--On Tuesday, February 19, 2008 12:41:43 -0600 Derek Ragona <[EMAIL PROTECTED]> wrote:

Thanks to all who offered suggestions. Here's a working script that creates snort rules *and* a sid-msg.map file:

#!/bin/sh

# Unique values of the 9th comma-separated field are the nicks to alert on.
cut -d',' -f9 file.1 | sort -u > file.nicks

# Rules take consecutive SIDs from the local range, starting at 2000001.
i=2000001
: > file.rules
: > file-sid-msg.map
while read -r line; do
    # Snort requires content values to be double-quoted, so quote the nick too.
    echo "alert ip \$HOME_NET any -> \$EXTERNAL_NET any (sid:$i; msg:\"JOIN $line detected\"; classtype:trojan-activity; content:\"JOIN\"; content:\"$line\"; rev:1;)" >> file.rules
    # sid-msg.map lines are "<sid> || <msg>"; write each beside its rule instead
    # of cutting it back out of file.rules afterwards (which breaks on a ':' in a nick).
    echo "$i || JOIN $line detected" >> file-sid-msg.map
    i=$((i + 1))
done < file.nicks

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
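
A more defensive version of the same generator, added here as an example and not part of Paul's script: it takes the column number, base SID and file names as arguments, drops blank values, and escapes the characters Snort treats specially inside msg:"..." and content:"..." (backslash, double quote, semicolon, and the pipe that delimits hex blocks), so a nick such as ev"il;bot cannot break or alter the rule it ends up in. The file names, column 9 and base SID 2000001 are assumptions for illustration, and the sample CSV is constructed.

```shell
#!/bin/sh
# Added example, not the original poster's script: build Snort rules and a
# sid-msg.map from one CSV column, one rule per unique value, escaping the
# strings so a value containing ; " \ or | cannot break or alter the rule.
# File names, column number and base SID are illustrative assumptions.
set -eu

# Escape the characters Snort treats specially inside a quoted option
# string (msg:"..." and content:"..."): backslash, double quote, semicolon.
rule_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/;/\\;/g'
}

# content:"..." additionally uses | as the hex-block delimiter, so a
# literal pipe is written as its hex code |7C|.
content_escape() {
    rule_escape "$1" | sed 's/|/|7C|/g'
}

# gen_rules CSV FIELD BASE_SID RULES_OUT MAP_OUT
# Reads column FIELD of CSV, drops blank values, de-duplicates, and writes
# one rule per value from BASE_SID upwards plus the matching sid-msg.map line.
gen_rules() {
    csv=$1; field=$2; sid=$3; rules=$4; map=$5
    : > "$rules"
    : > "$map"
    cut -d',' -f"$field" "$csv" | sed '/^[[:space:]]*$/d' | sort -u |
    while IFS= read -r nick; do
        msg="JOIN $nick detected"
        printf 'alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"%s"; content:"JOIN"; content:"%s"; classtype:trojan-activity; sid:%d; rev:1;)\n' \
            "$(rule_escape "$msg")" "$(content_escape "$nick")" "$sid" >> "$rules"
        # sid-msg.map carries the unescaped message as "<sid> || <msg>"
        printf '%d || %s\n' "$sid" "$msg" >> "$map"
        sid=$((sid + 1))
    done
}

# Constructed sample input: field 9 carries the IRC nick, with a duplicate,
# a blank value, and a nick containing every character that needs escaping.
write_sample_csv() {
    cat > "$1" <<'EOF'
a,b,c,d,e,f,g,h,bot0ne
a,b,c,d,e,f,g,h,bot0ne
a,b,c,d,e,f,g,h,
a,b,c,d,e,f,g,h,ev"il;bot|7
a,b,c,d,e,f,g,h,zombie42
EOF
}

work=$(mktemp -d)
write_sample_csv "$work/in.csv"
gen_rules "$work/in.csv" 9 2000001 "$work/join.rules" "$work/sid-msg.map"
cat "$work/join.rules" "$work/sid-msg.map"
```

Three rules come out (sid 2000001 to 2000003, one per distinct non-blank nick); the awkward nick is emitted as content:"ev\"il\;bot|7C|7" in the rule and as plain JOIN ev"il;bot|7 detected in the map, which is how Snort expects the two to differ.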

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions