snort-rule 1.0.2 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 814357ce2643e9bde5663248cb35dbd708c4616e
-  data.tar.gz: ff24fe59ef9d47ff9bb6ff82daa4a4da497ed871
+  metadata.gz: 5769406b39c3f4e4d6f69f7e93dedb7480569ede
+  data.tar.gz: 87099f070762d3fe352aa9394dc9ee7faf366265
 SHA512:
-  metadata.gz: b9f683cfb2fc3cfce9530091d43d5cead649e95d8aae5304f4c64adaa938f14ed369a5c4d8c43dc4f7e4466b01ccda720f0288d7ade910777f3fa76dda010466
-  data.tar.gz: d3d8f96ae04a7b3276e2b7be1344c902bbe1e6f13067cd4903f8508bab110768336c7bf35a489a5468efae4de56c7da70b39d3a0941e6e8c213e7a7b9b4acd71
+  metadata.gz: 9985ac508c0dd80e357e6b7885537b9682f0a7ea0d1b7cacf5d3b3730c22f243d3cf861f36dd6194571e1dd8b78c3e1e798ebb4df0e22410affd2ba6fb2cc773
+  data.tar.gz: 588b14c3522b7283b13c1c481133c83c7fc50510abf73c74f0d87c2f8ae6d7cf995f3b023c8a066d0a19e75b974b948c211f251df13913ddf7f8f6d44d10ced2

data/README.md

@@ -18,11 +18,12 @@ Or install it yourself as:
 
 ## Usage
 
-	rule = Snort::Rule.new({:action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
-	
+	rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
+
 	rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
 
 	rule = Snort::Rule.new
+	rule.enabled = false
 	rule.action = 'pass'
 	rule.proto = 'udp'
 	rule.src = '192.168.0.1'
@@ -30,8 +31,9 @@ Or install it yourself as:
 	rule.dport = 53
 	rule.opts['sid'] = 48
 	rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
-	
-	rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+
+	# if the rule is disabled, then it will begin with a #
+	rule.to_s => "#pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
 
 	rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )")
 	rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
@@ -43,3 +45,5 @@ Or install it yourself as:
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create new Pull Request
+
+Thanks so much for those who have already contributed.

data/bin/snortrule

@@ -4,8 +4,9 @@ require 'getoptlong'
 require 'snort/rule'
 
 def usage
-	puts "Usage: #{$0} [-h] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
+	puts "Usage: #{$0} [-hE] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
 	puts "-h             This text."
+  puts "-E             Not enabled.  i.e., commented out"
 	puts "-a <action>    alert, log, pass, ... : alert"
 	puts "-p <protocol>  ip, udp, tcp, ... : ip"
 	puts "-s <srcip>     dotted quad IP address : any"
@@ -19,6 +20,8 @@ end
 
 opts = GetoptLong.new(
 	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--disabled', '-E', GetoptLong::NO_ARGUMENT ],
+	[ '--rule', '-r', GetoptLong::REQUIRED_ARGUMENT ],
 	[ '--action', '-a', GetoptLong::REQUIRED_ARGUMENT ],
 	[ '--proto', '-p', GetoptLong::REQUIRED_ARGUMENT ],
 	[ '--src', '-s', GetoptLong::REQUIRED_ARGUMENT ],
@@ -34,6 +37,11 @@ opts.each do |opt, arg|
 	case opt
 	when '--help'
 		usage
+  when '--disabled'
+    rule.enabled = false
+	when '--rule'
+		# TODO: regex sanity check here? better to fail gracefully.
+		rule = Snort::Rule.parse(arg)
 	when '--action'
 		rule.action = arg
 	when '--proto'

data/lib/snort/rule/version.rb

@@ -1,5 +1,5 @@
 module Snort
   class Rule
-    VERSION = "1.0.2"
+    VERSION = "1.1.1"
   end
 end

data/lib/snort/rule.rb

@@ -2,18 +2,21 @@ require "snort/rule/version"
 require "snort/rule/option"
 # Generates and parses snort rules
 #
-# Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org), Will Green (will[ at ]hotgazpacho[ dot ]org)
+# Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
+#             Will Green (will[ at ]hotgazpacho[ dot ]org),
+#             Justin Knox (jknox[ at ]indexzero[ dot ]org)
 # Copyright:: Copyright (c) 2011 Chris Lee
 # License::   Distributes under the same terms as Ruby
 module Snort
 
   # This class stores and generates the features of a snort rule
   class Rule
-    attr_accessor :action, :proto, :src, :sport, :dir, :dst, :dport
+    attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport
     attr_reader :options
 
