Snort mailing list archives

RE: Diff'ing rulesets

From: "Andy Wood" <network.design () home com>
Date: Tue, 8 Jan 2002 10:47:18 -0500

Hope this help, as I might be butchering things a little....I'm new to
scripting.  

Try this:  Remove all commented, non-rule, lines from the rules file,
I.e. the info lines at the top (created by, description)

Example 'current.rules' file
#alert { this rule sucks }
alert { this rule stays }

Example 'new.rules' file
alert { this rule sucks }
alert { latest greatest rule }

Merge Script ( I warned you this was bastardized )
---------------------------------------------------------
#!/bin/sh

cat current.rules | grep \#alert | sed 's/#//' > current_mod.rules

diff -b current_mod.rules new.rules | awk '/>/' | \
        awk 'BEGIN { FS = ">" } { print $2 }'` >> current.rules.new

cat current.rules.new | sed 's/^ //' > current.rules
rm -f current.rules.new current_mod.rules
 
---------------------------------------------------------

I think this will work.....it worked here.

Andy




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lars
Jørgensen IT
Sent: Tuesday, January 08, 2002 4:46 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Diff'ing rulesets


Hi!

I am currently writing af script for automatic download of new
rulefiles, unpacking and diffing against my current sets. Of course,
diff catches my changes to the rulesets, which is okay, but I would like
it not to catch rules I have commented out.

I've been banging my head against diff's "-I" switch for some time now.
According to docs I can find around the net, this should work:

diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules 

But I get the output below, which is exacly what I don't want to see.
Can anybody help me?

17,21c17,21
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";
classtype:attempted-admin; sid:262; rev:1;) < alert tcp $EXTERNAL_NET
any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";
classtype:attempted-admin; sid:264; rev:1;) < alert tcp $EXTERNAL_NET
any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux
ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";
classtype:attempted-admin; sid:265; rev:1;) < alert tcp $EXTERNAL_NET
any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86
freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";
classtype:attempted-admin; sid:266; rev:1;) < alert tcp $EXTERNAL_NET
any -> $HOME_NET 53 (msg:"DNS EXPLOIT
sparc";flags: A+; content:"|90 1a c0 0f  90 02 20 08 92 02 20 0f d0 23
bf
f8|"; classtype:attempted-admin; sid:267; rev:1;)
---

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86

linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";
classtype:attempted-admin; sid:262; rev:1;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86

linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";
classtype:attempted-admin; sid:264; rev:1;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 
linux

ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";
classtype:attempted-admin; sid:265; rev:1;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86

freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";
classtype:attempted-admin; sid:266; rev:1;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT

sparc";flags: A+; content:"|90 1a c0 0f  90 02 20 08 92 02 20 0f d0 23
bf
f8|"; classtype:attempted-admin; sid:267; rev:1;)

I have tried "^#", "#", "..alert" and every other permutation I could
think of. There's something fundamental I'm not understanding.


-- 
Lars Jorgensen
Network Administrator
A/S Dagbladet Politiken
tel. +45 3347 2965 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.313 / Virus Database: 174 - Release Date: 1/2/2002
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.313 / Virus Database: 174 - Release Date: 1/2/2002
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Diff'ing rulesets Lars Jørgensen IT (Jan 08)
- RST.B / EGP Ian Cudlip (Jan 08)
  - Re: RST.B / EGP Ryan Russell (Jan 08)
- Re: Diff'ing rulesets Wolfgang Rohdewald (Jan 08)
  - My ruleset differ/merg0r :-) Edwin Eefting (Jan 08)
- RE: Diff'ing rulesets Andy Wood (Jan 08)
  - Re: Diff'ing rulesets Chr. v. Stuckrad (Jan 08)