-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thats cool... Make things alot easier for barnyard users... I've been
working on incorporating it into snortcenter2 (locally) when a ruleset
is pushed down... but if snort did it on the fly... that'd be phenominal
;-) (assuming sf is doing the same for all the map files)
i might look into that code, it shouldn't be terribly hard to
incorporate, would it? just read in the snort.dag0.conf type file and,
parse for alert/pass/log and read in the msg clause... actually, it
prolly would be even easier if it was done when the rule chain was
created... no?
Only snag I can see being run into is that for users that use barnyard,
barnyard has to be restarted before snort starts writing to the files,
although the time diff is very short... snort could fire an alert on a
new rule before barnyard has the chance to re-read the new config. Maybe
building it into barnyard would be easier? (just shooting out ideas at
this point).....
Joel Esler wrote:
Marty actually recently discussed the ability to generate the
sid-msg.map upon Snort startup. Maybe we'll see that soon!!
On 5/23/05, Wes Young <wcyoung@buffalo.edu> wrote:
try this out.. if you run it before you restart snort (or barnyard)
it will create a sid-msg.map file from your rules database. I'm not that
great of a perl scripter... but it gets the job done.. i call it before
i send barnyard a kill -HUP and it re-reads the file...
John Hally wrote:
Hello All,
I've set up the latest version of snortcenter2 with the rule_combine
script working great fetching snort and bleeding snort rules. I did
some poking around and it doesn't look like the script handles merging
the sid-msg.maps from the two different rulesets. What sid-msg.map is
used, the one on the BASE install, snortcenter2 install, or on the
sensor(s)?
Thanks in advance!
--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
#!/usr/bin/perl
use strict;
use DBI;
#########################################
# Configurations #
#########################################
# Database configs
my $sc_server = '';
my $sc_db = '';
my $sc_user = '';
my $sc_pass = '';
my $SIDFILE = "./etc/sid-msg.map";
#/Configs
open(SIDS, "> $SIDFILE") or die "Can not open sid file!\n";
my $sc_dbh = DBI->connect("DBI:mysql:$sc_db;$sc_server", $sc_user,
$sc_pass) or die "Couldn't connect to database: " . DBI->errstr;
my $sc_SELECT = "SELECT sid,msg FROM rules";
my $sc_sth;
$sc_sth = $sc_dbh->prepare($sc_SELECT) or die "Couldnt prepare statment:
" . $sc_sth->errstr;
$sc_sth->execute or die "Could not execute SQL statement: " .
$sc_sth->errstr;
if ($sc_sth->rows == 0) {
#bail, shouldnt ever be seen... but just in case...
$sc_sth->finish;
$sc_dbh->disconnect || die "Failed to disconnect from the
Database: " . DBI->errstr;
die "No Sigs in Database";
}
my @rules;
while (@rules = $sc_sth->fetchrow_array) {
#clean out the quotes and trip the whitespaces the db gives back
$rules[1] =~ s/"//g;
$rules[1] =~ s/^\s+//;
$rules[1] =~ s/\s+$//;
print SIDS ("$rules[0] || $rules[1]\n");
}
close (SIDS);
$sc_sth->finish;
$sc_dbh->disconnect || die "Failed to disconnect the Database: " .
DBI->errstr;
- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCkyF/1M5o0FsrrbERAj8PAKCDMDhJKZJblSry7UQPmDm9NrzQvwCeJIKm
AvtbPRwStBvPYFSPOkcpmak=
=LXG6
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
