I wanted to get the msg from a Snort alert into the subject line of the e-mails generated by swatch. This script parses a sid-msg.map and outputs a swatch config. Yes, the code is crap, and swatch eats up about 125 MB with the full VRT and Bleeding rulesets, but to me it's worth it. Also, swatch seems to blow up if there is a # in the watchfor section of the config, so those rules are skipped; currently that only skips two Bleeding MoBB rules. If anybody has a better way to do this, or knows of a different tool, I would be very interested to hear from you ;-)
#!/usr/bin/perl
# swatchbuilder.pl: turn a Snort sid-msg.map into swatch watchfor stanzas
use strict;
use warnings;

die("Usage: swatchbuilder.pl <sid-msg.map> [...]\n") unless (@ARGV);

foreach my $file (@ARGV) {
    open(my $sidmsgmap, '<', $file) or die("Cannot open file: $file\n");
    while (my $row = <$sidmsgmap>) {
        # sid-msg.map format: sid || msg || reference || ...
        next if $row =~ /^\s*(#|$)/;    # skip comment and blank lines
        my @line = split(/\|\|/, $row);
        next unless defined $line[1];   # malformed line without a msg field
        # clean up sid
        $line[0] =~ s/\r?\n//;
        $line[0] =~ s/^\s+//;
        $line[0] =~ s/\s+$//;
        # clean up msg
        $line[1] =~ s/\r?\n//;
        $line[1] =~ s/^\s+//;
        $line[1] =~ s/\s+$//;
        # escape regex and shell metacharacters in the msg; '-' goes last in
        # the class so it is a literal (the original '"-*' was a range)
        $line[1] =~ s/([\@\/\+\&;\`'\\\|"*?#!~<>^\(\)\[\]\{\}\$\n\r-])/\\$1/g;
        # wtf? can swatch not deal with escaped #
        if ($line[1] =~ m/#/) {
            print "#badsid $line[0] skipping\n";
        }
        else {
            # the escaped msg is reused in the subject, so a rule msg cannot
            # smuggle unescaped shell metacharacters into swatch's mail action
            print "watchfor = /$line[1]/\n";
            print "mail=user1\@somewhere.com:user2\@somewhere.com,subject=IDS Alarm --$line[1]--\n";
        }
    }
    close($sidmsgmap);
}
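As an added check that is not part of the original post, the following script applies the same escaping to a few constructed sid-msg.map lines and confirms that each resulting watchfor pattern matches the corresponding Snort fast-alert line (also constructed), so metacharacters such as parentheses and hyphens in a rule msg end up as literals; the map lines, alert lines and the sub names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example: verify that swatch patterns built from sid-msg.map msgs
# match the alert lines Snort writes. Not code from the original post.
use strict;
use warnings;

# Same escaping as the post's script, with '-' last so it is a literal.
sub swatch_escape {
    my ($msg) = @_;
    $msg =~ s/([\@\/\+\&;\`'\\\|"*?#!~<>^\(\)\[\]\{\}\$-])/\\$1/g;
    return $msg;
}

# Constructed sid-msg.map lines (format: sid || msg || reference ...).
my @map = (
    '# comment line, must be skipped',
    '2003 || WEB-MISC (http_inspect) DOUBLE DECODING ATTACK || url,x',
    '2100498 || GPL ATTACK_RESPONSE id check returned root',
);

# Constructed Snort "fast" alert lines a swatch instance would tail.
my @alerts = (
    '10/15-01:02:03.000000 [**] [119:2:1] WEB-MISC (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:4567 -> 10.0.0.1:80',
    '10/15-01:02:04.000000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.1:80 -> 10.0.0.5:4567',
);

# Parse the map into [sid, escaped msg] pairs, skipping comments/blanks.
sub patterns_from_map {
    my @out;
    for my $row (@map) {
        next if $row =~ /^\s*(#|$)/;
        my ($sid, $msg) = (split /\|\|/, $row)[0, 1];
        next unless defined $msg;
        s/^\s+|\s+$//g for $sid, $msg;
        push @out, [$sid, swatch_escape($msg)];
    }
    return @out;
}

for my $p (patterns_from_map()) {
    my ($sid, $re) = @$p;
    my @hits = grep { /$re/ } @alerts;   # the pattern swatch would use
    printf "sid %s: pattern /%s/ matched %d alert line(s)\n",
        $sid, $re, scalar @hits;
}
```

Each of the two patterns should report exactly one matching alert line; a count of zero for a msg means the escaping broke the match and that rule would never trigger a mail.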
Monday, October 15, 2007