change IPS sid

ipssid_order.py

#!/usr/bin/python
import sys
import re

# file descriptors:
fd_rule = open('/media/root/aderno/view/treat/fireeyeman.rules', 'r') # for rule do: swap(sid)
fd_sid = open('/media/root/aderno/view/treat/all_sid_numbers', 'r')   # file that contains available SIDs

# RETURN values handling
ret = True

# Reading each line from OPENDED file descriptors:
while ret:
	rule_line = fd_rule.readline()
	
	# Ensures that capture lines begins with "alert".
	if rule_line.startswith('alert', 0, 5):
		sid_not_used = fd_sid.readline()
		sid_found = re.search(r'sid:\d+;', rule_line)
		print "{} -> sid:{};".format(sid_found.group(), sid_not_used.rstrip())

		# record into the rule file
		#print "{} {}".format(type(sid_found), type(sid_not_used.rstrip()))
		mod_rule = rule_line.replace(sid_found.group(), "sid:{};".format(sid_not_used.rstrip()))
		print mod_rule
		with open('/media/root/aderno/view/treat/blockbitips.rules', 'a') as fd_rec:
			fd_rec.write(mod_rule)
			fd_rec.close()

	# So, ignore the lines that begins with "event_filter"
	elif rule_line.startswith('event_filter', 0, 12):
		next(iter(rule_line))

	# handling EOF
	elif rule_line == "":
		ret = False
		
# CLOSING file descriptors
fd_rule.close()
fd_sid.close()

Public after 8 years