Snort mailing list archives
Re: One liner to generate map file from rules.
From: Phil Wood <cpw () lanl gov>
Date: Tue, 27 Aug 2002 17:28:28 -0600
On Tue, Aug 27, 2002 at 01:06:43PM +0000, Dragos Ruiu wrote:
> If in doubt...
Looks like my kind of script!
> cat *rules | grep "msg:" | sed -e 's/^.*msg:\"//' | sed -e 's/\"\;.*sid:/%/' | sed -e 's/\;.*$/ || /' | awk -F'%' ' { print $2 $1 }' >sid-msg.map
Using 1.9 rules I had to do this (following the cat|grep|sed|awk approach):

===============================================================================
#!/bin/sh
# makemap
# usage:
#   % cat *.rules | makemap > /tmp/sid-msg.map
#
# keep only lines that carry both a msg and a sid, then normalise the
# option block so that ';' is the only separator left
egrep "msg:.*sid:" | \
sed -e 's/^.*(msg:[ "]*/msg:/' \
    -e 's/reference:[ ]*/reference:/g' \
    -e 's/"[ ]*;/;/' \
    -e 's/[ ]*)$/;end:/' \
| tr ';' '\012' \
| egrep "msg:|reference:|sid:|end:" \
| awk -F: '/msg/       {msg = $2; i = 0}
           /reference/ {ref[i++] = $2}
           /sid/       {sid = $2}
           /end/       { printf "%d || %s", sid, msg;
                         if (i > 0) while (i--) { printf " || %s", ref[i] }
                         printf "\n" }'
===============================================================================

to get this:

% cat chat.rules | makemap
540 || CHAT MSN chat access
541 || CHAT ICQ access
542 || CHAT IRC nick change
1639 || CHAT IRC DCC file transfer request
1640 || CHAT IRC DCC chat request
1729 || CHAT IRC channel join
1463 || CHAT IRC message
1789 || CHAT IRC dns request
1790 || CHAT IRC dns response
307 || CHAT IRC EXPLOIT topic overflow || bugtraq,573 || cve,CVE-1999-0672
1382 || CHAT IRC EXPLOIT Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
1631 || CHAT AIM login
1631 || CHAT AIM send message
1632 || CHAT AIM send message
1633 || CHAT AIM recieve message
> This will give you a map file from your rules. It's not pretty but it
> is short... :-) I know I could have used just one sed...but this works. :-)
>
> Cheers,
> --dr
>
> --
> dr () kyx net
> pgp: http://dragos.com/kyxpgp
> Advance CanSecWest/03 registration available: http://cansecwest.com
> "The question of whether computers can think is like the question of
> whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
>
> -------------------------------------------------------
> This sf.net email is sponsored by: OSDN - Tired of that same old
> cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
--
Phil Wood, cpw () lanl gov
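Added example, not code from either post in this thread: a small Python 3 script that produces the same "sid || msg || reference ..." lines, but walks the rule's option block character by character instead of splitting on ':' and ';' with sed/awk. That keeps a backslash-escaped quote or semicolon inside msg intact, and a reference value that itself contains a colon (url,http://...) is no longer cut off at the second ':'. The sample rules at the bottom are constructed for this example, not copied from a Snort release; only their msg and reference text mirrors the 1.9 chat.rules output above, and sid 9000001 is a placeholder in the local-rule range.

```python
#!/usr/bin/env python3
"""Build a Snort sid-msg.map from rule files (added example, not from the thread).

Instead of the grep/sed/awk pipeline, the option block "( ... )" is walked
character by character, so backslash-escaped quotes and semicolons inside
msg, and reference values that contain ':' (url,http://...), survive.
References are emitted in the order they appear in the rule.
"""
import re
import sys
from typing import Iterable, List, Optional, Tuple

# The option block is the "( ... )" that closes a rule line.
_OPTIONS_RE = re.compile(r"\((.*)\)\s*$")


def _push(options: List[Tuple[str, str]], raw: str) -> None:
    """Append one 'key:value' (or bare 'key') option to the list."""
    raw = raw.strip()
    if raw:
        key, _, value = raw.partition(":")  # split on the FIRST ':' only
        options.append((key.strip(), value.strip()))


def split_options(block: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key2:"v;2";' into (key, value) pairs.

    A ';' inside double quotes or escaped with a backslash does not end an
    option; quotes are stripped and escapes are resolved in the value.
    """
    options: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = escaped = False
    for ch in block:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            _push(options, "".join(buf))
            buf = []
        else:
            buf.append(ch)
    _push(options, "".join(buf))   # last option may lack a trailing ';'
    return options


def map_entry(rule: str) -> Optional[str]:
    """Return 'sid || msg [|| reference ...]' for one rule line, else None."""
    line = rule.strip()
    if not line or line.startswith("#"):
        return None
    match = _OPTIONS_RE.search(line)
    if not match:
        return None
    sid = msg = None
    refs: List[str] = []
    for key, value in split_options(match.group(1)):
        if key == "sid":
            sid = value
        elif key == "msg":
            msg = value
        elif key == "reference":
            refs.append(value)
    if sid is None or msg is None:  # not a complete rule (no sid or no msg)
        return None
    return " || ".join([sid, msg, *refs])


def generate_map(lines: Iterable[str]) -> List[str]:
    """Map every rule in 'lines' that has both a sid and a msg."""
    return [e for e in (map_entry(line) for line in lines) if e is not None]


# Constructed sample rules for the example; only the msg/reference text of
# the first two echoes the 1.9 chat.rules output shown in the thread.
# sid 9000001 is a placeholder in the local-rule range.
SAMPLE_RULES = r'''
# comment lines are skipped
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access"; flow:to_server,established; content:"USR "; classtype:policy-violation; sid:540; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"CHAT IRC EXPLOIT topic overflow"; flow:to_server,established; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:3;)
alert tcp any any -> any 6667 (msg:"CHAT IRC \"quoted\" word\; escaped semicolon"; reference:url,http://www.example.com/a:b; sid:9000001; rev:1;)
'''


if __name__ == "__main__":
    # Usage: makemap.py chat.rules [more.rules ...] > sid-msg.map
    # With no arguments the constructed SAMPLE_RULES are used.
    if len(sys.argv) > 1:
        source: List[str] = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                source.extend(fh)
    else:
        source = SAMPLE_RULES.splitlines()
    print("\n".join(generate_map(source)))
```

Run with no arguments to see the three constructed rules mapped, or pass rule files to build a real map. One difference from the awk version above: its "while (i--)" loop prints the last reference first, whereas this script keeps references in rule-file order, so the two references of sid 307 appear in the opposite order.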
Current thread:
- One liner to generate map file from rules. Dragos Ruiu (Aug 27)
- Re: One liner to generate map file from rules. Phil Wood (Aug 27)