
List:       security-onion
Subject:    [security-onion] getting to know your Snort signatures
From:       jswan <sanjuanswan () gmail ! com>
Date:       2013-03-26 22:59:55
Message-ID: a121252e-14f5-4548-95f8-3f5d4b36a53f () googlegroups ! com

I'm still learning how the whole Snort/Sguil/etc ecosystem works in SO, so I created a couple of aliases to help me explore the signatures:

alias showenabled='grep -v "^#" /etc/nsm/rules/downloaded.rules | grep -o -P "msg:\".*?\"" | sed "s/msg:\|\"//g" | sort'

alias showdisabled='grep "^#" /etc/nsm/rules/downloaded.rules | grep -o -P "msg:\".*?\"" | sed "s/msg:\|\"//g" | sort'

This allows me to quickly browse through enabled or disabled signatures in a fairly readable format.

> find all enabled GPL signatures
$showenabled | grep GPL | less
GPL ATTACK_RESPONSE command completed
GPL ATTACK_RESPONSE command error
GPL ATTACK_RESPONSE del attempt
GPL ATTACK_RESPONSE directory listing
etc.

> find all the subcategories of enabled Emerging Threats signatures
$showenabled | grep ^ET | cut -d ' ' -f 2 | uniq
ATTACK_RESPONSE
CHAT
CIARMY
CNC
COMPROMISED
CURRENT_EVENTS
DELETED
DNS
etc.

If there's a better way to do this, please reply. Otherwise, maybe this will help someone else.

Jay
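The same idea as the aliases above, as an added example that is not part of the original post and not Security Onion's own tooling: the two listings become shell functions that take the rules file as an argument, the `-P` dependency on GNU grep is dropped, and a third function counts enabled rules per ruleset/category prefix (the "ET TROJAN", "GPL FTP" part of each msg), which is a quicker way to see what a sensor actually alerts on than scrolling the full list. The rule lines embedded below are constructed samples with placeholder SIDs, not content from a real ruleset; the only assumption about the file is the usual Snort/Suricata text layout of one rule per line with a `msg:"..."` option and `#` marking disabled rules.

```shell
#!/bin/sh
# Added example (not from the original post or from Security Onion).
# Assumption: one rule per line, each with a msg:"..." option; disabled rules
# are commented out with a leading '#'.

# Byte-order sorting keeps the output deterministic regardless of locale.
LC_ALL=C
export LC_ALL

RULES_FILE="${RULES_FILE:-/etc/nsm/rules/downloaded.rules}"

# Print the msg text of every enabled (uncommented) rule, sorted.
# Only lines that carry a msg option survive, so bare comment lines are skipped.
show_enabled() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o 'msg:"[^"]*"' \
        | sed -e 's/^msg:"//' -e 's/"$//' \
        | sort
}

# Print the msg text of every disabled (commented-out) rule, sorted.
show_disabled() {
    grep '^[[:space:]]*#' "$1" \
        | grep -o 'msg:"[^"]*"' \
        | sed -e 's/^msg:"//' -e 's/"$//' \
        | sort
}

# Count enabled rules per "<RULESET> <CATEGORY>" prefix, most common first.
count_categories() {
    show_enabled "$1" \
        | awk '{ print $1, $2 }' \
        | sort | uniq -c | sort -rn
}

# Write a small constructed rules file (placeholder SIDs, not real rule content)
# to a temp file and print its path, so the functions can be tried offline.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample file, not real rule content
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sample beacon"; sid:9000001; rev:1;)
alert tcp any any -> any 21 (msg:"GPL FTP sample login"; sid:9000002; rev:1;)
#alert udp any any -> any 53 (msg:"ET DNS Sample disabled rule"; sid:9000003; rev:1;)
alert tcp any any -> any 80 (msg:"ET TROJAN Another sample"; sid:9000004; rev:1;)
# plain comment line with no rule on it
EOF
    printf '%s\n' "$f"
}

# Usage after sourcing this file:
#   show_enabled "$RULES_FILE" | grep GPL | less
#   show_disabled "$RULES_FILE" | less
#   count_categories "$RULES_FILE" | head
```

Unlike the alias version, `count_categories` sorts before `uniq -c`, so the counts are correct even if the msg strings are not already grouped by prefix; `uniq` on its own only collapses adjacent duplicates.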
