Date:      Tue, 19 Feb 2008 16:04:51 -0600
From:      Paul Schmehl <pauls@utdallas.edu>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Shell scripting question - incrementing
Message-ID:  <E1138610A110F91C9EE578EA@utd59514.utdallas.edu>
In-Reply-To: <6.0.0.22.2.20080219123428.02425ec8@mail.computinginnovations.com>
References:  <B4C4A8D8DF6EFE8801895F53@utd59514.utdallas.edu> <6.0.0.22.2.20080219123428.02425ec8@mail.computinginnovations.com>

--On Tuesday, February 19, 2008 12:41:43 -0600 Derek Ragona 
<derek@computinginnovations.com> wrote:

Thanks to all who offered suggestions.  Here's a working script that creates 
snort rules *and* a sid-msg.map file:

#!/bin/sh

# Field 9 of the CSV holds the nick; keep one unique nick per line.
cut -d',' -f9 file.1 | sort -u > file.nicks

# First sid to assign, number of nicks, and the last sid that will be used.
i=2000001
j=`wc -l file.nicks | awk '{print $1}'`
k=$(( i + j - 1 ))

# One rule per nick, incrementing the sid each time. The nick is quoted
# because Snort expects the content: argument to be a quoted string.
while read -r line && [ "$i" -le "$k" ]; do
    echo "alert ip \$HOME_NET any -> \$EXTERNAL_NET any (sid:$i; msg:\"JOIN $line detected\"; classtype:trojan-activity; content:\"JOIN\"; content:\"$line\"; rev:1;)"
    i=$(( i + 1 ))
done < file.nicks > file.rules

# Build sid-msg.map ("sid || msg") from the sid: and msg: options of each rule.
cut -d':' -f2,3 file.rules | cut -d';' -f1,2 | sed 's/; msg:/ || /; s/"//g' > file-sid-msg.map

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
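The script above splices each nick straight into the rule text, so a nick containing a quote, a semicolon or the hex delimiter `|` would produce a rule Snort cannot parse (or parses differently). As an added example, not part of the post, the following Python generates the same rule shape with the nick hex-escaped, and rebuilds sid-msg.map from rule text while rejecting duplicate sids; the rule and map formats are Snort's, everything else (function names, sample nicks) is constructed here.

```python
import re

SAFE = re.compile(r'[A-Za-z0-9_.-]')  # bytes allowed literally in content:"..."

def content_escape(nick):
    """Hex-encode (|XX|) every byte of a nick that is not plainly safe, so
    ; " \\ or | in a nick cannot change the meaning of the content: option."""
    out, hexrun = [], []
    for b in nick.encode():
        if b < 128 and SAFE.match(chr(b)):
            if hexrun:
                out.append('|%s|' % ' '.join(hexrun))
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append('%02X' % b)
    if hexrun:
        out.append('|%s|' % ' '.join(hexrun))
    return ''.join(out)

def rule_for(sid, nick):
    """Same rule shape as the script above; msg is also kept free of ; " and \\."""
    msg = re.sub(r'[";\\]', '_', nick)
    return ('alert ip $HOME_NET any -> $EXTERNAL_NET any (sid:%d; '
            'msg:"JOIN %s detected"; classtype:trojan-activity; '
            'content:"JOIN"; content:"%s"; rev:1;)' % (sid, msg, content_escape(nick)))

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def sid_msg_map(rules_text):
    """Build "sid || msg" lines from rule text; a sid must name exactly one rule."""
    seen, lines = set(), []
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith('#'):
            continue
        sid, msg = SID_RE.search(rule), MSG_RE.search(rule)
        if not sid or not msg:
            raise ValueError('rule without sid or msg: %s' % rule)
        if sid.group(1) in seen:
            raise ValueError('duplicate sid %s' % sid.group(1))
        seen.add(sid.group(1))
        lines.append('%s || %s' % (sid.group(1), msg.group(1)))
    return lines

# Constructed sample nicks (not from the post); the second contains the
# hex delimiter | and would not survive the script's verbatim substitution.
SAMPLE_RULES = '\n'.join(rule_for(2000001 + n, nick)
                         for n, nick in enumerate(['bot1', 'evil|nick']))
```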