#!/bin/bash
# 2006/10/11 authored by cross@ssorc.tw
# snortsidconv.sh
# 根據 doc/signatures中的 txt說明,
# 將 impact是 Serious及 Severe的 sid收集起來,
# 交給 oinkmaster把 alert轉換成 drop
#
# ChangeLog: 2007/05/05 Add bad-traffic.rules for DROP_RULES_BYSELF
#                       fixed some DIR
# ChangeLog: 2007/03/27 add virus.rules for DROP_RULES_BYSELF
#                       fixed echo "url=$SNORT_DL_URL/$SNORT_RULES_FILE" >> $OINK_CONF
# ChangeLog: 2007/01/24 fixed 直接定義必要的內容 for oinkmaster.conf
#                       而 rename舊的 oinkmaster.conf TO oinkmaster.conf-`date +%F.%S`
# ChangeLog: 2006/12/21 fixed
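set -x
export LANG=C

# Where the rules tarball comes from.  It is fetched over plain HTTP and
# nothing below verifies a checksum or signature: the archive is unpacked
# as-is and its signature docs decide which sids become "drop", so the
# download host is trusted completely.
SNORT_DL_URL="http://localhost/snortrules"
#SNORT_DL_URL="http://www.snort.org/pub-bin/oinkmaster.cgi"
# Rule files whose sids are all switched from alert to drop, wholesale.
DROP_RULES_BYSELF="attack-responses.rules, backdoor.rules, bad-traffic.rules, ddos.rules, dos.rules, icmp.rules, other-ids.rules, p2p.rules, scan.rules, virus.rules"
OINK_CONF=/etc/oinkmaster.conf
# Oinkcode for the (currently commented-out) snort.org download.  It is an
# account credential; `set -x` above prints every expanded command line, so a
# trace or log of this script would reveal it once that URL is re-enabled.
OINK_CODE="97c2bc52f304b7590abb41b2fa1e5825c6396b6f"
SNORT_RULES_FILE=snortrules-snapshot-2.4.tar.gz
SNORT_RULES_DIR_TMP=/var/www/html/snortrulestmp

mkdir -p -- "$SNORT_RULES_DIR_TMP" || exit 1
cd "$SNORT_RULES_DIR_TMP" || exit 1
# Clear the previous snapshot before fetching a new one.
[ -f "$SNORT_RULES_FILE" ] && rm -r -- doc rules so_rules impact* "$SNORT_RULES_FILE"

# Download rules from www.snort.org
#wget "$SNORT_DL_URL/$OINK_CODE/$SNORT_RULES_FILE"
# Download rules from others
# A failed download or extraction must stop here; otherwise the steps below
# would move the live oinkmaster.conf aside and replace it with an empty list.
wget "$SNORT_DL_URL/$SNORT_RULES_FILE" || exit 1

tar zxf "$SNORT_RULES_FILE" || exit 1

cd doc/signatures || exit 1
# grep prints "<name>.txt:<line>"; cut on 'x' keeps "<name>.t" (the x of
# ".txt" is the first x).  The sed expressions drop three names (105-4...,
# 3-7196..., 3-8351...) -- presumably gid-prefixed docs that would not parse
# as plain sids; TODO confirm -- and grep keeps only all-numeric names.
grep "Serious." *.txt | cut -d'x' -f1 | sed -e 's/105-4//' -e 's/3-7196//' -e 's/3-8351//' | grep '^[0-9]' > impact-Serious.sid
grep "Severe." *.txt | cut -d'x' -f1 > impact-Severe.sid
cat impact-Serious.sid impact-Severe.sid > impact-all.sid
# "<sid>.t" -> "<sid>," on each line, then join all lines into one
# comma-separated list.
sed 's/.t/,/' impact-all.sid | tr -d '\n' > impact-all.sid.tmp
# Wrap the list in one oinkmaster modifysid directive: alert -> drop.
sed -e 's/^/modifysid /' -e 's/,$/ "^alert" | "drop"/' impact-all.sid.tmp > impact-sid.oinkmaster

mv -- impact* ../../
cd ../../ || exit 1

# Keep the previous config under a timestamped name; a new one is written
# from scratch below.
[ -f "$OINK_CONF" ] && mv -- "$OINK_CONF" "$OINK_CONF-$(date +%F.%S)"
{
  printf '%s\n' "path = /bin:/usr/bin:/usr/local/bin"
  printf '%s\n' ""
  printf '%s\n' 'update_files = .rules$|.config$|.conf$|.txt$|.map$'
  printf '%s\n' ""
  printf '%s\n' "# Download rules from http"
  printf '%s\n' "url=$SNORT_DL_URL/$SNORT_RULES_FILE"
  printf '%s\n' ""
  printf '%s\n' "# Drop all sids of one rule by self"
  # The quotes around ^alert and drop are part of oinkmaster's modifysid
  # syntax and must reach the file; the old nested-double-quote echo
  # silently dropped them.
  printf '%s\n' "modifysid $DROP_RULES_BYSELF \"^alert\" | \"drop\""
  printf '%s\n' ""
  printf '%s\n' "# Drop some impact sids with serious and severe"
  cat impact-sid.oinkmaster
} >> "$OINK_CONF"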

# END
