Whenever I update my Snort rules, the five SIDs listed below come back with an extra ! in front of the $DNS server variable, which stops Snort from starting. All of these SIDs live in emerging-current_events.rules.
sid:2013353
sid:2013354
sid:2013355
sid:2013358
sid:2013359
So as a workaround I have added a sed (stream editor) step to my Snort rules update script, as shown below.
root@Bodhidarmar:/store/snort/rules# cat /var/scripts/snort_update.sh
#!/bin/bash
wget -q http://www.snort.org/sub-rules/snortrules-snapshot-xxxx.tar.gz/aaabbbcccdddeeefffggghhhiiijjjkkk -O /store/snort/archive/snortrules-snapshot-xxxx.tar.gz
oinkmaster.pl -o /store/snort/rules/ -Q
echo "Now Running Serial Edit to change the Bang Dollar DNS to Dollar DNS in ET-current_event[DOT]rules"
# Edit in place with -i: redirecting sed's output back onto its own input file ("> same_file")
# truncates the file before sed reads it and leaves an empty ruleset. Single quotes keep the
# shell from expanding $DNS, and \$ makes the dollar literal inside the sed pattern.
sed -i 's/!\$DNS/$DNS/' /store/snort/rules/emerging-current_events.rules
Note: I have reduced the font size above because each command needs to stay on a single line.