snort-rule 0.1.0

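--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,20 @@
+Copyright (c) 2011 Chris Lee, PhD
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.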
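--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -0,0 +1,19 @@
+= snort-rule
+
+Description goes here.
+
+== Contributing to snort-rule
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Chris Lee, PhD. See LICENSE.txt for
+further details.
+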
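--- a/data/bin/snortrule
+++ b/data/bin/snortrule
@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+# DESCRIPTION: generates and parses snort rules
+begin
+require 'snort-rule'
+rescue LoadError
+require 'rubygems'
+require 'snort-rule'
+end
+
+require 'getoptlong'
+
+def usage
+puts "Usage: #{$0} [-h] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
+puts "-h This text."
+puts "-a <action> alert, log, pass, ... : alert"
+puts "-p <protocol> ip, udp, tcp, ... : ip"
+puts "-s <srcip> dotted quad IP address : any"
+puts "-x <srcport> port number : any"
+puts "-w <direction> ->, <-, or <> : ->"
+puts "-d <dstip> dotted quad IP address : any"
+puts "-c <dstport> port number : any"
+puts "-o <key:value> option/value pairs, specify multiple times for multiple options"
+exit
+end
+
+opts = GetoptLong.new(
+[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+[ '--action', '-a', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--proto', '-p', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--src', '-s', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--sport', '-x', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--dir', '-w', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--dst', '-d', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--dport', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--opts', '-o', GetoptLong::REQUIRED_ARGUMENT ]
+)
+
+rule = Snort::Rule.new
+opts.each do |opt, arg|
+case opt
+when '--help'
+usage
+when '--action'
+rule.action = arg
+when '--proto'
+rule.proto = arg
+when '--src'
+rule.src = arg
+when '--sport'
+rule.sport = arg.to_i
+when '--dir'
+rule.dir = arg
+when '--dst'
+rule.dst = arg
+when '--dport'
+rule.dport = arg.to_i
+when '--opts'
+if arg =~ /(.+?)\s*[=:]\s*(.+)/
+rule.opts[$1] = $2
+else
+rule.opts[arg] = true
+end
+else
+usage
+end
+end
+
+puts rule.to_s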
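Review bot: The `--sport` and `--dport` branches call `arg.to_i`, so the `any` default the usage text shows cannot be given explicitly and a port range such as `80:443` collapses to `80`: `-x any` becomes `0` and the emitted rule matches only port 0. Since `Rule#to_s` (defined in the next hunk) just joins the fields as given, `rule.sport = arg` and `rule.dport = arg` keep whatever the user typed and match the `'any'` defaults in `Rule#initialize`. The `else` arm of the `case` is unlikely to be reached, because GetoptLong normally raises `GetoptLong::InvalidOption` for unknown switches before the block runs, so a `rescue GetoptLong::Error` around `opts.each` that calls `usage` would give the intended help text instead of a backtrace — I have not traced that from this page. The `-o` branch stores its match via `$1`/`$2`; `Regexp.last_match(1)` and `(2)` would read more clearly.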
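--- a/data/lib/snort-rule/base.rb
+++ b/data/lib/snort-rule/base.rb
@@ -0,0 +1,52 @@
+# Generates and parses snort rules
+#
+# Author:: Chris Lee (mailto:rubygems@chrislee.dhs.org)
+# Copyright:: Copyright (c) 2011 Chris Lee
+# License:: Distributes under the same terms as Ruby
+module Snort
+# This class stores and generates the features of a snort rule
+class Rule
+attr_accessor :action, :proto, :src, :sport, :dir, :dst, :dport, :opts
+
+def initialize(kwargs={})
+@action = kwargs[:action] || 'alert'
+@proto = kwargs[:proto] || 'IP'
+@src = kwargs[:src] || 'any'
+@sport = kwargs[:sport] || 'any'
+@dir = kwargs[:dir] || '->'
+@dst = kwargs[:dst] || 'any'
+@dport = kwargs[:dport] || 'any'
+@opts = kwargs[:opts] || {}
+end
+
+# Output the current object into a snort rule
+def to_s(options_only=false)
+rule = ""
+rule = [@action, @proto, @src, @sport, @dir, @dst, @dport, '( '].join(" ") unless options_only
+opts.keys.sort.each do |k|
+rule += k if opts[k];
+unless opts[k] == true
+rule += ":#{opts[k]}"
+end
+rule += "; "
+end
+rule += ")" unless options_only
+rule
+end
+
+# Parse a snort rule to generate an object
+def Rule::parse(string)
+rule = Snort::Rule.new
+rulepart, optspart = string.split(/\s*\(\s*/,2)
+rule.action, rule.proto, rule.src, rule.sport, rule.dir, rule.dst, rule.dport = rulepart.split(/\s+/)
+rule.opts = Hash[optspart.gsub(/;\s*\).*$/,'').split(/\s*;\s*/).map { |x|
+if x =~ /(.*?):(.*)/
+x.split(/:/,2)
+else
+[x,true]
+end
+}]
+rule
+end
+end
+end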
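Review bot: `Rule::parse` dereferences `optspart` unconditionally on the `rule.opts = Hash[optspart.gsub(` line, so a rule with no `( ... )` block raises `NoMethodError` on nil instead of a parse error; a guard such as `raise ArgumentError, "rule has no option block: #{string}" unless optspart` before that line turns it into a diagnosable failure. The option split on `/\s*;\s*/` also does not honour a backslash-escaped `\;` or a `;` inside a quoted `content:` value, so such rules round-trip with their options truncated — worth handling, or at least stating on the `# Parse a snort rule to generate an object` comment so callers know the parser is not a full Snort grammar. In `to_s`, a key whose value is `false` or `nil` skips the key on `rule += k if opts[k];` but still appends `":#{opts[k]}; "`, emitting a dangling `:false; ` or `:; `; `next unless opts[k]` at the top of the loop avoids that. This hunk has no file header on the page; the path is inferred from the `lib/snort-rule/base.rb` entry in the metadata file list.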
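--- a/data/lib/snort-rule.rb
+++ b/data/lib/snort-rule.rb
@@ -0,0 +1 @@
+require 'snort-rule/base'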
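--- a/data/test/helper.rb
+++ b/data/test/helper.rb
@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+$stderr.puts e.message
+$stderr.puts "Run `bundle install` to install missing gems"
+exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'snort-rule'
+
+class Test::Unit::TestCase
+end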
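--- a/data/test/test_snort-rule.rb
+++ b/data/test/test_snort-rule.rb
@@ -0,0 +1,25 @@
+require 'helper'
+
+class TestSnortRule < Test::Unit::TestCase
+should "constructor should set all the parameters and generate the correct rule" do
+rule = Snort::Rule.new({:action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
+assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+end
+
+should "construct a default rule and update each member to generate the correct rule" do
+rule = Snort::Rule.new
+rule.action = 'pass'
+rule.proto = 'udp'
+rule.src = '192.168.0.1'
+rule.dir = '<>'
+rule.dport = 53
+rule.opts['sid'] = 48
+rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
+assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+end
+
+should "parse an existing rule and generate the same rule" do
+rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )")
+assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+end
+end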
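Review bot: All three `assert_equal` calls pass `rule.to_s` first and the literal second, but Test::Unit's signature is `assert_equal(expected, actual)`, so a failure message would label the literal as the wrong value; swap each to `assert_equal "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )", rule.to_s`. The suite round-trips a single well-formed rule, so the `Rule::parse` paths in the earlier hunk that differ from it — a rule with no `( ... )` block, a valueless flag option (stored as `true` by `parse`), and an option value containing `:` or an escaped `;` — are untested; one case each would pin that behaviour before the parser is used on rule sets from elsewhere. This hunk has no file header on the page; the path is inferred from the `test/test_snort-rule.rb` entry in the metadata file list.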
data.tar.gz.sig ADDED
@@ -0,0 +1,2 @@
1
+ �O��+�Ǿ=B$vB�ul�f4�+�*mQ'��/�$ �|7������3�`^ؙ�����qO��"���z����n��)�f�*��HZ�1o�p����X����{��f�#�ȡ�%�ګ͹�p+���!@<�b�a�CC�BQ]��ժ�sIU�ɭ,�5X����D���
2
+ 9�J?�%�Zv�u��w
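--- a/metadata
+++ b/metadata
@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: snort-rule
+version: !ruby/object:Gem::Version
+hash: 27
+prerelease:
+segments:
+- 0
+- 1
+- 0
+version: 0.1.0
+platform: ruby
+authors:
+- Chris Lee
+autorequire:
+bindir: bin
+cert_chain:
+- |
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
+Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
+ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
+NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
+aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
+vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
+ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
+IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
+ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
+Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
+PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
+RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
+OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
+W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
+hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
+AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
+/5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
+6yhklP75
+-----END CERTIFICATE-----
+
+date: 2011-03-07 00:00:00 -05:00
+default_executable: snortrule
+dependencies:
+- !ruby/object:Gem::Dependency
+version_requirements: &id001 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+requirement: *id001
+prerelease: false
+name: shoulda
+type: :development
+- !ruby/object:Gem::Dependency
+version_requirements: &id002 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+hash: 23
+segments:
+- 1
+- 0
+- 0
+version: 1.0.0
+requirement: *id002
+prerelease: false
+name: bundler
+type: :development
+- !ruby/object:Gem::Dependency
+version_requirements: &id003 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+hash: 7
+segments:
+- 1
+- 5
+- 2
+version: 1.5.2
+requirement: *id003
+prerelease: false
+name: jeweler
+type: :development
+- !ruby/object:Gem::Dependency
+version_requirements: &id004 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+requirement: *id004
+prerelease: false
+name: rcov
+type: :development
+description: arses and generates Snort rules similar to PERL's Snort::Rule
+email: rubygems@chrislee.dhs.org
+executables:
+- snortrule
+extensions: []
+
+extra_rdoc_files:
+- LICENSE.txt
+- README.rdoc
+files:
+- bin/snortrule
+- lib/snort-rule.rb
+- lib/snort-rule/base.rb
+- LICENSE.txt
+- README.rdoc
+- test/helper.rb
+- test/test_snort-rule.rb
+has_rdoc: true
+homepage: https://rubygems.org/gems/snort-rule
+licenses:
+- MIT
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.6.1
+signing_key:
+specification_version: 3
+summary: Class for parsing and generating Snort Rules
+test_files:
+- test/helper.rb
+- test/test_snort-rule.rb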
metadata.gz.sig ADDED
Binary file