Snort mailing list archives

New tool: unlimited.py


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sun, 9 Mar 2014 00:20:44 -0500

First and foremost, if I am abusing snort-users mailing list
communication, please be so kind as to inform me.

Some of you who troll the mailing list may be familiar with a set of
scripts I released some time ago called "Autosnort". Autosnort is
alive, healthy and I'm still actively maintaining and improving it,
but that's not the point of this message. Today I launched another
tool called unlimited.py

https://github.com/da667/unlimited

Unlimited is a simple python script that when provided with csv data
that includes a Generator ID (GID), a SID (Snort Rule ID), the filter
type (threshold, limit, or both), what to track by (src or dst),
number of events (count), and time (in seconds) it will generate
event_filter lines for you.

Example:

1,2801,limit,src,1,3600

results in....

event_filter gen_id 1, sig_id 2801, type limit, track by_src, count 1,
seconds 3600

in plain English:

"for rule 1:2801, limit the number of events generated to only 1 event
per hour, tracked by each unique source IP address triggering this
rule."

You can then take the file generated and, using an include statement,
include it in snort.conf, much the same way include is used to tell
snort where the rule files are located. e.g.:

include /path/to/your/event_limit.conf

or whatever you chose to name the config file.

The script contains some very simple error checking, in that if a line
contains less than 6 or more than 6 values, it will notify you, tell
you which line caused the problem, and then continue processing your
csv file. This includes blank lines in your csv file. However, the
script will NOT validate that you input proper values into the csv that
will make syntactically correct event_filter statements. So if you
include a header in your csv file, unlimited will parse it, but will
NOT syntactically check that it produced a valid event_filter
statement. Put simply: no headers, and no blank lines! I've included a
sample file, test.csv that includes two valid entries so you can see
an example of the format the script expects.

Feel free to use autosnort or unlimited as you see fit. I'm always
receptive to feedback, good or bad, so if you have praise, problems,
bugs, questions, feel free to contact me. My contact information
should be all over my github repos and if not, at the very least, you
now have my e-mail address.

Cheers,

DA_667



-- 
when does reality end? when does fantasy begin?
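The conversion the post describes, written out as an added example; this is not the unlimited.py code from the repository. It keeps the described behaviour (lines without exactly 6 values are reported by line number and skipped, blank lines included) and, as an addition of this example, also checks each field so that a header row or a typo cannot produce a syntactically invalid event_filter statement.

```python
"""Turn 6-field CSV rows (gid,sid,type,track,count,seconds) into Snort
event_filter lines.  Example code, not the unlimited.py script itself."""
import csv
import io

# Values Snort accepts for the type and track fields of an event_filter.
VALID_TYPES = {"limit", "threshold", "both"}
VALID_TRACK = {"src", "dst"}


def generate_event_filters(csv_text):
    """Return (filter_lines, problems) for the CSV text given.

    Rows whose field count is not 6 are reported with their line number
    and skipped (blank rows have 0 fields and are reported the same way).
    Field validation beyond the count is an addition of this example.
    """
    filters, problems = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if len(row) != 6:
            problems.append(f"line {lineno}: expected 6 values, got {len(row)}")
            continue
        gid, sid, ftype, track, count, seconds = (f.strip() for f in row)
        bad = []
        for name, value in (("gid", gid), ("sid", sid),
                            ("count", count), ("seconds", seconds)):
            if not value.isdigit():
                bad.append(f"{name}={value!r} is not a number")
        if ftype not in VALID_TYPES:
            bad.append(f"type={ftype!r} not in {sorted(VALID_TYPES)}")
        if track not in VALID_TRACK:
            bad.append(f"track={track!r} not in {sorted(VALID_TRACK)}")
        if bad:
            problems.append(f"line {lineno}: " + "; ".join(bad))
            continue
        filters.append(
            f"event_filter gen_id {gid}, sig_id {sid}, type {ftype}, "
            f"track by_{track}, count {count}, seconds {seconds}"
        )
    return filters, problems


if __name__ == "__main__":
    # Constructed sample: a header row, one good row, a blank line, a short row.
    sample = "gid,sid,type,track,count,seconds\n1,2801,limit,src,1,3600\n\n1,2802,both\n"
    lines, errors = generate_event_filters(sample)
    print("\n".join(lines))
    print("\n".join(errors))
```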

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
