Edwin Eefting
  /- \ _/     Business Internet Trends BV
 /--- \/      __________________
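
Added example (not part of the original posts and not the merger tool announced above): GNU diff's -I option suppresses a hunk only when every changed line in it matches the expression, so an active rule paired with its commented-out copy is still reported. The Python below compares and merges two rule files while ignoring comment state; the rule files are constructed samples, the function names are hypothetical, and it assumes one rule per line ending in an option block.

```python
import re

# A single-line rule, optionally commented out ("# alert ..."); plain comments do not match.
RULE_RE = re.compile(r"^\s*(#\s*)?((?:alert|log|pass|activate|dynamic)\s.*\))\s*$")

def parse_rules(text):
    """Map rule text -> True if enabled, False if commented out."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(2)] = m.group(1) is None
    return rules

def compare(upstream_text, local_text):
    """Report real differences, ignoring whether a rule is commented out."""
    up, local = parse_rules(upstream_text), parse_rules(local_text)
    return {
        "new_upstream": [r for r in up if r not in local],
        "local_only": [r for r in local if r not in up],
        "disabled_locally": [r for r in up if up[r] and local.get(r) is False],
    }

def merge(upstream_text, local_text):
    """Upstream rules with local disable decisions kept; local-only rules appended."""
    up, local = parse_rules(upstream_text), parse_rules(local_text)
    out = [r if on and local.get(r, True) else "# " + r for r, on in up.items()]
    extra = [r if local[r] else "# " + r for r in local if r not in up]
    if extra:
        out += ["# --- local-only rules ---"] + extra
    return "\n".join(out) + "\n"

# Constructed sample rule files (not real Snort signatures).
UPSTREAM = '''\
# DNS rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns A"; content:"AAAA";)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns B"; content:"BBBB";)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns C"; content:"CCCC";)
'''
LOCAL = '''\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns A"; content:"AAAA";)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns B"; content:"BBBB";)
alert tcp $HOME_NET any -> any 6667 (msg:"EXAMPLE site rule"; content:"ZZZZ";)
'''

if __name__ == "__main__":
    for kind, rules in compare(UPSTREAM, LOCAL).items():
        print(kind, *rules, sep="\n  ")
    print(merge(UPSTREAM, LOCAL), end="")
```

Rules that differ only by trailing whitespace or comment state compare as equal; any other textual change is reported as a new or local-only rule.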