When it comes to tuning IDS and customizing content for SIM, I definitely take my own medicine, or drink my own kool-aid, as it were.  Today I am working on cleaning up the Snort rules on an IDS sensor.  The rules on this sensor and the others in its group are managed via Oinkmaster.  The down side to this is that researching rules and writing Oinkmaster directives can be slow and tedious.  But here's some ugly shell script that makes it go faster.
In this example, I have decided that all of the rules related to Microsoft bulletins from 2003 do not apply to me because of patching.  This script lets me isolate sid values from rules that contain the string "bulletins/MS03-" and put them into one big comma-delimted line for pasting into my oinkmaster.conf file.
$ for b in `for a in 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do grep bulletin/MS03- *.rules | cut -d\; -f$a |grep sid; done | cut -d: -f2`; do echo -n $b,; done; echo
2253,3192,2133,2001302,2257,4822,4823,4754,4755,4824,4825,8694,8689,8690,8693,4757,4756,9021,9023,9610,9609,8696,8699,8697,8698,9608,9603,9606,9601,9602,9607,8691,8692,8688,8695,9026,9025,9618,9617,8067,8066,9022,9024,9600,9612,9614,9611,9616,9599,9615,9613,9605,9597,9598,9595,9604,9596,9423,9422,2258,4764,4797,4793,4796,4792,4761,4760,4765,3419,3412,3420,4772,4801,4805,4776,4800,4773,4768,4777,4809,4804,4813,4808,4781,4769,4812,4780,8614,8618,8616,8612,8613,4791,4758,4763,4790,4759,4795,4762,4794,8946,8972,8943,8945,8944,8970,8965,8969,
If I want to be extra anal about it and only find those sid values for rules that aren't already disabled, I can use egrep to do this:
$ for b in `for a in 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30; do egrep ^alert *.rules |grep bulletin/MS03- | cut -d\; -f$a |grep sid; done | cut -d: -f2`; do echo -n $b,; done; echo
2253,3192,2257,4822,4823,4754,4755,4824,482,8694,8690,9610,9609,8699,8697,9608,9603,9606,9601,9602,9607,8692,8695,9618,9617,8067,8066,9600,9612,9614,9611,9616,9599,9615,9613,2258,4764,4797,4793,4796,4792,4761,4760,4765,3419,3412,3420,4772,4801,4805,4800,4773,4768,4804,4769,8614,8618,8616,8612,8613,4791,4758,4763,4790,4759,4795,4762,4794,8946,8972,8943,8945,8944,8970,8965,8969,
And finally, here's some ugly shell script that will count up all of your active rules.  There's a way to do this while running Snort from the command-line as well.
$ for a in `egrep ^include /etc/snort/snort.conf |cut -d/ -f2 |grep \.rules`; do egrep ^alert $a; done |wc -l
3473
 
 
No comments:
Post a Comment