     # Initializes the Rule
     # @param [Hash] kwargs The options to initialize the Rule with
+    # @option kwargs [String] :enabled true or false
     # @option kwargs [String] :action The action
     # @option kwargs [String] :proto The protocol
     # @option kwargs [String] :src The source IP
@@ -24,6 +27,10 @@ module Snort
     # @option kwargs[Array<Snort::RuleOption>] :options The better way of passing in options, using
     #   option objects that know how to represent themselves as a string properly
     def initialize(kwargs={})
+      @enabled = true
+      if kwargs.has_key?(:enabled) and (not kwargs[:enabled] or ['false', 'no', 'off'].index(kwargs[:enabled].to_s.downcase))
+        @enabled = false
+      end
       @action = kwargs[:action] || 'alert'
       @proto = kwargs[:proto] || 'IP'
       @src = kwargs[:src] || 'any'
@@ -37,7 +44,10 @@ module Snort
     # Output the current object into a snort rule
     def to_s(options_only=false)
       rule = ""
-      rule = [@action, @proto, @src, @sport, @dir, @dst, @dport].join(" ") unless options_only
+      if not @enabled
+        rule = "#"
+      end
+      rule += [@action, @proto, @src, @sport, @dir, @dst, @dport].join(" ") unless options_only
       if options.any?
         rule += " (" unless options_only
         rule += options.join(' ')
@@ -49,8 +59,18 @@ module Snort
     # Parse a snort rule to generate an object
     def Rule::parse(string)
       rule = Snort::Rule.new
+      # If the string begins with /^#+\s*/, then the rule is disabled.
+      # If disabled, let's scrub the disabling substring from the string.
+      if string.index(/^#+\s+/)
+        rule.enabled = false
+        string.gsub!(/^#+\s*/,'')
+      end
       rulepart, optspart = string.split(/\s*\(\s*/,2)
       rule.action, rule.proto, rule.src, rule.sport, rule.dir, rule.dst, rule.dport = rulepart.split(/\s+/)
+      if not ['<>', '<-', '->'].index(rule.dir)
+        # most likely, I have a parse error, maybe it's just a random comment
+        raise ArgumentError.new("Unable to parse rule, #{rulepart}")
+      end
       optspart.gsub(/;\s*\).*$/,'').split(/\s*;\s*/).each do |x|
         if x =~ /(.*?):(.*)/
           rule.options << Snort::RuleOption.new(*x.split(/:/,2))

data/snort-rule.gemspec

@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "minitest"
   spec.add_development_dependency "guard-minitest"
 
-  spec.signing_key   = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
-  spec.cert_chain    = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
+  #spec.signing_key   = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
+  #spec.cert_chain    = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
 end

data/test/helper.rb

@@ -1,3 +1,3 @@
 require 'minitest/autorun'
 require 'minitest/pride'
-require File.expand_path('../../lib/snort/rule.rb', __FILE__)
+require File.expand_path('../../lib/snort/rule.rb', __FILE__)

data/test/test_snort-rule.rb

@@ -10,8 +10,8 @@ require_relative 'helper'
 
 class TestSnortRule < Minitest::Test
   def test_constructor_should_set_all_the_parameters_and_generate_the_correct_rule
-    rule = Snort::Rule.new({:action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', 
-      :dst => 'any', :dport => 53, 
+    rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>',
+      :dst => 'any', :dport => 53,
       :options => [Snort::RuleOption.new('sid', 48), Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')]
     })
     assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
@@ -19,6 +19,7 @@ class TestSnortRule < Minitest::Test
 
   def test_construct_a_default_rule_and_update_each_member_to_generate_the_correct_rule
     rule = Snort::Rule.new
+    rule.enabled = true
     rule.action = 'pass'
     rule.proto = 'udp'
     rule.src = '192.168.0.1'
@@ -31,6 +32,7 @@ class TestSnortRule < Minitest::Test
 
   def test_construct_a_default_rule_with_many_options_having_the_same_keyword
     rule = Snort::Rule.new
+    rule.enabled = true
     rule.action = 'alert'
     rule.proto = 'tcp'
     rule.src = '$HOME_NET'
@@ -52,8 +54,49 @@ class TestSnortRule < Minitest::Test
     assert_equal 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Host www.baddomain.com"; content:"Host|3a|"; nocase; http_header; content:"www.baddomain.com"; nocase; http_header; pcre:"/^Host\x3a(.*\.|\s*)www\.baddomain\.com\s*$/mi"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:bad-unknown; sid:100000000;)', rule.to_s
   end
 
