Snort IDS signature parser

by semio (Friar)
on Jun 24, 2002 at 00:50 UTC ( #176657=sourcecode )
Category: Text Processing
Author/Contact Info Dave K,
Description: I wanted to obtain a list of all enabled signatures on a Snort IDS e.g. a listing of sigs contained in all .rules files as well as some general information for each, such as the signature id and signature revision number. I created one large file on the IDS called allrules and wrote this script to present each signature, in a comma-delimited format, as msg, signature id, signature revision number.
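#!/usr/bin/perl -w

use strict;

my (@lines, @clean, $sig);
my $allrules = "allrules";
my $pigsigs = "pigsigs";
my $delimiter = ",";

# Read the concatenated rules file ("or" binds looser than "||", so die fires on failure)
open ALLRULES, $allrules or die "Could not open file: $!\n";
while (<ALLRULES>) {
    push (@lines, $_);
}
close (ALLRULES);

foreach $sig (@lines) {
    # Skip commented-out (disabled) rules and comment lines
    if ($sig =~ /^#/) {
        next;
    }
    # msg: the first double-quoted string in the rule
    if ($sig =~ (m/(\".*?\")/) ) {
        push (@clean,($1, $delimiter));
    }
    # Signature id, up to the terminating semicolon
    if ($sig =~ (m/(sid.*?;)/) ) {
        push (@clean,($1, $delimiter));
    }
    # Signature revision number; ends the output record
    if ($sig =~ (m/(rev:.*?;)/) ) {
        push (@clean,($1, "\n"));
    }
}

# Append the collected fields to the output file
open (PIGSIGS, ">>$pigsigs") or die "Could not open file: $!\n";
foreach (@clean) {
    print PIGSIGS $_;
}
close (PIGSIGS);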
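
An added example, not part of the original node or the author's script: a stricter take on the same msg, sid, rev extraction that anchors sid and rev to option boundaries (so the "sid" inside a msg word such as "inside" is not picked up), joins rules continued with a trailing backslash, quotes msg for CSV, and flags a sid used by more than one enabled rule. The sample rules and the names parse_rules and csv_field are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rules (not taken from a real ruleset).
my @rules = (
    'alert tcp any any -> any 80 (msg:"WEB test, inside path"; content:"/x"; sid:1000001; rev:2;)',
    '# alert tcp any any -> any 21 (msg:"FTP disabled rule"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS \"quoted\" name"; \\',
    '    content:"|00 01|"; sid:1000003; rev:5;)',
    'alert tcp any any -> any 25 (msg:"SMTP duplicate sid"; sid:1000001; rev:1;)',
);

# Return one hashref per rule: msg, sid, rev, enabled (0 for commented-out rules).
sub parse_rules {
    my @lines = @_;
    my @sigs;
    my $buf = '';
    for my $line (@lines) {
        $line =~ s/\s+$//;
        if ($line =~ s/\\$//) { $buf .= $line; next; }    # rule continues on next line
        my $rule = $buf . $line;
        $buf = '';
        my $enabled = ($rule =~ s/^\s*#+\s*//) ? 0 : 1;   # leading '#' = disabled
        # Only lines that start with a rule action and carry an option block.
        next unless $rule =~ /^(?:alert|log|pass|drop|reject|sdrop)\s.*?\((.*)\)\s*$/;
        my $opts = $1;
        # Each option must start the block or follow an unescaped ';'.
        my ($msg) = $opts =~ /(?:^|(?<!\\);)\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;/;
        my ($sid) = $opts =~ /(?:^|(?<!\\);)\s*sid\s*:\s*(\d+)\s*;/;
        my ($rev) = $opts =~ /(?:^|(?<!\\);)\s*rev\s*:\s*(\d+)\s*;/;
        next unless defined $sid;
        $msg = '' unless defined $msg;
        $msg =~ s/\\(.)/$1/g;                             # undo rule-level escapes
        push @sigs, { msg => $msg, sid => $sid, rev => $rev // '', enabled => $enabled };
    }
    return @sigs;
}

# Quote a field for CSV so commas and quotes inside msg cannot shift columns.
sub csv_field {
    my ($v) = @_;
    $v =~ s/"/""/g;
    return qq{"$v"};
}

my %seen;
for my $s (parse_rules(@rules)) {
    next unless $s->{enabled};                            # report enabled rules only
    my $note = $seen{ $s->{sid} }++ ? 'duplicate-sid' : '';
    print join(',', csv_field($s->{msg}), $s->{sid}, $s->{rev}, $note), "\n";
}
```
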
Replies are listed 'Best First'.
Re: Snort IDS signature parser
by Anonymous Monk on Nov 03, 2009 at 20:56 UTC
    sweet worked great. thanks!
