snort-rule 0.1.0

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Chris Lee, PhD
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,19 @@
+= snort-rule
+
+Description goes here.
+
+== Contributing to snort-rule
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Chris Lee, PhD. See LICENSE.txt for
+further details.
+

data/bin/snortrule

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+# DESCRIPTION: generates and parses snort rules
+begin
+	require 'snort-rule'
+rescue LoadError
+	require 'rubygems'
+	require 'snort-rule'
+end
+
+require 'getoptlong'
+
+def usage
+	puts "Usage: #{$0} [-h] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
+	puts "-h             This text."
+	puts "-a <action>    alert, log, pass, ... : alert"
+	puts "-p <protocol>  ip, udp, tcp, ... : ip"
+	puts "-s <srcip>     dotted quad IP address : any"
+	puts "-x <srcport>   port number : any"
+	puts "-w <direction> ->, <-, or <> : ->"
+	puts "-d <dstip>     dotted quad IP address : any"
+	puts "-c <dstport>   port number : any"
+	puts "-o <key:value> option/value pairs, specify multiple times for multiple options"
+	exit
+end
+
+opts = GetoptLong.new(
+	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+	[ '--action', '-a', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--proto', '-p', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--src', '-s', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--sport', '-x', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--dir', '-w', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--dst', '-d', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--dport', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--opts', '-o', GetoptLong::REQUIRED_ARGUMENT ]
+)
+
+rule = Snort::Rule.new
+opts.each do |opt, arg|
+	case opt
+	when '--help'
+		usage
+	when '--action'
+		rule.action = arg
+	when '--proto'
+		rule.proto = arg
+	when '--src'
+		rule.src = arg
+	when '--sport'
+		rule.sport = arg.to_i
+	when '--dir'
+		rule.dir = arg
+	when '--dst'
+		rule.dst = arg
+	when '--dport'
+		rule.dport = arg.to_i
+	when '--opts'
+		if arg =~ /(.+?)\s*[=:]\s*(.+)/
+			rule.opts[$1] = $2
+		else
+			rule.opts[arg] = true
+		end
+	else
+		usage
+	end
+end
+
+puts rule.to_s

data/lib/snort-rule/base.rb

@@ -0,0 +1,52 @@
+# Generates and parses snort rules
+#
+# Author::    Chris Lee  (mailto:rubygems@chrislee.dhs.org)
+# Copyright:: Copyright (c) 2011 Chris Lee
+# License::   Distributes under the same terms as Ruby
+module Snort
+	# This class stores and generates the features of a snort rule
+	class Rule
+		attr_accessor :action, :proto, :src, :sport, :dir, :dst, :dport, :opts
+		
+		def initialize(kwargs={})
+			@action = kwargs[:action] || 'alert'
+			@proto = kwargs[:proto] || 'IP'
+			@src = kwargs[:src] || 'any'
+			@sport = kwargs[:sport] || 'any'
+			@dir = kwargs[:dir] || '->'
+			@dst = kwargs[:dst] || 'any'
+			@dport = kwargs[:dport] || 'any'
+			@opts = kwargs[:opts] || {}
+		end
+		
+		# Output the current object into a snort rule
+		def to_s(options_only=false)
+			rule = ""
+			rule = [@action, @proto, @src, @sport, @dir, @dst, @dport, '( '].join(" ") unless options_only
+			opts.keys.sort.each do |k|
+				rule += k if opts[k];
+				unless opts[k] == true
+					rule += ":#{opts[k]}"
+				end
+				rule += "; "
+			end
+			rule += ")" unless options_only
+			rule
+		end
+		
+		# Parse a snort rule to generate an object
+		def Rule::parse(string)
+			rule = Snort::Rule.new
+			rulepart, optspart = string.split(/\s*\(\s*/,2)
+			rule.action, rule.proto, rule.src, rule.sport, rule.dir, rule.dst, rule.dport = rulepart.split(/\s+/)
+			rule.opts = Hash[optspart.gsub(/;\s*\).*$/,'').split(/\s*;\s*/).map { |x| 
+				if x =~ /(.*?):(.*)/
+					x.split(/:/,2)
+				else
+					[x,true]
+				end
+			}]
+			rule
+		end
+	end
+end

data/lib/snort-rule.rb

@@ -0,0 +1 @@
+require 'snort-rule/base'

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'snort-rule'
+
+class Test::Unit::TestCase
+end

data/test/test_snort-rule.rb

@@ -0,0 +1,25 @@
+require 'helper'
+
+class TestSnortRule < Test::Unit::TestCase
+	should "constructor should set all the parameters and generate the correct rule" do
+		rule = Snort::Rule.new({:action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
+		assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	end
+
+	should "construct a default rule and update each member to generate the correct rule" do
+		rule = Snort::Rule.new
+		rule.action = 'pass'
+		rule.proto = 'udp'
+		rule.src = '192.168.0.1'
+		rule.dir = '<>'
+		rule.dport = 53
+		rule.opts['sid'] = 48
+		rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
+		assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	end
+
+	should "parse an existing rule and generate the same rule" do
+		rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )")
+		assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	end
+end

data.tar.gz.sig

@@ -0,0 +1,2 @@
+�O��+�Ǿ=B$vB�ul�f4�+�*mQ'��/�$ �|7������3�`^ؙ�����qO��"���z����n��)�f�*��HZ�1o�p����X����{��f�#�ȡ�%�ګ͹�p+���!@<�b�a�CC�BQ]��ժ�sIU�ɭ,�5X����D���
+9�J?�%�Zv�u��w

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification 
+name: snort-rule
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Chris Lee
+autorequire: 
+bindir: bin
+cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
+  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
+  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
+  NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
+  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
+  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
+  vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
+  ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
+  IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
+  ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
+  Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
+  PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
+  RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
+  OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
+  W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
+  hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
+  AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
+  /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
+  6yhklP75
+  -----END CERTIFICATE-----
+
+date: 2011-03-07 00:00:00 -05:00
+default_executable: snortrule
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id001
+  prerelease: false
+  name: shoulda
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  requirement: *id002
+  prerelease: false
+  name: bundler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 1
+        - 5
+        - 2
+        version: 1.5.2
+  requirement: *id003
+  prerelease: false
+  name: jeweler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id004
+  prerelease: false
+  name: rcov
+  type: :development
+description: arses and generates Snort rules similar to PERL's Snort::Rule
+email: rubygems@chrislee.dhs.org
+executables: 
+- snortrule
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- bin/snortrule
+- lib/snort-rule.rb
+- lib/snort-rule/base.rb
+- LICENSE.txt
+- README.rdoc
+- test/helper.rb
+- test/test_snort-rule.rb
+has_rdoc: true
+homepage: https://rubygems.org/gems/snort-rule
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.1
+signing_key: 
+specification_version: 3
+summary: Class for parsing and generating Snort Rules
+test_files: 
+- test/helper.rb
+- test/test_snort-rule.rb