Snort mailing list archives
Re: snorcenter2, Base, bleeding rules and sid-msg.map
From: Joel Esler <eslerj () gmail com>
Date: Mon, 23 May 2005 18:47:02 -0400
Marty actually recently discussed the ability to generate the sid-msg.map upon Snort startup. Maybe we'll see that soon!!

On 5/23/05, Wes Young <wcyoung () buffalo edu> wrote:

try this out.. if you run it before you restart snort (or barnyard) it will create a sid-msg.map file from your rules database. I'm not that great of a perl scripter... but it gets the job done.. i call it before i send barnyard a kill -HUP and it re-reads the file...

John Hally wrote:
Hello All,
I've set up the latest version of snortcenter2 with the rule_combine script working great fetching snort and bleeding snort rules. I did some poking around and it doesn't look like the script handles merging the sid-msg.maps from the two different rulesets. What sid-msg.map is used, the one on the BASE install, snortcenter2 install, or on the sensor(s)?
Thanks in advance!

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html

#!/usr/bin/perl
use strict;
use warnings;
use DBI;

#########################################
# Configurations                        #
#########################################
# Database configs (fill these in for the snortcenter rules database)
my $sc_server = '';
my $sc_db     = '';
my $sc_user   = '';
my $sc_pass   = '';
my $SIDFILE   = "./etc/sid-msg.map";
#/Configs

open(SIDS, "> $SIDFILE") or die "Can not open sid file $SIDFILE: $!\n";

# DBD::mysql DSN takes the server as a host=... attribute
my $sc_dbh = DBI->connect("DBI:mysql:$sc_db;host=$sc_server", $sc_user, $sc_pass)
    or die "Couldn't connect to database: " . DBI->errstr;

my $sc_SELECT = "SELECT sid,msg FROM rules";

# on a failed prepare the statement handle is undef, so report the error from the db handle
my $sc_sth = $sc_dbh->prepare($sc_SELECT)
    or die "Couldn't prepare statement: " . $sc_dbh->errstr;
$sc_sth->execute
    or die "Could not execute SQL statement: " . $sc_sth->errstr;

# rows() is only meaningful for a SELECT because DBD::mysql stores the full result set by default
if ($sc_sth->rows == 0) {
    # bail, shouldn't ever be seen... but just in case...
    $sc_sth->finish;
    $sc_dbh->disconnect
        || die "Failed to disconnect from the Database: " . DBI->errstr;
    die "No Sigs in Database";
}

my @rules;
while (@rules = $sc_sth->fetchrow_array) {
    # clean out the quotes and trim the whitespace the db gives back
    $rules[1] =~ s/"//g;
    $rules[1] =~ s/^\s+//;
    $rules[1] =~ s/\s+$//;
    # sid-msg.map format: sid || msg
    print SIDS ("$rules[0] || $rules[1]\n");
}

close(SIDS);
$sc_sth->finish;
$sc_dbh->disconnect
    || die "Failed to disconnect from the Database: " . DBI->errstr;
--
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
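John's question was about merging the sid-msg.map from two rulesets, and the Perl script above regenerates one from the database. The following added example (not code from this thread or from snortcenter2/BASE) parses sid-msg.map lines, merges two maps and reports SIDs that map to different messages, since a colliding SID would mislabel alerts in BASE and barnyard; the sample maps are constructed, not real rules.

```python
# Merge sid-msg.map files and flag SID collisions.
# sid-msg.map line format: "sid || msg || reference || reference ..."
from typing import Dict, List, Tuple

Entry = Tuple[str, List[str]]  # (msg, [references])

def parse_sid_msg_map(text: str) -> Dict[int, Entry]:
    """Parse sid-msg.map text into {sid: (msg, [references])}."""
    entries: Dict[int, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip malformed lines rather than guess at them
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries

def merge_maps(*maps: Dict[int, Entry]):
    """Merge maps in order; the first map wins for a SID seen twice.
    Returns (merged, conflicts), conflicts being (sid, kept_msg, dropped_msg)
    for every SID whose message differs between inputs."""
    merged: Dict[int, Entry] = {}
    conflicts: List[Tuple[int, str, str]] = []
    for m in maps:
        for sid, (msg, refs) in m.items():
            if sid in merged:
                if merged[sid][0] != msg:
                    conflicts.append((sid, merged[sid][0], msg))
                continue
            merged[sid] = (msg, list(refs))
    return merged, conflicts

def render_sid_msg_map(entries: Dict[int, Entry]) -> str:
    """Write entries back out in sid-msg.map format, sorted by SID."""
    lines = [" || ".join([str(sid), *entries[sid][0:1], *entries[sid][1]])
             for sid in sorted(entries)]
    return "\n".join(lines) + "\n"

# Constructed sample maps (hypothetical SIDs, not from any real ruleset).
SNORT_MAP = """# stock map
1000001 || LOCAL test alert one || url,example.org/one
1000002 || LOCAL test alert two
"""
BLEEDING_MAP = """2000001 || BLEEDING-EDGE test alert || url,example.org/bleeding
1000002 || BLEEDING collided sid
"""

if __name__ == "__main__":
    merged, conflicts = merge_maps(parse_sid_msg_map(SNORT_MAP), parse_sid_msg_map(BLEEDING_MAP))
    print(render_sid_msg_map(merged), end="")
    for sid, kept, dropped in conflicts:
        print(f"WARNING: sid {sid} maps to both '{kept}' and '{dropped}'")
```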
Current thread:
- snorcenter2, Base, bleeding rules and sid-msg.map John Hally (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Joel Esler (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 24)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Joel Esler (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 23)