Compare an ID number with the revision number in two files; if the revision number in file A is lower than in file B, replace the line with the newest revision?

I have a rule file. Each line contains a sid:number and a rev:number.

I want to compare this file with an updated file, but not every line gets updated.

If a line with the same sid:number has a higher rev:number in one of the files, it should be replaced by the line with the higher rev:number.

This is what I am currently doing:

# Extract every "sid:N; rev:M" pair from the current rule file and check
# whether the update file contains exactly the same pair (same sid, same rev).
grep -oP "sid:[0-9]{0,11}; rev:[0-9]{0,3}" all_rules.rules |
  while read -r line; do
    # -F matches the literal string rather than a regex; -- guards a leading dash
    if grep -qF -- "$line" /home/path/update_rules.rules; then
      echo updated
    fi
  done

Below is an example of the all.rules file.

alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens? Matryoshka DNS Lookup 1 (winupdate64 . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|winupdate64|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens? Matryoshka DNS Lookup 2 (twiter-statics . info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|twiter|2d|statics|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens? Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|cloudflare|2d|analyse|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024497; rev:1;)

Below is an example of update.rules.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revcode RAT CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"keyauth="; http_client_body; fast_pattern; depth:8; content:"&key="; http_client_body; distance:0; content:"&uid="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:"WinHttpRequest"; http_header; metadata: former_category TROJAN; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:trojan-activity; sid:2024500; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_27, performance_impact Moderate, updated_at 2017_07_27;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens? Matryoshka DNS Lookup 1 (winupdate64 . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|winupdate64|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|twiter|2d|statics|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Matryoshka, performance_impact Moderate, updated_at 2017_07_25;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|cloudflare|2d|analyse|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family CobaltStrike, performance_impact Moderate, updated_at 2017_07_26;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; content:"GET"; http_method; content:"/sosdoudou_V3/"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,98376de10118892f0773617da137c2be md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_26, malware_family Banload, performance_impact Moderate, updated_at 2017_07_26;)

There are three rules that are the same, but in update.rules sid:2024495, sid:2024496 and sid:2024497 contain an updated revision. I would like to replace the old versions in the all.rules file with the newest version of the rules from update.rules.

Best answer

This works for me in minimal testing.

#!/bin/zsh
# usage (assumed): cat all.rules update.rules | ./merge.zsh > merged.rules
# rule[sid]   -> the rule text with the highest rev seen so far for that sid
# sidrev[sid] -> that highest rev
typeset -A rule sidrev
while read -r line; do
    # skip lines without a sid/rev pair (comments, blank lines)
    [[ $line == *sid:* && $line == *rev:* ]] || continue
    # drop everything up to "sid:" / "rev:", then everything from the next ";"
    sid=${${line/*sid:/}/;*/}
    rev=${${line/*rev:/}/;*/}
    # keep the first rule seen for a sid, replace it whenever a higher rev appears
    if [[ "$rev" -gt "${sidrev[$sid]:-0}" ]]; then
        sidrev[$sid]="$rev"
        rule[$sid]="$line"
    fi
done
# print the surviving rules, one per line, without interpreting backslashes
echo -E ${(F)rule}

The script reads snort rules from stdin and prints the newest version of every rule it read to stdout.
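As an added example (not part of the answer above or the asker's script), the same sid/rev merge in bash and awk, which goes a little further than the zsh version: it keeps all.rules in its original order, passes comment and blank lines through unchanged, replaces a rule only when the update file carries a strictly higher rev, and appends sids that exist only in the update file. The function name merge_rules and the two sample rule files are assumptions constructed for this example.

```bash
#!/bin/bash
# merge_rules OLD NEW: print OLD in its original order, replacing each rule
# whose sid appears in NEW with a strictly higher rev; rules that exist only
# in NEW are appended. Lines without a sid/rev pair pass through unchanged.
merge_rules() {
    awk -v new="$2" '
    # Pull sid and rev out of one rule line into the globals sid/rev.
    function keys(line) {
        sid = ""; rev = ""
        if (match(line, /sid:[0-9]+;/)) sid = substr(line, RSTART + 4, RLENGTH - 5)
        if (match(line, /rev:[0-9]+;/)) rev = substr(line, RSTART + 4, RLENGTH - 5)
        return (sid != "" && rev != "")
    }
    FILENAME == new {                 # first pass: index the update file by sid
        if (keys($0) && (!(sid in newrev) || rev + 0 > newrev[sid] + 0)) {
            newrev[sid] = rev; newrule[sid] = $0
        }
        next
    }
    !keys($0) { print; next }         # second pass: non-rule lines unchanged
    {
        used[sid] = 1
        if (sid in newrev && newrev[sid] + 0 > rev + 0) print newrule[sid]
        else print
    }
    END {                             # sids that only the update file knows
        for (s in newrule) if (!(s in used)) print newrule[s]
    }' "$2" "$1"
}

# Constructed sample rule files (not the files from the question).
OLD=$(mktemp)
NEW=$(mktemp)
trap 'rm -f "$OLD" "$NEW"' EXIT
cat >"$OLD" <<'EOF'
# local copy
alert udp $HOME_NET any -> any 53 (msg:"A"; sid:2024495; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"B newer locally"; sid:2024496; rev:3;)
EOF
cat >"$NEW" <<'EOF'
alert udp $HOME_NET any -> any 53 (msg:"A updated"; sid:2024495; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"B"; sid:2024496; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"C new"; sid:2024500; rev:1;)
EOF

merge_rules "$OLD" "$NEW"
```

With the sample files, sid 2024495 comes out at rev:2, sid 2024496 keeps the local rev:3, and sid 2024500 is appended after the original rules.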
