RE: snortpp: Tired of your snort crashing on rules?

[Dragos Ruiu <dr () kyx net>]

Hmmm...  I was just playing around with that, meant to take it out....  here
is a version with fgetln removed and using only fgets...

(you only have to change the fgetln call to fgets(rulebuf,1024,fd)
and get rid of the copy from buf to rulebuf...)

for Linux....  and every other unix... I hope I've only used posix calls...

cheers,
--dr


On Fri, 27 Jul 2001, you wrote:
> Thanks for taking time to develop and release this.  It sounds like a great
> tool.  I'm guessing you build on a BSD-type platform, as Linux does not
> appear to have the fgetln() routine in its standard libraries.  I could
> probably hack (and break!) your code by replacing it with fgets(), but I
> wanted to ask if you know where this function library can be found for
> Linux?  Thanks.
>
> Frank
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Dragos Ruiu
> Sent: Thursday, July 26, 2001 22:21
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] snortpp: Tired of your snort crashing on rules?
>
>
> Well I might have a little trick for you here.....
>
> I was trying to build some distributed rules autoupdating, but I didn't want
> to
> take any chances on crashing a remote node with a bogus rules file.
> I figured a nice way to do this was a rule preprocessor for snort that
> merged rules files and cleaned them up so snort (hopefully) won't puke...
>
> So I spent some time building a (hopefully) more bulletproof rules parser
> for
> snort.  The attached snortpp program does a couple of things:
>
> -It deals with missing fields and takes some guesses where it can figure
>   things out (like missing port numbers on ICMP and other rules)
> -It tries to be a little more descriptive and give a little more handholding
>   on error messages as well as attempting to never dump core on _any_ input
> -It merges multiple rules files together and strips out duplicate rules
> -When duplicate rule IDs are found it uses the rule with the highest rev
> level
> -It strips out preprocessor configuration directives from files
> -It checks for the proper formatting on IP addresses and fills in missing
> blanks
> -It makes sure all keywords are terminated properly
> -It forces valid rule and protocol types
> -It removes duplicate variable definitions
> -It removes quotes around variables (newbie check)
> -It puts all the variable definitions in one section for easy editing
> -It flags and removes any undefined variable references
> -It puts all the ruletype definitions together and checks them for syntax
> -It dereferences and merges all included files into one output file
> -It outputs the rules sorted by snort ID
> -It checks that only valid rule types and protocols are used
> -It cleans up spacing
> -It probably some other stuff too but I've been staring at goofy
>   parser errors for far too long and I probably forgot.
>
> How to use this....
>
> Build it by unpacking splay.c and snortpp.c to a directory.
> Compile it with cc -o snortpp snortpp.c
>
> Usage:
>
> snortpp takes a list of files on the command line and outputs to stdout
> a cleaned up merged file.
>
> To output to a file instead use the option: -o <filename>
> To read in from stdin in the list of input files use the special filename
> "-"
>
> Errors and diagnostics go to stderr, redirect with 2><filename>
>
> A recommended way to set this up is to build yourself a snort.conf
> file with your local preprocessor configuration directives and have
> it include the unified snortpp output file. In this way you can set
> up autoupdating of rule signatures with snortpp and a cron job.
>
> That's it....
>
> Caveats.... I've tried to test it with all the messed up ruletypes I could
> think of and make it as intelligent about guessing how to clean up those
> errors, but I'm sure I haven't thought of all of them.  Please feel free to
> e-mail me with complaints, rules mistakes snortpp messed up, or
> enhancement suggestions.
>
> The file of messed up rules I've been using to test this is also
> attached, and if you are curious as to what it does in various
> rules situations you can test this by using:
>
> snortpp ruletest 2>&1 | more
>
> Enjoy... and as usual please send me your coredumps and
> complaints. If you do get snort to coredump or otherwise
> complain about the output from snortpp please let me know.
> Now, bout those defraggers....
>
> cheers,
> --dr
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

Attachment: snortpp.c
Description: