snort-rule 1.1.1 → 1.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 5769406b39c3f4e4d6f69f7e93dedb7480569ede
4
- data.tar.gz: 87099f070762d3fe352aa9394dc9ee7faf366265
3
+ metadata.gz: 983c58cf46f3b4d8c65327fa4bedcc2e1edebe93
4
+ data.tar.gz: 45fbd8510d45346efd45603d3b350b1034b556e3
5
5
  SHA512:
6
- metadata.gz: 9985ac508c0dd80e357e6b7885537b9682f0a7ea0d1b7cacf5d3b3730c22f243d3cf861f36dd6194571e1dd8b78c3e1e798ebb4df0e22410affd2ba6fb2cc773
7
- data.tar.gz: 588b14c3522b7283b13c1c481133c83c7fc50510abf73c74f0d87c2f8ae6d7cf995f3b023c8a066d0a19e75b974b948c211f251df13913ddf7f8f6d44d10ced2
6
+ metadata.gz: dca88327fc2206fe1f8067665815b535d9d2624ddcee0e4a4a4c6e03ffc276a0cc93a1a0b6177c8c73209abe099177abfe4aa888742345302391368fc3f34927
7
+ data.tar.gz: c6eb769c685cddc3c6195fb27f9b1d40d7cb547083e0d5932c9179986216a90c9bc8d91a642f38d07d79f0fa2f69799c356a3951c5d63ad727afee125e7920ef
data/README.md CHANGED
@@ -18,6 +18,7 @@ Or install it yourself as:
18
18
 
19
19
  ## Usage
20
20
 
21
+ require 'snort/rule'
21
22
  rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
22
23
 
23
24
  rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
@@ -29,8 +30,15 @@ Or install it yourself as:
29
30
  rule.src = '192.168.0.1'
30
31
  rule.dir = '<>'
31
32
  rule.dport = 53
32
- rule.opts['sid'] = 48
33
- rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
33
+ rule.options << Snort::RuleOption.new('sid', 48)
34
+ rule.options << Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')
35
+ rule.options << Snort::RuleOption.new('ref', 'ref1')
36
+ rule.options << Snort::RuleOption.new('ref', 'ref2')
37
+ rule.options.each do |opt|
38
+ puts opt
39
+ end
40
+ rule.options_hash["sid"] == 48
41
+ rule.options_hash["ref"] == "ref2"
34
42
 
35
43
  # if the rule is disabled, then it will begin with a #
36
44
  rule.to_s => "#pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
@@ -46,4 +54,6 @@ Or install it yourself as:
46
54
  4. Push to the branch (`git push origin my-new-feature`)
47
55
  5. Create new Pull Request
48
56
 
49
- Thanks so much for those who have already contributed.
57
+ Thanks so much for those who have already contributed.
58
+
59
+ <a href='mailto:github@chrislee[dot]dhs[dot]org[stop here]xxx'><img src='http://chrisleephd.us/images/github-email.png?snort-rule'></a>
@@ -7,6 +7,7 @@ def usage
7
7
  puts "Usage: #{$0} [-hE] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
8
8
  puts "-h This text."
9
9
  puts "-E Not enabled. i.e., commented out"
10
+ puts "-r <rule> full rule text for parsing and echoing back"
10
11
  puts "-a <action> alert, log, pass, ... : alert"
11
12
  puts "-p <protocol> ip, udp, tcp, ... : ip"
12
13
  puts "-s <srcip> dotted quad IP address : any"
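Review bot: The new `-r <rule>` help line is not reflected in the synopsis two lines above it, which still reads `Usage: #{$0} [-hE] [-a <action>] [-p <protocol>] ...` with no `-r`, so a user following the synopsis never learns the flag exists. Adding it there, `Usage: #{$0} [-hE] [-r <rule>] [-a <action>] ...`, keeps the two in step. The option parsing for `-r` is outside this hunk, so I cannot tell whether it overrides or combines with the per-field flags; the help text should say which, since "echoing back" suggests it replaces them. `usage` continues past the end of the hunk.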
@@ -11,7 +11,7 @@ module Snort
11
11
 
12
12
  # This class stores and generates the features of a snort rule
13
13
  class Rule
14
- attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport
14
+ attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport, :options_hash
15
15
  attr_reader :options
16
16
 
17
17
  # Initializes the Rule
@@ -39,6 +39,7 @@ module Snort
39
39
  @dst = kwargs[:dst] || 'any'
40
40
  @dport = kwargs[:dport] || 'any'
41
41
  @options = kwargs[:options] || []
42
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
42
43
  end
43
44
 
44
45
  # Output the current object into a snort rule
@@ -48,13 +49,28 @@ module Snort
48
49
  rule = "#"
49
50
  end
50
51
  rule += [@action, @proto, @src, @sport, @dir, @dst, @dport].join(" ") unless options_only
51
- if options.any?
52
+ if @options.any?
52
53
  rule += " (" unless options_only
53
- rule += options.join(' ')
54
+ rule += @options.join(' ')
54
55
  rule += ")" unless options_only
55
56
  end
56
57
  rule
57
58
  end
59
+
60
+ def add_option(option)
61
+ @options << option
62
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
63
+ end
64
+
65
+ def del_option(option)
66
+ @options.delete(option)
67
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
68
+ end
69
+
70
+ def clear_options()
71
+ @options = []
72
+ @options_hash = {}
73
+ end
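Review bot: `options_hash` can silently go stale: it is rebuilt only in the new `add_option`, `del_option` and `clear_options`, but `attr_reader :options` still hands out the live array, so `rule.options << opt` (the usage this release's README shows) leaves `options_hash` unchanged, and the public writer added with `attr_accessor ... :options_hash` lets a caller install a hash that disagrees with `@options`. Deriving it on demand removes the second source of truth: `def options_hash; Hash[@options.map { |x| [x.keyword, x.arguments] }]; end` in place of the accessor and the three recomputations. Note also that `Hash[...]` keeps only the last value of a repeated keyword, so options such as `content` or `reference` that legitimately appear several times in one rule collapse to a single entry; if that is the intended contract, a comment on the method saying so would spare readers a surprise. `Rule` and `Rule::parse` continue outside this hunk.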
58
74
 
59
75
  # Parse a snort rule to generate an object
60
76
  def Rule::parse(string)
@@ -78,6 +94,7 @@ module Snort
78
94
  rule.options << Snort::RuleOption.new(x)
79
95
  end
80
96
  end if optspart
97
+ rule.options_hash = Hash[rule.options.map {|x| [x.keyword, x.arguments]}]
81
98
  rule
82
99
  end
83
100
  end
@@ -11,10 +11,8 @@ module Snort
11
11
  end
12
12
 
13
13
  def to_s
14
- output = @keyword
15
- output << ":#{@arguments}" unless @arguments.empty?
16
- output << ';'
17
- output
14
+ return "#{@keyword};" if @arguments.empty?
15
+ "#{@keyword}:#{@arguments};"
18
16
  end
19
17
 
20
18
  def ==(other)
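Review bot: `@arguments.empty?` in the rewritten `to_s` assumes `@arguments` is a String, yet the README in this same release builds `Snort::RuleOption.new('sid', 48)` with an Integer, and `48.empty?` raises NoMethodError the first time such a rule is rendered. Unless the initializer (outside this hunk) coerces the value, `return "#{@keyword};" if @arguments.to_s.empty?` handles both cases. Separately, neither branch escapes the argument text, so a value containing `;` or `)` — for instance one taken straight from the CLI's `-o <key:value>` flag — may splice additional option syntax into the emitted rule; a comment on `to_s` stating that callers are responsible for the contents of `arguments` would make that contract explicit. The enclosing class and its initializer begin before the hunk.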
@@ -1,5 +1,5 @@
1
1
  module Snort
2
2
  class Rule
3
- VERSION = "1.1.1"
3
+ VERSION = "1.2.0"
4
4
  end
5
5
  end
@@ -1,3 +1,5 @@
1
+ # rake warned with suggestion to add gem 'minitest' ahead of require 'minitest/autorun'
2
+ gem 'minitest'
1
3
  require 'minitest/autorun'
2
4
  require 'minitest/pride'
3
5
  require File.expand_path('../../lib/snort/rule.rb', __FILE__)
@@ -36,5 +36,18 @@ class TestSnortRuleOption < Minitest::Test
36
36
  option2 = Snort::RuleOption.new('msg', '"OHAI"')
37
37
  assert_equal option1.hash, option2.hash
38
38
  end
39
+
40
+ def test_options_hash
41
+ strule = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test"; flow:to_server, established; content:"GET"; http_method; content:"/private.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNITED"; nocase; http_uri; content:"SELECTED"; nocase; http_uri; pcre:"/UNITED.+SELECTED/Ui"; reference:ref1; reference:ref2; reference:ref3; classtype:test-attack; sid:1234; rev:442;)'
42
+ rule = Snort::Rule.parse(strule)
43
+ assert_equal "\"test\"", rule.options_hash["msg"]
44
+ assert_equal "to_server, established", rule.options_hash["flow"]
45
+ assert rule.options_hash["http_method"]
46
+ assert rule.options_hash["http_method"].empty?
47
+ assert_equal "ref3", rule.options_hash["reference"]
48
+ assert rule.options_hash["nocase"]
49
+ assert rule.options_hash["nocase"].empty?
50
+ assert_nil rule.options_hash["xxxx"]
51
+ end
39
52
 
40
53
  end
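Review bot: `assert_equal "ref3", rule.options_hash["reference"]` pins that a repeated keyword keeps only its last value, which for this rule also means the four `content:` matches before `"SELECTED"` are absent from `options_hash`; if that lossy collapse is the intended contract, the test should say so, e.g. `# options_hash keeps only the last value of a repeated keyword; use rule.options for all of them`, and if it is not, the assertion is locking in a data-loss bug rather than catching it. Asserting the full list alongside it, `assert_equal 3, rule.options.count { |o| o.keyword == 'reference' }`, would document that nothing is lost from `options` itself. The `TestSnortRuleOption` class starts outside the hunk.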
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: snort-rule
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.1
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - chrislee35
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-10-05 00:00:00.000000000 Z
11
+ date: 2014-10-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler