Snort mailing list archives
Re: snorcenter2, Base, bleeding rules and sid-msg.map
From: Wes Young <wcyoung () buffalo edu>
Date: Mon, 23 May 2005 16:35:40 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Try this out. If you run it before you restart Snort (or Barnyard) it will create a sid-msg.map file from your rules database. I'm not that great of a Perl scripter, but it gets the job done. I call it before I send Barnyard a kill -HUP and it re-reads the file.

John Hally wrote:
> Hello All,
>
> I've set up the latest version of SnortCenter2 with the rule_combine script, which is working great at fetching Snort and Bleeding Snort rules. I did some poking around and it doesn't look like the script handles merging the sid-msg.maps from the two different rulesets. Which sid-msg.map is used: the one on the BASE install, the SnortCenter2 install, or on the sensor(s)?
>
> Thanks in advance!
-- 
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCkj6c1M5o0FsrrbERApfWAJ4sfKNLW8Qd5i79xIB/jRhENdT1YQCgnBBg
WxNp8K5ap7Ed3b8x4Gs8hF4=
=L/hs
-----END PGP SIGNATURE-----
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

#########################################
# Configurations                        #
#########################################
# Database configs
my $sc_server = '';
my $sc_db     = '';
my $sc_user   = '';
my $sc_pass   = '';
my $SIDFILE   = "./etc/sid-msg.map";
#/Configs

open(SIDS, "> $SIDFILE") or die "Can not open sid file!\n";

my $sc_dbh = DBI->connect("DBI:mysql:$sc_db;$sc_server", $sc_user, $sc_pass)
    or die "Couldn't connect to database: " . DBI->errstr;

my $sc_SELECT = "SELECT sid,msg FROM rules";
my $sc_sth;
# prepare() returns undef on failure, so the error text is on the
# database handle, not on the (undefined) statement handle
$sc_sth = $sc_dbh->prepare($sc_SELECT)
    or die "Couldn't prepare statement: " . $sc_dbh->errstr;
$sc_sth->execute
    or die "Could not execute SQL statement: " . $sc_sth->errstr;

if ($sc_sth->rows == 0) {
    # bail, shouldn't ever be seen... but just in case...
    $sc_sth->finish;
    $sc_dbh->disconnect
        || die "Failed to disconnect from the Database: " . DBI->errstr;
    die "No Sigs in Database";
}

my @rules;
while (@rules = $sc_sth->fetchrow_array) {
    # clean out the quotes and trim the whitespace the db gives back
    $rules[1] =~ s/"//g;
    $rules[1] =~ s/^\s+//;
    $rules[1] =~ s/\s+$//;
    # one sid-msg.map line per rule: sid || msg
    print SIDS ("$rules[0] || $rules[1]\n");
}
close(SIDS);

$sc_sth->finish;
$sc_dbh->disconnect
    || die "Failed to disconnect the Database: " . DBI->errstr;
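The question in the thread is what happens when the Snort and Bleeding sid-msg.map files are combined. The script above sidesteps that by regenerating the map from the rules table, but a plain concatenation of two map files silently lets a second ruleset reuse a SID with a different message, and BASE then labels that alert with whichever line it read last. The following is an added example, not Wes Young's script and not part of SnortCenter2 or the rule_combine script: it parses two sid-msg.map bodies in the `sid || msg [|| reference ...]` line format Barnyard reads, merges them, and reports every SID that appears in both with a different message. The two sample maps are constructed for the example; the SIDs and messages in them are made up.

```python
#!/usr/bin/env python3
"""Merge two sid-msg.map files and flag SID collisions.

Added example, not part of SnortCenter2, the rule_combine script or
the Perl script above. Works on the sid-msg.map line format that
Barnyard reads:  sid || msg [|| reference ...]
The sample maps below are constructed for the example.
"""

# Constructed sample in the style of the stock Snort map.
SNORT_MAP = """\
# Snort sid-msg.map (constructed sample)
1000001 || "EXAMPLE rule one" || url,example.org/one
1000002 || EXAMPLE rule two
1000003 ||   EXAMPLE rule three with stray whitespace
"""

# Constructed sample of a second ruleset that reuses SID 1000002 with a
# different message, which is exactly the clash a plain concatenation hides.
BLEEDING_MAP = """\
# Bleeding sid-msg.map (constructed sample)
2000001 || BLEEDING-EDGE rule A
1000002 || BLEEDING-EDGE rule B (SID clash with the first map)
2000002 || "BLEEDING-EDGE rule C"
"""


def parse_sid_msg_map(text):
    """Return {sid: (msg, [refs])} for one sid-msg.map body.

    Quotes around msg are stripped and whitespace trimmed, the same
    clean-up the Perl script does on msg pulled from the database.
    Blank lines, comments and malformed lines are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line, not a "sid || msg" pair
        sid = int(fields[0])
        msg = fields[1].strip('"')
        refs = [r for r in fields[2:] if r]
        entries[sid] = (msg, refs)
    return entries


def merge_sid_msg_maps(*maps):
    """Merge parsed maps; later maps win on a SID clash.

    Returns (merged, clashes) where clashes is a list of
    (sid, kept_msg, dropped_msg) tuples whose messages differ, so the
    operator can see which alerts the console would mislabel.
    """
    merged = {}
    clashes = []
    for m in maps:
        for sid, (msg, refs) in m.items():
            if sid in merged and merged[sid][0] != msg:
                clashes.append((sid, msg, merged[sid][0]))
            merged[sid] = (msg, refs)
    return merged, clashes


def format_sid_msg_map(entries):
    """Render a merged map back into sid-msg.map lines, sorted by SID."""
    lines = []
    for sid in sorted(entries):
        msg, refs = entries[sid]
        lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged, clashes = merge_sid_msg_maps(
        parse_sid_msg_map(SNORT_MAP), parse_sid_msg_map(BLEEDING_MAP)
    )
    for sid, kept, dropped in clashes:
        print(f"WARNING: SID {sid} defined twice: keeping '{kept}', dropping '{dropped}'")
    print(format_sid_msg_map(merged), end="")
```

Run it against the real Snort and Bleeding files (read each into a string and pass it to `parse_sid_msg_map`) before handing the merged output to Barnyard; a non-empty clash list means the two rulesets disagree on a SID and the rule, not the map, needs fixing, since the map cannot express two meanings for one SID.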
Current thread:
- snorcenter2, Base, bleeding rules and sid-msg.map John Hally (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Joel Esler (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 24)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Joel Esler (May 23)
- Re: snorcenter2, Base, bleeding rules and sid-msg.map Wes Young (May 23)