Snort mailing list archives

Re: snorcenter2, Base, bleeding rules and sid-msg.map


From: Wes Young <wcyoung () buffalo edu>
Date: Mon, 23 May 2005 16:35:40 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Try this out. If you run it before you restart snort (or barnyard)
it will create a sid-msg.map file from your rules database. I'm not that
great of a Perl scripter, but it gets the job done. I call it before
I send barnyard a kill -HUP and it re-reads the file.

John Hally wrote:

Hello All,

I've set up the latest version of snortcenter2 with the rule_combine
script working great fetching snort and bleeding snort rules.  I did
some poking around and it doesn't look like the script handles merging
the sid-msg.maps from the two different rulesets. What sid-msg.map is
used, the one on the BASE install, snortcenter2 install, or on the
sensor(s)?

Thanks in advance!


--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCkj6c1M5o0FsrrbERApfWAJ4sfKNLW8Qd5i79xIB/jRhENdT1YQCgnBBg
WxNp8K5ap7Ed3b8x4Gs8hF4=
=L/hs
-----END PGP SIGNATURE-----
#!/usr/bin/perl
# Build a sid-msg.map (one "sid || msg" line per rule) from the snortcenter
# rules table, so barnyard/BASE can label alerts after a rules update.
use strict;
use warnings;
use DBI;

#########################################
#       Configurations                  #
#########################################

# Database configs
my $sc_server = '';                 # snortcenter MySQL host
my $sc_db     = '';                 # snortcenter database name
my $sc_user   = '';
my $sc_pass   = '';
my $SIDFILE   = "./etc/sid-msg.map";
#/Configs

my $sc_dbh = DBI->connect("DBI:mysql:database=$sc_db;host=$sc_server", $sc_user, $sc_pass)
    or die "Couldn't connect to database: " . DBI->errstr;
my $sc_SELECT = "SELECT sid,msg FROM rules";

# prepare() returns undef on failure, so the error is on the database
# handle we already have, not on the (undefined) statement handle
my $sc_sth = $sc_dbh->prepare($sc_SELECT)
    or die "Couldn't prepare statement: " . $sc_dbh->errstr;
$sc_sth->execute or die "Could not execute SQL statement: " . $sc_sth->errstr;

if ($sc_sth->rows == 0) {
        # bail, shouldn't ever be seen... but just in case...
        $sc_sth->finish;
        $sc_dbh->disconnect or die "Failed to disconnect from the Database: " . DBI->errstr;
        die "No Sigs in Database";
}

# open the output only after the query succeeded, so a database error
# does not leave an empty sid-msg.map behind for barnyard to re-read
open(SIDS, "> $SIDFILE") or die "Can not open sid file $SIDFILE: $!\n";

my @rules;
while (@rules = $sc_sth->fetchrow_array) {
        # clean out the quotes and trim the whitespace the db gives back
        $rules[1] =~ s/"//g;
        $rules[1] =~ s/^\s+//;
        $rules[1] =~ s/\s+$//;
        print SIDS "$rules[0] || $rules[1]\n";
}

close(SIDS) or die "Failed to write $SIDFILE: $!\n";

$sc_sth->finish;
$sc_dbh->disconnect or die "Failed to disconnect from the Database: " . DBI->errstr;
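The question in the thread is how the sid-msg.maps of two rulesets (official snort and bleeding-edge) get merged. The script above answers it by regenerating the map from the database; the added example below, written for this archive and not part of the original post or of snortcenter2/rule_combine, shows the same job done directly on files: it pulls sid/msg pairs out of rule text, parses an existing sid-msg.map, merges the two and reports sids that both rulesets claim with different messages (a collision that makes BASE label alerts with the wrong name). It assumes the standard "sid || msg" line format (with optional "|| reference" fields, as barnyard accepts) and standard rule option syntax; the rule lines, sids and messages are constructed samples, and the "first ruleset wins on conflict" policy is an assumed choice.

```python
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Rule options we need: msg:"..." (with \" escapes allowed) and sid:NNN;
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules (sids and messages are made up for this example).
OFFICIAL_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE official rule one"; '
    'flow:to_server,established; sid:1000001; rev:1;)',
    '# alert tcp any any -> $HOME_NET 23 (msg:"SAMPLE disabled rule"; sid:1000009; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE official rule two"; sid:1000002; rev:2;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE with \\"quoted\\" word"; sid:1000003; rev:1;)',
]

# Constructed sample of a second ruleset's sid-msg.map; 1000002 deliberately
# collides with the official set to show conflict reporting.
BLEEDING_SID_MSG_MAP = """# constructed sample sid-msg.map
2000001 || SAMPLE bleeding rule one || url,example.invalid/one
1000002 || SAMPLE bleeding rule that reuses a sid
"""


def sid_msg_from_rules(rule_lines: Iterable[str]) -> Dict[int, str]:
    """Extract sid -> msg from rule text; commented-out rules are skipped."""
    out: Dict[int, str] = {}
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_sid = _SID_RE.search(line)
        m_msg = _MSG_RE.search(line)
        if not (m_sid and m_msg):
            continue
        # unescape \" inside the message, as the rule parser would
        out[int(m_sid.group(1))] = m_msg.group(1).replace('\\"', '"').strip()
    return out


def parse_sid_msg_map(lines: Iterable[str]) -> Dict[int, str]:
    """Parse 'sid || msg [|| ref ...]' lines into sid -> msg."""
    out: Dict[int, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        out[int(parts[0])] = parts[1]
    return out


def merge_sid_maps(*maps: Dict[int, str]) -> Tuple[Dict[int, str], List[Tuple[int, str, str]]]:
    """Merge maps in priority order; earlier maps win on a conflicting sid.

    Returns (merged, conflicts) where each conflict is (sid, kept_msg, dropped_msg).
    """
    merged: Dict[int, str] = {}
    conflicts: List[Tuple[int, str, str]] = []
    for m in maps:
        for sid, msg in m.items():
            if sid in merged and merged[sid] != msg:
                conflicts.append((sid, merged[sid], msg))
                continue
            merged[sid] = msg
    return merged, conflicts


def render_sid_msg_map(merged: Dict[int, str]) -> str:
    """Serialize in the 'sid || msg' format barnyard/BASE read."""
    return "".join(f"{sid} || {msg}\n" for sid, msg in sorted(merged.items()))


def build_example() -> Tuple[Dict[int, str], List[Tuple[int, str, str]]]:
    """Run the merge over the constructed samples above."""
    official = sid_msg_from_rules(OFFICIAL_RULES)
    bleeding = parse_sid_msg_map(BLEEDING_SID_MSG_MAP.splitlines())
    return merge_sid_maps(official, bleeding)


if __name__ == "__main__":
    merged, conflicts = build_example()
    sys.stdout.write(render_sid_msg_map(merged))
    for sid, kept, dropped in conflicts:
        sys.stderr.write(f"conflict: sid {sid} kept '{kept}', dropped '{dropped}'\n")
```

Conflicts are reported rather than silently overwritten so the analyst knows which alert names in BASE cannot be trusted until the sid clash in the rulesets is resolved.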
