Tools

September 9th, 2010

Pigsty

Pigsty is a perl script that I wrote while revamping a set of Snort IDS sensors. I've used Oinkmaster for many years to manage signature updates and, while I know there are a couple of successors to that project, I just haven't had the time to investigate them. One feature of Pulled_Pork that I did like was the ability to register specific regular expressions for signatures to automatically disable, which lets you tune the current signature set to your install base. I wanted something quick and dirty that I could use with my existing Oinkmaster setup to quickly remove those signatures for technologies not in use (e.g. Novell, Tivoli, etc.). Enter Pigsty. Pigsty outputs an Oinkmaster-formatted disablesid block of text for all currently active rules whose msg text matches the supplied pattern or regex. Simply review the block for accuracy or, if you're brave, just have Pigsty append the block to your existing oinkmaster.conf file. Pigsty even comments each line with the msg text of the now-disabled rule and the rule file it came from.

Requires:

  • Getopt::Long

usage: pigsty.pl -conf <PATH TO SNORT CONF> -rules <PATH TO RULES DIR> (-o <OPTIONAL OUTPUT FILE>) -p <SEARCH STRING OR REGEX>
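The following is an added Python example, not Pigsty's own perl code, showing the core of the workflow described above: read the rules files, keep only the rules that are actually active (lines already commented out with `#` need no disablesid entry), extract each rule's sid and msg, match the msg against a user-supplied string or regex, and emit an Oinkmaster disablesid block with the rule file and msg noted on each line. The sample rules and sid values are constructed for the example, the trailing `#` comment layout is an assumption about how Pigsty formats its output (Oinkmaster treats text after `#` on a config line as a comment), and the real script's -conf handling is not modelled.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Rule actions that start an active Snort rule line; anything else (a '#'
# comment, a 'var' line, a blank line) is skipped because it is not an
# active signature and therefore needs no disablesid entry.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# msg text is a double-quoted string; allow escaped characters inside it.
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def iter_logical_lines(text: str) -> Iterator[str]:
    """Yield rule text with backslash line continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        yield buf
        buf = ""
    if buf:
        yield buf


def active_rules(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (sid, msg) for every active rule in one rules file."""
    for rule in iter_logical_lines(text):
        stripped = rule.lstrip()
        if not stripped.startswith(ACTIONS):
            continue
        sid = SID_RE.search(stripped)
        msg = MSG_RE.search(stripped)
        if sid and msg:
            yield int(sid.group(1)), msg.group(1)


def find_matches(rule_files: Dict[str, str], pattern: str) -> List[Tuple[str, int, str]]:
    """Return (file, sid, msg) for active rules whose msg matches pattern.

    The pattern is compiled as a case-insensitive regex, so a plain string
    such as 'Novell' works as well as 'novell|tivoli'.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for fname in sorted(rule_files):
        for sid, msg in active_rules(rule_files[fname]):
            if rx.search(msg):
                hits.append((fname, sid, msg))
    return hits


def disablesid_block(matches: List[Tuple[str, int, str]]) -> str:
    """Format matches as Oinkmaster disablesid lines, one per sid, with the
    source file and msg as a trailing comment (assumed layout)."""
    return "\n".join(f"disablesid {sid}  # {fname}: {msg}" for fname, sid, msg in matches)


def load_rules_dir(rules_dir: str) -> Dict[str, str]:
    """Read every *.rules file in a directory, keyed by file name."""
    return {p.name: p.read_text() for p in sorted(Path(rules_dir).glob("*.rules"))}


# Constructed sample rules (not from any real rule set); sid values are
# placeholders in the local range. One rule is already commented out and
# one spans two physical lines.
SAMPLE_RULES = {
    "netbios.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"NETBIOS Novell NCP login attempt"; '
        'flow:to_server,established; sid:3000001; rev:2;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"NETBIOS Novell NCP already off"; sid:3000002; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB generic probe"; sid:3000003; rev:1;)\n'
    ),
    "misc.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 1581 (msg:"MISC Tivoli Storage Manager client overflow attempt"; \\\n'
        '    flow:to_server,established; sid:3000010; rev:3;)\n'
        'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; sid:3000011; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    # Usage: script.py [RULES_DIR] PATTERN ; with no rules dir the sample rules are used.
    if len(sys.argv) == 3:
        rules, pattern = load_rules_dir(sys.argv[1]), sys.argv[2]
    else:
        rules, pattern = SAMPLE_RULES, (sys.argv[1] if len(sys.argv) == 2 else "novell|tivoli")
    print(disablesid_block(find_matches(rules, pattern)))
```

Run without arguments it prints two disablesid lines for the sample set (the Tivoli rule and the active Novell rule); the commented-out Novell rule is ignored, which is the check worth keeping when you review the block before appending it to oinkmaster.conf. Matching only on msg, as Pigsty does, means a pattern such as `novell` will not catch a rule whose msg never names the product, so the block is a starting point for review rather than a complete tuning.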

Download Pigsty
