Snort mailing list archives
RE: Diff'ing rulesets
From: "Andy Wood" <network.design () home com>
Date: Tue, 8 Jan 2002 10:47:18 -0500
Hope this helps, as I might be butchering things a little....I'm new to scripting. Try this:

Remove all commented, non-rule lines from the rules file, i.e. the info lines at the top (created by, description).

Example 'current.rules' file
#alert { this rule sucks }
alert { this rule stays }

Example 'new.rules' file
alert { this rule sucks }
alert { latest greatest rule }

Merge Script ( I warned you this was bastardized )
---------------------------------------------------------
#!/bin/sh
# Pull every rule line out of current.rules and strip the leading "#" from the
# commented-out ones, so a rule you disabled compares equal to the same rule in
# new.rules instead of showing up as new.
grep 'alert' current.rules | sed 's/^# *//' > current_mod.rules
# diff prints lines found only in new.rules with a leading "> "; anchor the
# match at the start of the line so the "->" inside rule bodies is left alone.
diff -b current_mod.rules new.rules | sed -n 's/^> //p' > current.rules.new
# Append the genuinely new rules to the current ruleset
cat current.rules.new >> current.rules
rm -f current.rules.new current_mod.rules
---------------------------------------------------------
I think this will work.....it worked here.

Andy

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lars Jørgensen IT
Sent: Tuesday, January 08, 2002 4:46 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Diff'ing rulesets

Hi!

I am currently writing a script for automatic download of new rulefiles, unpacking and diffing against my current sets. Of course, diff catches my changes to the rulesets, which is okay, but I would like it not to catch rules I have commented out. I've been banging my head against diff's "-I" switch for some time now. According to docs I can find around the net, this should work:

diff --ignore-matching-lines='^#.alert' dns.rules /etc/snort/dns.rules

But I get the output below, which is exactly what I don't want to see. Can anybody help me?
17,21c17,21
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266; rev:1;)
< alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc";flags: A+; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|"; classtype:attempted-admin; sid:267; rev:1;)
---
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux";flags: A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux";flags: A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux ADMv2";flags: A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 freebsd";flags: A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc";flags: A+; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|"; classtype:attempted-admin; sid:267; rev:1;)

I have tried "^#", "#", "..alert" and every other permutation I could think of. There's something fundamental I'm not understanding.

--
Lars Jorgensen
Network Administrator
A/S Dagbladet Politiken
tel. +45 3347 2965

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users