Snort mailing list archives

Script for Updating Snort Rules


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Thu, 24 Jan 2002 15:59:21 -0600

Hi guys,

The first mail I sent was blocked by our Scanmail because of the file extension.
 
I would like to share this program, which compares an old snort rules file against
a newly downloaded snort rules file, then comments out the rule in the new rules file if it
was also commented out in your existing snort rules.

This is for snort 1.8.3.

This script was first developed by David Bouscasse. I had some errors with it,
for example when it encounters special characters like "\", grep fails on it.
But I thank David for his wonderful idea. :-)

I added lines to fix the problem. I also added a conditional statement
to verify that the line was really a rule.

I also made it in such a way that it will automatically pull the latest and
greatest snortrules.tar.gz from snort.org.

I have tested it and was happy with the output.

Usage: sh updaterule.sh [old snort dir with rules file] [temp directory, must not exist!]
Example: sh updaterule.sh /etc/snort /etc/newsnort

NOTE: You can just chmod 500 updaterule.sh if you don't like the syntax above. :-)

BTW, the file was saved using vi. So for guys using notepad in windoze, it might not
be displayed correctly. You can also grab a copy of this script at
http://promiscuous.dyndns.org/updaterule.sh.txt

Hope this helps. I am also in the process of adding this functionality to ACID.
I just don't know if I am allowed. :-)


neil camara (ronneilc () remingtonltd com) - cc{na|sa}, mcse - pgp 0x777777B2 
network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53 
        echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
              awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
-------------------------------------------------------------------------- 
                 ---o0 Statement of Confidentiality 0o--- 
The contents of this message and its attachments and subsequent additions are 
strictly confidential and proprietary and intended solely for the addressee(s) 
hereof.  If you are not the named addressee, or this message has been addressed 
to you in error, you are directed not to read, disclose, reproduce, distribute, 
disseminate or otherwise use this transmission.  Delivery of this message to 
any other person other than the intended recipient(s) is not intended in any 
way to waive privilege or confidentiality.  If you have received this transmis- 
sion in error, please alert the sender by reply e-mail; we also request that 
you immediately delete this message and its attachments, if any.


Attachment: updaterule.txt
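The merge logic the post describes, written out as an added example; this is not the attached updaterule.sh and not David Bouscasse's original. It assumes the Snort 1.8.x rule header shape (action alert/log/pass/activate/dynamic followed by protocol tcp/udp/icmp/ip) to decide whether a line "is really a rule", and it avoids the grep problem with "\" by matching rule bodies as exact strings in an awk associative array rather than as regular expressions. The two rules files and their sid numbers are constructed for the demonstration; the tarball download from snort.org is left as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example: carry "commented out" state from an old Snort rules file into a
# freshly downloaded one. Not the updaterule.sh attached to the post.
#
# To use it on real files, first fetch and unpack snortrules.tar.gz from
# snort.org as the post describes, then run:
#   carry_disabled_rules /etc/snort/snort.conf.old /tmp/newsnort/snort.conf > merged.conf

# rule_body LINE: print LINE with leading "#" and whitespace stripped, but only
# when the remainder is a Snort 1.8.x rule (action + protocol header). Prose
# comments, blank lines and var/include directives print nothing.
rule_body() {
    printf '%s\n' "$1" | awk '
        { s = $0; sub(/^[ \t]*#+[ \t]*/, "", s)
          if (s ~ /^(alert|log|pass|activate|dynamic)[ \t]+(tcp|udp|icmp|ip)[ \t]/) print s }'
}

# carry_disabled_rules OLD NEW: write NEW to stdout with every rule that was
# commented out in OLD also commented out. Lookup is an exact string match on
# the rule body, so backslashes and regex metacharacters in content:"..." are
# harmless. A rule whose text changed between releases (e.g. a new rev:) will
# not match and stays enabled, which is the sensible default: it deserves a
# fresh look before being silenced again.
carry_disabled_rules() {
    awk '
    function body(line,   s) { s = line; sub(/^[ \t]*#+[ \t]*/, "", s); return s }
    function is_rule(s) { return s ~ /^(alert|log|pass|activate|dynamic)[ \t]+(tcp|udp|icmp|ip)[ \t]/ }
    function disabled(line) { return line ~ /^[ \t]*#/ }
    # First operand (OLD): remember bodies of rules that are commented out.
    # FILENAME == ARGV[1] rather than NR == FNR so an empty OLD file cannot
    # make awk treat NEW as the first file.
    FILENAME == ARGV[1] { b = body($0); if (disabled($0) && is_rule(b)) off[b] = 1; next }
    # Second operand (NEW): comment out live rules whose body was disabled in OLD.
    { b = body($0)
      if (!disabled($0) && is_rule(b) && (b in off)) print "# " $0
      else print $0 }
    ' "$1" "$2"
}

# Constructed sample inputs (sids 900001-900004 are made up for this example).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/old.rules" <<'EOF'
# Constructed sample: the site's tuned rules file
var HOME_NET 10.0.0.0/8
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC backslash test"; content:"\\.."; sid:900001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP test"; content:"USER"; sid:900002;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test"; sid:900003;)
# this comment is not a rule
EOF

cat > "$WORK/new.rules" <<'EOF'
# Constructed sample: freshly downloaded rules file
var HOME_NET any
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC backslash test"; content:"\\.."; sid:900001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP test"; content:"USER"; sid:900002;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test"; sid:900003; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP test"; sid:900004;)
EOF

# Demo run: sid 900001 (with the backslash) comes out commented, sid 900003
# stays enabled because its text changed, everything else passes through.
carry_disabled_rules "$WORK/old.rules" "$WORK/new.rules"
```

The output goes to stdout so you can diff it against the downloaded file before installing it; commented-out rules are reintroduced with a leading "# " and all other lines, including var and include directives, are passed through untouched.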