snort-rule 1.1.1 → 1.2.0

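--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 5769406b39c3f4e4d6f69f7e93dedb7480569ede
-data.tar.gz: 87099f070762d3fe352aa9394dc9ee7faf366265
+metadata.gz: 983c58cf46f3b4d8c65327fa4bedcc2e1edebe93
+data.tar.gz: 45fbd8510d45346efd45603d3b350b1034b556e3
 SHA512:
-metadata.gz: 9985ac508c0dd80e357e6b7885537b9682f0a7ea0d1b7cacf5d3b3730c22f243d3cf861f36dd6194571e1dd8b78c3e1e798ebb4df0e22410affd2ba6fb2cc773
-data.tar.gz: 588b14c3522b7283b13c1c481133c83c7fc50510abf73c74f0d87c2f8ae6d7cf995f3b023c8a066d0a19e75b974b948c211f251df13913ddf7f8f6d44d10ced2
+metadata.gz: dca88327fc2206fe1f8067665815b535d9d2624ddcee0e4a4a4c6e03ffc276a0cc93a1a0b6177c8c73209abe099177abfe4aa888742345302391368fc3f34927
+data.tar.gz: c6eb769c685cddc3c6195fb27f9b1d40d7cb547083e0d5932c9179986216a90c9bc8d91a642f38d07d79f0fa2f69799c356a3951c5d63ad727afee125e7920ef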
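--- a/data/README.md
+++ b/data/README.md
@@ -18,6 +18,7 @@ Or install it yourself as:
 
 ## Usage
 
+require 'snort/rule'
 rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
 
 rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
@@ -29,8 +30,15 @@ Or install it yourself as:
 rule.src = '192.168.0.1'
 rule.dir = '<>'
 rule.dport = 53
-rule.opts['sid'] = 48
-rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
+rule.options << Snort::RuleOption.new('sid', 48)
+rule.options << Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')
+rule.options << Snort::RuleOption.new('ref', 'ref1')
+rule.options << Snort::RuleOption.new('ref', 'ref2')
+rule.options.each do |opt|
+puts opt
+end
+rule.options_hash["sid"] == 48
+rule.options_hash["ref"] == "ref2"
 
 # if the rule is disabled, then it will begin with a #
 rule.to_s => "#pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
@@ -46,4 +54,6 @@ Or install it yourself as:
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create new Pull Request
 
-Thanks so much for those who have already contributed.
+Thanks so much for those who have already contributed.
+
+<a href='mailto:github@chrislee[dot]dhs[dot]org[stop here]xxx'><img src='http://chrisleephd.us/images/github-email.png?snort-rule'></a>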
@@ -7,6 +7,7 @@ def usage
7
7
  puts "Usage: #{$0} [-hE] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"
8
8
  puts "-h This text."
9
9
  puts "-E Not enabled. i.e., commented out"
10
+ puts "-r <rule> full rule text for parsing and echoing back"
10
11
  puts "-a <action> alert, log, pass, ... : alert"
11
12
  puts "-p <protocol> ip, udp, tcp, ... : ip"
12
13
  puts "-s <srcip> dotted quad IP address : any"
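Review bot: The synopsis line kept at the top of this hunk still reads `[-hE] [-a <action>] [-p <protocol>] ...`, so the new `-r <rule>` flag appears in the per-flag list but not in the one-line usage; update it to `puts "Usage: #{$0} [-hE] [-r <rule>] [-a <action>] [-p <protocol>] [-s <srcip>] [-x <srcport>] [-w <direction>] [-d <dstip>] [-c <dstport>] [-o <key:value>] [-o <key:value> ...]"`. The body of `usage` continues outside the hunk, as does the option parsing that presumably accepts `-r`, which is not visible here.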
@@ -11,7 +11,7 @@ module Snort
11
11
 
12
12
  # This class stores and generates the features of a snort rule
13
13
  class Rule
14
- attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport
14
+ attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport, :options_hash
15
15
  attr_reader :options
16
16
 
17
17
  # Initializes the Rule
@@ -39,6 +39,7 @@ module Snort
39
39
  @dst = kwargs[:dst] || 'any'
40
40
  @dport = kwargs[:dport] || 'any'
41
41
  @options = kwargs[:options] || []
42
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
42
43
  end
43
44
 
44
45
  # Output the current object into a snort rule
@@ -48,13 +49,28 @@ module Snort
48
49
  rule = "#"
49
50
  end
50
51
  rule += [@action, @proto, @src, @sport, @dir, @dst, @dport].join(" ") unless options_only
51
- if options.any?
52
+ if @options.any?
52
53
  rule += " (" unless options_only
53
- rule += options.join(' ')
54
+ rule += @options.join(' ')
54
55
  rule += ")" unless options_only
55
56
  end
56
57
  rule
57
58
  end
59
+
60
+ def add_option(option)
61
+ @options << option
62
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
63
+ end
64
+
65
+ def del_option(option)
66
+ @options.delete(option)
67
+ @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
68
+ end
69
+
70
+ def clear_options()
71
+ @options = []
72
+ @options_hash = {}
73
+ end
58
74
 
59
75
  # Parse a snort rule to generate an object
60
76
  def Rule::parse(string)
@@ -78,6 +94,7 @@ module Snort
78
94
  rule.options << Snort::RuleOption.new(x)
79
95
  end
80
96
  end if optspart
97
+ rule.options_hash = Hash[rule.options.map {|x| [x.keyword, x.arguments]}]
81
98
  rule
82
99
  end
83
100
  end
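Review bot: `options_hash` is a cached copy that goes stale whenever `@options` is modified through the `attr_reader :options` array, which `Rule.parse` itself does (`rule.options << ...` followed by a hand-written recompute) and which the README example in this same commit does without any recompute, so `rule.options_hash["sid"]` there would be nil rather than 48. Since the identical `Hash[@options.map {|x| [x.keyword, x.arguments]}]` expression now appears in `initialize`, `add_option`, `del_option` and `parse`, it would be simpler and always consistent to derive it on read, `def options_hash; Hash[@options.map {|x| [x.keyword, x.arguments]}]; end`, dropping `:options_hash` from `attr_accessor` and the four assignments. Whichever form is kept, a comment on the accessor should state that when a keyword repeats (several `reference` or `content` options in one rule) only the last value survives in the hash, which is the behaviour the new test pins. The `Rule` class and `parse` continue outside these hunks.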
@@ -11,10 +11,8 @@ module Snort
11
11
  end
12
12
 
13
13
  def to_s
14
- output = @keyword
15
- output << ":#{@arguments}" unless @arguments.empty?
16
- output << ';'
17
- output
14
+ return "#{@keyword};" if @arguments.empty?
15
+ "#{@keyword}:#{@arguments};"
18
16
  end
19
17
 
20
18
  def ==(other)
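Review bot: The rewritten `to_s` still calls `@arguments.empty?` on the first new line, which raises NoMethodError when the argument is not a String — the README in this same commit constructs `Snort::RuleOption.new('sid', 48)` with an Integer, so this path is reachable by documented usage. Unless the constructor (outside this hunk) coerces `arguments` to a String, guard with `return "#{@keyword};" if @arguments.nil? || @arguments.to_s.empty?`, which keeps the interpolation on the next line unchanged. A short comment such as `# return a fresh string; @keyword must not be mutated` would also record why the `<<` form was dropped, so it is not reintroduced. `==` below continues outside the hunk.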
@@ -1,5 +1,5 @@
1
1
  module Snort
2
2
  class Rule
3
- VERSION = "1.1.1"
3
+ VERSION = "1.2.0"
4
4
  end
5
5
  end
@@ -1,3 +1,5 @@
1
+ # rake warned with suggestion to add gem 'minitest' ahead of require 'minitest/autorun'
2
+ gem 'minitest'
1
3
  require 'minitest/autorun'
2
4
  require 'minitest/pride'
3
5
  require File.expand_path('../../lib/snort/rule.rb', __FILE__)
@@ -36,5 +36,18 @@ class TestSnortRuleOption < Minitest::Test
36
36
  option2 = Snort::RuleOption.new('msg', '"OHAI"')
37
37
  assert_equal option1.hash, option2.hash
38
38
  end
39
+
40
+ def test_options_hash
41
+ strule = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test"; flow:to_server, established; content:"GET"; http_method; content:"/private.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNITED"; nocase; http_uri; content:"SELECTED"; nocase; http_uri; pcre:"/UNITED.+SELECTED/Ui"; reference:ref1; reference:ref2; reference:ref3; classtype:test-attack; sid:1234; rev:442;)'
42
+ rule = Snort::Rule.parse(strule)
43
+ assert_equal "\"test\"", rule.options_hash["msg"]
44
+ assert_equal "to_server, established", rule.options_hash["flow"]
45
+ assert rule.options_hash["http_method"]
46
+ assert rule.options_hash["http_method"].empty?
47
+ assert_equal "ref3", rule.options_hash["reference"]
48
+ assert rule.options_hash["nocase"]
49
+ assert rule.options_hash["nocase"].empty?
50
+ assert_nil rule.options_hash["xxxx"]
51
+ end
39
52
 
40
53
  end
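Review bot: `test_options_hash` exercises `options_hash` only through `Rule.parse`; the `add_option`, `del_option` and `clear_options` paths added in this release, and the `rule.options << ...` path the README shows, are not asserted, and those are exactly where a cached hash is most likely to drift from `@options`. A second case that builds a rule with `Snort::Rule.new`, calls `add_option(Snort::RuleOption.new('sid', '48'))`, checks `options_hash['sid']`, then calls `del_option` with the same option and `assert_nil`s the key would pin that contract. `assert_equal "ref3", rule.options_hash["reference"]` intentionally fixes last-wins collapsing of repeated keywords; a one-line comment saying so would stop a future reader from treating it as a typo. The enclosing test class starts outside the hunk.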
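--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-version: 1.1.1
+version: 1.2.0
 platform: ruby
 authors:
 - chrislee35
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-10-05 00:00:00.000000000 Z
+date: 2014-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler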