Snort mailing list archives
New tool: unlimited.py
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sun, 9 Mar 2014 00:20:44 -0500
First and foremost, if I am abusing the snort-users mailing list communication, please be so kind as to inform me. Some of you who troll the mailing list may be familiar with a set of scripts I released some time ago called "Autosnort". Autosnort is alive, healthy and I'm still actively maintaining and improving it, but that's not the point of this message.

Today I launched another tool called unlimited.py: https://github.com/da667/unlimited

Unlimited is a simple python script that, when provided with csv data that includes a Generator ID (GID), a SID (Snort Rule ID), the filter type (threshold, limit, or both), what to track by (src or dst), number of events (count), and time (in seconds), will generate event_filter lines for you.

Example:

    1,2801,limit,src,1,3600

results in:

    event_filter gen_id 1, sig_id 2801, type limit, track by_src, count 1, seconds 3600

In plain English: "for rule 1:2801, limit the number of events generated to only 1 event per hour, tracked by each unique source IP address triggering this rule."

You can then take the file generated and, using an include statement, include it in snort.conf, much the same way include is used to tell snort where the rule files are located. e.g.:

    include /path/to/your/event_limit.conf

or whatever you chose to name the config file.

The script contains some very simple error checking, in that if a line contains fewer than 6 or more than 6 values, it will notify you, tell you which line caused the problem, and then continue processing your csv file. This includes blank lines in your csv file. However, the script will NOT validate that you input proper values into the csv that will make syntactically correct event_filter statements. So if you include a header in your csv file, unlimited will parse it, but will NOT syntactically check that it produced a valid event_filter statement. Put simply: no headers, and no blank lines!
I've included a sample file, test.csv, that includes two valid entries so you can see an example of the format the script expects.

Feel free to use autosnort or unlimited as you see fit. I'm always receptive to feedback, good or bad, so if you have praise, problems, bugs, questions, feel free to contact me. My contact information should be all over my github repos and if not, at the very least, you now have my e-mail address.

Cheers,
DA_667
--
when does reality end? when does fantasy begin?
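The conversion the post describes, written out as an added example: this is not the unlimited.py script from the repository, just an independent illustration of the same csv-to-event_filter mapping. It goes one step further than the post says unlimited.py does, in that it also checks each field (integer gid/sid/count/seconds, type in threshold/limit/both, track in src/dst), so a header row or a typo is reported with its line number instead of becoming a malformed event_filter line that Snort would reject at startup. The function names and the sample csv are constructed for this example.

```python
"""Added example (not the unlimited.py script from the post): turn csv rows of
gid,sid,type,track,count,seconds into Snort event_filter lines, with the
per-field validation the post says unlimited.py does not perform."""
import csv
import io

VALID_TYPES = {"threshold", "limit", "both"}
VALID_TRACK = {"src", "dst"}


def build_event_filter(fields):
    """Validate one 6-field row and return the event_filter line.

    Raises ValueError with a reason if the row cannot produce a valid statement.
    """
    if len(fields) != 6:
        raise ValueError(f"expected 6 values, got {len(fields)}")
    gid, sid, ftype, track, count, seconds = (f.strip() for f in fields)
    if not (gid.isdigit() and sid.isdigit()):
        raise ValueError(f"gid/sid must be integers: {gid!r}, {sid!r}")
    if ftype not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}: {ftype!r}")
    if track not in VALID_TRACK:
        raise ValueError(f"track must be src or dst: {track!r}")
    if not (count.isdigit() and int(count) > 0):
        raise ValueError(f"count must be a positive integer: {count!r}")
    if not (seconds.isdigit() and int(seconds) > 0):
        raise ValueError(f"seconds must be a positive integer: {seconds!r}")
    return (f"event_filter gen_id {int(gid)}, sig_id {int(sid)}, type {ftype}, "
            f"track by_{track}, count {int(count)}, seconds {int(seconds)}")


def convert_csv(text):
    """Process csv text line by line.

    Returns (filter_lines, errors); errors is a list of (line_number, message).
    Blank lines are skipped silently; a header row fails the integer checks and
    is reported like any other bad row, and processing continues past it.
    """
    filters, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue
        try:
            filters.append(build_event_filter(row))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return filters, errors


# Constructed sample input: a header row, the post's own example, a valid
# second row, a row with only 5 values, a blank line, and a bad filter type.
SAMPLE_CSV = """gid,sid,type,track,count,seconds
1,2801,limit,src,1,3600
1,2802,both,dst,5,60
1,2803,limit,src,1

1,2804,foo,src,1,60
"""

if __name__ == "__main__":
    lines, errs = convert_csv(SAMPLE_CSV)
    for lineno, msg in errs:
        print(f"line {lineno}: skipped ({msg})")
    # Write the surviving lines to a file you then pull into snort.conf
    # with an include statement, e.g. include /path/to/your/event_limit.conf
    print("\n".join(lines))
```

Running it as written prints three skipped-line notices (the header, the 5-value row, and the `foo` type) and two event_filter lines, the first being exactly the post's `event_filter gen_id 1, sig_id 2801, type limit, track by_src, count 1, seconds 3600`.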