Rule2Alert - Update

The last major update to Rule2Alert was posted in my blog entry (Jan. 26th). At that point, it could alert on 972 rules within emerging-all.rules. Although this is not a very high number compared to the total number of rules in emerging-all.rules (8251), it is still a decent amount for any administrator to parse through. This tool is becoming more of a QA tool, working with Emerging Threats and the Suricata Team (OISF). Some minor updates that have been made:

-No need for a snort.conf anymore, as long as you specify the home_net and external_net variables on the command line via the "-m" and "-e" switches. This is done with a list of default variables that is used when no conf is provided.

-Basic User-Agent rule addition

-Basic uricontent rule addition

There is still much to fix, but that will be worked out eventually.
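As an added illustration (not Rule2Alert's own code), the following shows how those three additions fit together for one rule: resolve $HOME_NET/$EXTERNAL_NET from a default table when no snort.conf is given, then craft the HTTP request that satisfies the rule's content and uricontent so the sensor should alert on it, and check the crafted payload against the rule. The sample rule, the variable table and the $HTTP_PORTS value are constructed for this example.

```python
import re

# Constructed defaults standing in for the "-m"/"-e" switches; HTTP_PORTS is an added assumption.
DEFAULT_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}

# Constructed sample rule for this example; not taken from emerging-all.rules.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"TEST bad agent"; '
               'flow:to_server,established; content:"User-Agent|3a| Evil|2d|UA"; http_header; '
               'uricontent:"/cgi-bin/test.php"; nocase; sid:9000001; rev:1;)')

def decode_content(s):
    """Expand Snort |..| hex escapes: 'A|3a| B' -> b'A: B'."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(s.split("|")))

def parse_rule(rule, variables=DEFAULT_VARS):
    """Split header and options; resolve $VARS from the defaults table."""
    header, body = rule.split("(", 1)
    _, proto, src, sport, _, dst, dport = header.split()
    sub = lambda v: variables.get(v[1:], v) if v.startswith("$") else v
    # each option is name[:value]; values may be quoted or bare
    opts = [(n, v.strip('"')) for n, v in re.findall(r'(\w+)(?::("[^"]*"|[^;]*))?;', body)]
    return {"proto": proto, "src": sub(src), "sport": sub(sport),
            "dst": sub(dst), "dport": sub(dport), "opts": opts}

def craft_http_request(parsed, host="target.example"):
    """Build the smallest request that carries every content/uricontent match."""
    uri, headers = "/", []
    for name, value in parsed["opts"]:
        if name == "uricontent":
            uri = decode_content(value).decode("latin-1")
        elif name == "content":
            data = decode_content(value)
            # keep a full header line as-is, otherwise wrap the bytes in a header
            headers.append(data if b": " in data else b"X-R2A: " + data)
    lines = [f"GET {uri} HTTP/1.1".encode(), f"Host: {host}".encode()] + headers
    return b"\r\n".join(lines) + b"\r\n\r\n"

def payload_matches(parsed, payload):
    """Check every content/uricontent against the payload, honouring a trailing nocase."""
    needles = []  # [bytes, nocase]
    for name, value in parsed["opts"]:
        if name in ("content", "uricontent"):
            needles.append([decode_content(value), False])
        elif name == "nocase" and needles:
            needles[-1][1] = True
    return all(n.lower() in payload.lower() if nc else n in payload for n, nc in needles)
```

Calling craft_http_request(parse_rule(SAMPLE_RULE)) yields the raw TCP payload for the pcap; payload_matches then confirms the rule should fire before the packet is ever sent to a sensor.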

Now, when emerging-all.rules is loaded, the following results:

---
root@ubuntu:~/rule2alert# ../snort-2.8.5.3.sh all_manual.pcap | wc -l
2212

---

There are now 2212 rules that are alerted on when using Rule2Alert. I hope to break 3000 soon, and to work on determining which rules are bad - not just syntax-wise, but by actually crafting the packets.

Also, there is a new example page on the Google Code page showing exactly how to use Rule2Alert.