+  def test_construct_a_disabled_default_rule_with_many_options_having_the_same_keyword
+    rule = Snort::Rule.new
+    rule.enabled = false
+    rule.action = 'alert'
+    rule.proto = 'tcp'
+    rule.src = '$HOME_NET'
+    rule.dir = '->'
+    rule.dst = '$EXTERNAL_NET'
+    rule.dport = '$HTTP_PORTS'
+    rule.options << Snort::RuleOption.new('msg', '"HTTP Host www.baddomain.com"')
+    rule.options << Snort::RuleOption.new('content', '"Host|3a|"')
+    rule.options << Snort::RuleOption.new('nocase')
+    rule.options << Snort::RuleOption.new('http_header')
+    rule.options << Snort::RuleOption.new('content', '"www.baddomain.com"')
+    rule.options << Snort::RuleOption.new('nocase')
+    rule.options << Snort::RuleOption.new('http_header')
+    rule.options << Snort::RuleOption.new('pcre', '"/^Host\\x3a(.*\\.|\\s*)www\\.baddomain\\.com\\s*$/mi"')
+    rule.options << Snort::RuleOption.new('flow', 'to_server,established')
+    rule.options << Snort::RuleOption.new('threshold', 'type limit, track by_src, count 1, seconds 300')
+    rule.options << Snort::RuleOption.new('classtype', 'bad-unknown')
+    rule.options << Snort::RuleOption.new('sid', '100000000')
+    assert_equal '#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Host www.baddomain.com"; content:"Host|3a|"; nocase; http_header; content:"www.baddomain.com"; nocase; http_header; pcre:"/^Host\x3a(.*\.|\s*)www\.baddomain\.com\s*$/mi"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:bad-unknown; sid:100000000;)', rule.to_s
+  end
+
   def test_parse_an_existing_rule_and_generate_the_same_rule
     rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
     assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
   end
+
+  def test_parse_an_existing_disabled_rule_and_generate_the_same_rule
+    rule = Snort::Rule.parse("#pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
+    assert_equal rule.to_s, "#pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
+  end
+
+  def test_parse_a_disabled_rule_and_generate_the_normalized_disabled_rule
+    rule = Snort::Rule.parse("### pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
+    assert_equal rule.to_s, "#pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
+  end
+
+  def test_parse_a_garbled_rule_and_throws_an_exception
+    assert_raises ArgumentError do
+      Snort::Rule.parse("pass udp 192.168.0.1 bla bla bla 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )")
+    end
+  end
+
 end

data/test/test_snort_rule_option.rb

@@ -37,4 +37,4 @@ class TestSnortRuleOption < Minitest::Test
     assert_equal option1.hash, option2.hash
   end
 
-end
+end

metadata

@@ -1,91 +1,69 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.1.1
 platform: ruby
 authors:
 - chrislee35
 autorequire: 
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
-  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
-  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTEzMDUyMjEyNTk0N1oXDTE0MDUy
-  MjEyNTk0N1owVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
-  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
-  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANcPrx8BZiWIR9xWWG8I
-  tqR538tS1t+UJ4FZFl+1vrtU9TiuWX3Vj37TwUpa2fFkziK0n5KupVThyEhcem5m
-  OGRjvgrRFbWQJSSscIKOpwqURHVKRpV9gVz/Hnzk8S+xotUR1Buo3Ugr+I1jHewD
-  Cgr+y+zgZbtjtHsJtsuujkOcPhEjjUinj68L9Fz9BdeJQt+IacjwAzULix6jWCht
-  Uc+g+0z8Esryca2G6I1GsrgX6WHw8dykyQDT9dCtS2flCOwSC1R0K5T/xHW54f+5
-  wcw8mm53KLNe+tmgVC6ZHyME+qJsBnP6uxF0aTEnGA/jDBQDhQNTF0ZP/abzyTsL
-  zjUCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFO8w
-  +aeP7T6kVJblCg6eusOII9DfMA0GCSqGSIb3DQEBBQUAA4IBAQBCQyRJLXsBo2Fy
-  8W6e/W4RemQRrlAw9DK5O6U71JtedVob2oq+Ob+zmS+PifE2+L+3RiJ2H6VTlOzi
-  x+A061MUXhGraqVq4J2FC8kt4EQywAD0P0Ta5GU24CGSF08Y3GkJy1Sa4XqTC2YC
-  o51s7JP+tkCCtpVYSdzJhTllieRAWBpGV1dtaoeUKE6tYPMBkosxSRcVGczk/Sc3
-  7eQCpexYy9JlUBI9u3BqIY9E+l+MSn8ihXSPmyK0DgrhaCu+voaSFVOX6Y+B5qbo
-  jLXMQu2ZgISYwXNjNbGVHehut82U7U9oiHoWcrOGazaRUmGO9TXP+aJLH0gw2dcK
-  AfMglXPi
-  -----END CERTIFICATE-----
-date: 2014-05-02 00:00:00.000000000 Z
+cert_chain: []
+date: 2014-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: guard-minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Parses and generates Snort rules similar to PERL's Snort::Rule
@@ -96,7 +74,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - Gemfile
 - Guardfile
 - LICENSE.txt
@@ -120,17 +98,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.11
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Class for parsing and generating Snort Rules

metadata.gz.sig

@@ -1,3 +0,0 @@
-�����<R@���%��������n�W��pWx��
-�ڏH
-s�`����if&Z@��������l�����9ʥky�
�:�����G�UA�6�@B��ck�ىs���W���	�����9��b�гˢ�J9|"ߑ�-�	8}�z˝���<��Y���̿��k���s�A��j`
-0u���Ar,�%<���,C