Last active June 29, 2023 06:27
Export rules from an exported SourceFire policy object (tested on 4.10 series sensors). Uses my Perl module for parsing and rendering Snort rules, Parse::Snort.
```perl
#!/usr/bin/perl
# vim: ts=4 sw=2 syntax=perl
#
# SourceFire object export rule dumper
# (C) Richard Harman <[email protected]>
#
# Usage:
#
# Export an Intrusion policy from your SourceFire sensor/defence center
# This will create a file like this:
# ObjectExport_20130522215800.sfo
#
# It's a tar.gz file, containing Object.txt.
# $ tar -zxvf ObjectExport_20130522215800.sfo
#
# Then run this script against Object.txt
# perl sfexport_rules.pl Object.txt > rules.rules
#
use warnings;
use strict;
use Storable;      # Object.txt is a Storable-serialised Perl hash
use Parse::Snort;

my $filename = shift @ARGV or die "Usage: $0 Object.txt\n";
my $hashref = retrieve($filename) or die "Couldn't open $filename for reading! ($!)";

# Only the object_index branch holds the exported objects, keyed by UUID.
while ( my ( $key, $ref ) = each %$hashref ) {
    next unless ( $key eq "object_index" );
    while ( my ( $uuid, $uuid_ref ) = each %$ref ) {
        while ( my ( $obj, $obj_ref ) = each %$uuid_ref ) {
            next unless $obj_ref->{type} eq "IDSRule";
            my $data = $obj_ref->{data};
            # sourcefire uses arrays of hashes, Parse::Snort uses arrays of arrays. Convert
            my (@opts) = map { [ %$_ ] } @{ $data->{opt_array} };
            my $rule = Parse::Snort->new( {
                'action'    => $data->{action},
                'proto'     => $data->{proto},
                'src'       => $data->{sip},
                'src_port'  => $data->{sport},
                'direction' => $data->{diroperator},
                'dst'       => $data->{dip},
                'dst_port'  => $data->{dport},
                'opts'      => \@opts,
            } );
            print $rule->as_string, "\n";
        }
    }
}
```
Tried this, but the rules.rules file is empty, 0 bytes. I exported only one IPS policy, extracted it using tar -zxvf, etc. The Object.txt file begins with the characters pst0, followed by non-printable characters mixed in with normal characters. The non-printable characters show up only in the terminal, not a text editor. I'm using a MacBook running High Sierra. Possibly a formatting issue in the text file?
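A diagnostic for the empty-output case described in the comment above, added here as an example and not part of the gist: `pst0` is the magic string at the start of every Storable file, so the check below confirms that magic, then tallies the object types found under `object_index` so a missing key or an export with no `IDSRule` objects is visible. The script name `sfexport_inspect.pl` is an assumption.

```perl
#!/usr/bin/perl
# Added diagnostic (not part of the gist): summarise what an Object.txt holds so
# an empty rules.rules can be traced to a missing "object_index" key or to an
# export containing no "IDSRule" objects.
# Usage: perl sfexport_inspect.pl Object.txt
use warnings;
use strict;
use Storable qw(retrieve);

my $filename = shift @ARGV or die "Usage: $0 Object.txt\n";

# Storable files begin with the magic string "pst0"; check it before retrieve()
# so a file in some other format gives a clear message instead of a crash.
open my $fh, '<:raw', $filename or die "Cannot open $filename: $!\n";
read $fh, my $magic, 4;
close $fh;
die "$filename does not look like a Storable file (first bytes were '"
    . ( defined $magic ? $magic : '' ) . "')\n"
    unless defined $magic && $magic eq 'pst0';

my $hashref = retrieve($filename);
die "Top-level value is not a hash\n" unless ref $hashref eq 'HASH';
print "Top-level keys: ", join( ', ', sort keys %$hashref ), "\n";

my $index = $hashref->{object_index};
unless ( ref $index eq 'HASH' ) {
    print "No object_index hash found; this export's layout differs from what the dumper expects\n";
    exit 1;
}

# Tally object types across every UUID so it is obvious whether any IDSRule objects exist.
my %types;
while ( my ( $uuid, $uuid_ref ) = each %$index ) {
    next unless ref $uuid_ref eq 'HASH';
    while ( my ( $obj, $obj_ref ) = each %$uuid_ref ) {
        my $type = ( ref $obj_ref eq 'HASH' && defined $obj_ref->{type} )
            ? $obj_ref->{type}
            : '(no type)';
        $types{$type}++;
    }
}

printf "%-20s %d\n", $_, $types{$_} for sort keys %types;
print "No IDSRule objects found: rules.rules would be empty\n" unless $types{IDSRule};
```

Run it on the same Object.txt that produced the empty file; a non-zero IDSRule count with empty dumper output points at the Parse::Snort side rather than the export.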