Snort mailing list archives
Re: Diff'ing rulesets
From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Tue, 8 Jan 2002 17:14:21 +0100
Hi!

Just a small warning, what if somebody has 'broken' a rule into several lines by adding '\' at the end of lines? Like:

redalert tcp $EXTERNAL_NET any -> $SSH_AFFECTED 22 \
    (msg:"EXPLOIT ssh explicitely kill connection"; \
    resp:rst_all; \
    classtype:bad-known;)

So maybe the third line was changed to

    resp:icmp_all

If somebody changes only *part* of (a partial line of!) a rule, the 'diff' catches only this *part* and possibly appends nonsense?!

Sincerely yours, Stucki

On Tue, Jan 08, 2002 at 10:47:18AM -0500, Andy Wood wrote:
...
diff -b current_mod.rules new.rules | awk '/>/' | \ ...
...
I think this will work.....it worked here.
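An added example, not part of the original thread and not code from any poster: it shows the failure mode Stucki describes and one way around it, by joining backslash-continued lines into logical rules before diffing. The second rule and all function names are constructed for illustration.

```python
import difflib
import re

# Constructed sample: the rule quoted in the post plus one made-up rule.
OLD = r'''
redalert tcp $EXTERNAL_NET any -> $SSH_AFFECTED 22 \
    (msg:"EXPLOIT ssh explicitely kill connection"; \
    resp:rst_all; \
    classtype:bad-known;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed sample";)
'''
# Same rules, but resp changed on one physical line and rule 2 re-wrapped.
NEW = r'''
redalert tcp $EXTERNAL_NET any -> $SSH_AFFECTED 22 \
    (msg:"EXPLOIT ssh explicitely kill connection"; \
    resp:icmp_all; \
    classtype:bad-known;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 \
    (msg:"constructed sample";)
'''

def logical_rules(text):
    """Join '\\'-continued lines so that each rule is one logical line."""
    rules, parts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not parts and (not line or line.startswith("#")):
            continue  # blank line or comment between rules
        more = line.endswith("\\")
        parts.append(line[:-1] if more else line)
        if not more:
            # Collapse whitespace runs, as 'diff -b' would, for comparison only.
            rules.append(re.sub(r"\s+", " ", " ".join(parts)).strip())
            parts = []
    if parts:  # file ended in a dangling continuation
        rules.append(re.sub(r"\s+", " ", " ".join(parts)).strip())
    return rules

def added(old_lines, new_lines):
    """Lines present only in the new version (the '>' side of diff)."""
    return [d[2:] for d in difflib.ndiff(old_lines, new_lines) if d.startswith("+ ")]

def naive_added(old, new):   # physical lines: what the post warns about
    return added(old.splitlines(), new.splitlines())

def rule_added(old, new):    # logical rules: complete, loadable rules
    return added(logical_rules(old), logical_rules(new))
```

On the sample, naive_added() returns the bare "resp:icmp_all; \" fragment plus the two halves of the re-wrapped rule, while rule_added() returns only the one complete redalert rule that really changed.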