Snort mailing list archives

Re: snorcenter2, Base, bleeding rules and sid-msg.map


From: Joel Esler <eslerj () gmail com>
Date: Mon, 23 May 2005 18:47:02 -0400

Marty actually recently discussed the ability to generate the
sid-msg.map upon Snort startup.  Maybe we'll see that soon!!

On 5/23/05, Wes Young <wcyoung () buffalo edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Try this out. If you run it before you restart Snort (or Barnyard), it
will create a sid-msg.map file from your rules database. I'm not that
great of a Perl scripter, but it gets the job done. I call it before
I send Barnyard a kill -HUP and it re-reads the file.

John Hally wrote:

Hello All,

I've set up the latest version of snortcenter2 with the rule_combine
script, which works great fetching Snort and Bleeding Snort rules. I did
some poking around and it doesn't look like the script handles merging
the sid-msg.maps from the two different rulesets. Which sid-msg.map is
used: the one on the BASE install, the snortcenter2 install, or the one on
the sensor(s)?

Thanks in advance!


- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCkj6c1M5o0FsrrbERApfWAJ4sfKNLW8Qd5i79xIB/jRhENdT1YQCgnBBg
WxNp8K5ap7Ed3b8x4Gs8hF4=
=L/hs
-----END PGP SIGNATURE-----


#!/usr/bin/perl
use strict;
use warnings;
use DBI;

#########################################
#       Configurations                  #
#########################################

# Database configs (fill these in for your snortcenter2 database)
my $sc_server = '';
my $sc_db = '';
my $sc_user = '';
my $sc_pass = '';
my $SIDFILE = "./etc/sid-msg.map";
#/Configs

# Write to a temp file and rename it into place at the end, so a barnyard
# that gets its HUP mid-run never reads a half-written map.
my $TMPFILE = "$SIDFILE.tmp.$$";
open(my $sids, '>', $TMPFILE) or die "Can not open $TMPFILE: $!\n";

# DBD::mysql wants key=value pairs in the DSN; a bare "$sc_db;$sc_server"
# is not parsed as a host name.
my $sc_dbh = DBI->connect("DBI:mysql:database=$sc_db;host=$sc_server", $sc_user, $sc_pass)
    or die "Couldn't connect to database: " . DBI->errstr;

# ORDER BY keeps the map stable between runs, so diffs of it mean something.
my $sc_SELECT = "SELECT sid,msg FROM rules ORDER BY sid";

# If prepare fails, $sc_sth is undef, so the error is on the database handle.
my $sc_sth = $sc_dbh->prepare($sc_SELECT) or die "Couldn't prepare statement: " . $sc_dbh->errstr;
$sc_sth->execute or die "Could not execute SQL statement: " . $sc_sth->errstr;

# DBI does not guarantee ->rows for a SELECT until the rows have been
# fetched, so count them as they come back instead of testing it up front.
my $count = 0;
while (my @rules = $sc_sth->fetchrow_array) {
       my ($sid, $msg) = @rules;
       next unless defined $sid && defined $msg;
       # clean out the quotes and trim the whitespace the db gives back
       $msg =~ s/"//g;
       $msg =~ s/^\s+//;
       $msg =~ s/\s+$//;
       # sid-msg.map line format: <sid> || <msg>
       print $sids "$sid || $msg\n";
       $count++;
}

$sc_sth->finish;
$sc_dbh->disconnect or die "Failed to disconnect from the Database: " . DBI->errstr;
close($sids) or die "Can not close $TMPFILE: $!\n";

if ($count == 0) {
       # bail, shouldn't ever be seen... but just in case, leave the old map alone
       unlink $TMPFILE;
       die "No Sigs in Database\n";
}

rename($TMPFILE, $SIDFILE) or die "Can not rename $TMPFILE to $SIDFILE: $!\n";




-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
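John Hally's question about merging the sid-msg.map files from the Snort and Bleeding Snort rulesets is not answered in the thread, and Wes Young's script only covers the case where every rule already lives in one database. The following is an added example, not code from this thread and not snortcenter2's rule_combine script: it parses two sid-msg.map files in the "sid || msg || ref..." format that Snort 2.x and Barnyard read, merges them, reports any SID that both maps define with a different message, and writes the result with a temp-file-and-rename so a HUPed Barnyard never sees a half-written map. The two input maps and the output file name sid-msg.map are constructed samples, and the function names are this example's own.

```python
"""Merge two Snort sid-msg.map files into one, flagging SID collisions.

Added example for the snort-users thread on snortcenter2 and Bleeding
rules; not part of the original thread or of rule_combine.
"""
import os
import tempfile


def parse_sid_msg_map(text):
    """Return {sid: (msg, [refs])} for the contents of one sid-msg.map.

    Line format: <sid> || <msg> [|| <reference>]...
    Blank lines, '#' comments and malformed lines are skipped rather than
    aborting, so one bad line in a hand-edited map does not stop the merge.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries


def merge_maps(primary, secondary):
    """Merge two parsed maps.

    Returns (merged, conflicts). conflicts lists (sid, primary_msg,
    secondary_msg) for every SID both maps define with a different message.
    The primary map wins for those SIDs so the output is deterministic, but
    a non-empty conflict list means the two rulesets overlap and someone
    should look before deploying the result.
    """
    merged = dict(secondary)
    conflicts = []
    for sid, (msg, refs) in primary.items():
        if sid in secondary and secondary[sid][0] != msg:
            conflicts.append((sid, msg, secondary[sid][0]))
        merged[sid] = (msg, refs)
    return merged, conflicts


def format_sid_msg_map(entries):
    """Render a parsed map back to text, sorted by SID for stable diffs."""
    lines = []
    for sid in sorted(entries):
        msg, refs = entries[sid]
        lines.append(' || '.join([str(sid), msg] + refs))
    return '\n'.join(lines) + '\n'


def write_atomically(path, content):
    """Write to a temp file in the target directory, then rename over the
    target, so a reader that opens the map mid-write gets the old complete
    file rather than a truncated new one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix='.sid-msg.map.')
    with os.fdopen(fd, 'w') as fh:
        fh.write(content)
    os.replace(tmp, path)


def merge_files_text(snort_text, bleeding_text):
    """Parse, merge and render two map files given as text."""
    merged, conflicts = merge_maps(parse_sid_msg_map(snort_text),
                                   parse_sid_msg_map(bleeding_text))
    return format_sid_msg_map(merged), conflicts


# Constructed sample maps (not real rule text); note the shared SID 1000002
# and the junk line that the parser must skip.
SNORT_MAP = """\
# stock snort map (constructed sample)
1000001 || EXAMPLE local rule one || url,example.org/one
1000002 || EXAMPLE local rule two
"""
BLEEDING_MAP = """\
2000001 || BLEEDING-EDGE example rule
1000002 || EXAMPLE local rule two (bleeding copy)
garbage line without separator
"""

if __name__ == '__main__':
    out, conflicts = merge_files_text(SNORT_MAP, BLEEDING_MAP)
    for sid, a, b in conflicts:
        print('WARNING: sid %d defined twice: %r vs %r' % (sid, a, b))
    write_atomically('sid-msg.map', out)  # assumed output path
    print(out, end='')
```

Bleeding Snort allocates its SIDs in the 2000000 range precisely so they do not collide with the stock ruleset, so on a clean pair of maps the conflict list should be empty; a non-empty list usually means a local rule reused a SID, which would make BASE show the wrong message for that alert.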


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users