diff options
Diffstat (limited to 'config')
-rw-r--r-- | config/snort/bin/oinkmaster_contrib/README.contrib | 84 | ||||
-rw-r--r-- | config/snort/bin/oinkmaster_contrib/create-sidmap.pl | 280 |
2 files changed, 0 insertions, 364 deletions
diff --git a/config/snort/bin/oinkmaster_contrib/README.contrib b/config/snort/bin/oinkmaster_contrib/README.contrib deleted file mode 100644 index 6923fa26..00000000 --- a/config/snort/bin/oinkmaster_contrib/README.contrib +++ /dev/null @@ -1,84 +0,0 @@ -# $Id: README.contrib,v 1.21 2005/10/18 10:41:20 andreas_o Exp $ # - -------------------------------------------------------------------------------- -* oinkgui.pl by Andreas Östling <andreaso@it.su.se> - - A graphical front-end to Oinkmaster written in Perl/Tk. - See README.gui for complete documentation. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* addsid.pl by Andreas Östling <andreaso@it.su.se> - - A script that parses *.rules in all specified directories and adds a - SID to (active) rules that don't have any. (Actually, rev and classtype - are also added if missing, unless you edit addsid.pl and tune this.) The - script first looks for the current highest SID (even in inactive rules) - and starts at the next one, unless this value is below MIN_SID (defined - inside addsid.pl). By default, this value is set to 1000001 since this - is the lowest SID assigned for local usage. Handles multi-line rules. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* create-sidmap.pl by Andreas Östling <andreaso@it.su.se> - - A script that parses all active rules in *.rules in all specified - directories and creates a SID map. (Like Snort's regen-sidmap, but this - one handles multi-line rules.) Result goes to standard output which can - be redirected to a sid-msg.map file. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* makesidex.pl, originally by Jerry Applebaum but later rewritten by - Andreas Östling <andreaso@it.su.se> to handle multi-line rules and - multiple rules directories. - - It reads *.rules in all specified directories, looks for all disabled - rules and prints a "disablesid <sid> # <msg>" line for each disabled rule. - The output can be appended to oinkmaster.conf. - Useful to new Oinkmaster users. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* addmsg.pl by Andreas Östling <andreaso@it.su.se>: - - A script that will parse your oinkmaster.conf for - localsid/enablesid/disablesid lines and add their rule message as a #comment. - If your oinkmaster.conf looks like this before addmsg.pl has been run: - - disablesid 286 - disablesid 287 - disablesid 288 - - It will look something like this afterward: - - disablesid 286 # POP3 EXPLOIT x86 bsd overflow - disablesid 287 # POP3 EXPLOIT x86 bsd overflow - disablesid 288 # POP3 EXPLOIT x86 linux overflow - - addmsg.pl will not touch lines that already has a comment in them. - It's not able to handle SID lists when written like this: - disablesid 1,2,3, ... - But it should handle them if written like this: - disablesid \ - 1, \ - 2, \ - 3 - - The new config file will be printed to standard output, so you - probably want to redirect the output to a file, for example: - - ./addmsg.pl oinkmaster.conf rules/ > oinkmaster.conf.new - - If oinkmaster.conf.new looks ok, simply rename it to oinkmaster.conf. - Do NOT redirect to the same file you read from, as this will destroy - that file. -------------------------------------------------------------------------------- diff --git a/config/snort/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort/bin/oinkmaster_contrib/create-sidmap.pl deleted file mode 100644 index 26a9040c..00000000 --- a/config/snort/bin/oinkmaster_contrib/create-sidmap.pl +++ /dev/null @@ -1,280 +0,0 @@ -#!/usr/local/bin/perl -w - -# $Id: create-sidmap.pl,v 1.21 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use strict; - -sub get_next_entry($ $ $ $ $ $); -sub parse_singleline_rule($ $ $); - -# Files to ignore. -my %skipfiles = ( - 'deleted.rules' => 1, -); - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - -my $USAGE = << "RTFM"; - -Parse active rules in *.rules in one or more directories and create a SID -map. Result is sent to standard output, which can be redirected to a -sid-msg.map file. - -Usage: $0 <rulesdir> [rulesdir2, ...] - -RTFM - -my $verbose = 1; - -my (%sidmap, %config); - -my @rulesdirs = @ARGV; - -die($USAGE) unless ($#rulesdirs > -1); - -$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; - -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - - -# Read in all rules from each rules file (*.rules) in each rules dir. -# into %sidmap. -foreach my $rulesdir (@rulesdirs) { - opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); - - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - next if ($skipfiles{$file}); - - open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); - my @file = <FILE>; - close(FILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - if (defined($single)) { - - warn("WARNING: duplicate SID: $sid (discarding old)\n") - if (exists($sidmap{$sid})); - - $sidmap{$sid} = "$sid || $msg"; - - # Print all references. Borrowed from Brian Caswell's regen-sidmap script. - my $ref = $single; - while ($ref =~ s/(.*)reference\s*:\s*([^\;]+)(.*)$/$1 $3/) { - $sidmap{$sid} .= " || $2" - } - - $sidmap{$sid} .= "\n"; - } - } - } -} - -# Print results. -foreach my $sid (sort { $a <=> $b } keys(%sidmap)) { - print "$sidmap{$sid}"; -} - - - -# Same as in oinkmaster.pl. -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - } else { # non-rule line - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid or msg?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# Same as in oinkmaster.pl. -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; - } else { - return (0); - } - - return (1); - } - - return (0); -} |