snort-rule 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 983c58cf46f3b4d8c65327fa4bedcc2e1edebe93
-  data.tar.gz: 45fbd8510d45346efd45603d3b350b1034b556e3
+  metadata.gz: 29dd2030dcab15c7a79fe409f387f365833d6ef9
+  data.tar.gz: c000e78ab850620360e3cf169a6675081b43f067
 SHA512:
-  metadata.gz: dca88327fc2206fe1f8067665815b535d9d2624ddcee0e4a4a4c6e03ffc276a0cc93a1a0b6177c8c73209abe099177abfe4aa888742345302391368fc3f34927
-  data.tar.gz: c6eb769c685cddc3c6195fb27f9b1d40d7cb547083e0d5932c9179986216a90c9bc8d91a642f38d07d79f0fa2f69799c356a3951c5d63ad727afee125e7920ef
+  metadata.gz: 719fa4d1026c38c683d06364c16c930be551c3dca3fe4b67493e23d6f33d52125a5d74bd9e05cb0b2528469792cac3e3cdcd70dcd0a29eb38b15d566879b5d27
+  data.tar.gz: 9158d07dc87858e5179bb6355f8b3e285645db5c65e14bf2e8f1ec6bf82a46ce669abe9c38cc59f7ddcc1f7a125bbe282b10f788d1ecb50f11ba38c905910f81

data/README.md

@@ -19,9 +19,9 @@ Or install it yourself as:
 ## Usage
 
 	require 'snort/rule'
-	rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :opts => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
+	rule = Snort::Rule.new({:enabled => true, :action => 'pass', :proto => 'udp', :src => '192.168.0.1', :sport => 'any', :dir => '<>', :dst => 'any', :dport => 53, :options => {'sid' => 48, 'threshold' => 'type limit,track by_src,count 1,seconds 3600' }})
 
-	rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	rule.to_s # => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
 
 	rule = Snort::Rule.new
 	rule.enabled = false
@@ -30,21 +30,22 @@ Or install it yourself as:
 	rule.src = '192.168.0.1'
 	rule.dir = '<>'
 	rule.dport = 53
-	rule.options << Snort::RuleOption.new('sid', 48)
-	rule.options << Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')
-	rule.options << Snort::RuleOption.new('ref', 'ref1')
-	rule.options << Snort::RuleOption.new('ref', 'ref2')
+	rule.add_option(Snort::RuleOption.new('sid', 48))
+	rule.add_option(Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600'))
+	rule.add_option(Snort::RuleOption.new('ref', 'ref1'))
+	rule.add_option(Snort::RuleOption.new('ref', ['ref2', 'nocase']))
 	rule.options.each do |opt|
 		puts opt
 	end
-	rule.options_hash["sid"] == 48
-	rule.options_hash["ref"] == "ref2"
+	rule.options_hash["sid"][0].arguments[0] # => 48
+	rule.options_hash["ref"][1].arguments[0] # => "ref2"
+	rule.options_hash["ref"][1].arguments[1] # => "nocase"
 
 	# if the rule is disabled, then it will begin with a #
-	rule.to_s => "#pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	rule.to_s # => #pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600; sid:48; threshold:type limit,track by_src,count 1,seconds 3600; ref:ref1; ref:ref2; nocase;)"
 
-	rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )")
-	rule.to_s => "pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600; )"
+	rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600;  ref:ref1; ref:ref2;)")
+	rule.to_s # => "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600; ref:ref1; ref:ref2;)"
 
 ## Contributing
 

data/lib/snort/rule.rb

@@ -5,6 +5,7 @@ require "snort/rule/option"
 # Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
 #             Will Green (will[ at ]hotgazpacho[ dot ]org),
 #             Justin Knox (jknox[ at ]indexzero[ dot ]org)
+#             Ryan Barnett (rbarnett[ at ]modsecurity[ dot ]org)
 # Copyright:: Copyright (c) 2011 Chris Lee
 # License::   Distributes under the same terms as Ruby
 module Snort
@@ -13,7 +14,7 @@ module Snort
   class Rule
     attr_accessor :enabled, :action, :proto, :src, :sport, :dir, :dst, :dport, :options_hash
     attr_reader :options
-
+    
     # Initializes the Rule
     # @param [Hash] kwargs The options to initialize the Rule with
     # @option kwargs [String] :enabled true or false
@@ -38,8 +39,13 @@ module Snort
       @dir = kwargs[:dir] || '->'
       @dst = kwargs[:dst] || 'any'
       @dport = kwargs[:dport] || 'any'
-      @options = kwargs[:options] || []
-      @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
+      @options = []
+      @options_hash = {}
+      if kwargs[:options]
+        kwargs[:options].each do |opt|
+          add_option(opt)
+        end
+      end
     end
 
     # Output the current object into a snort rule
@@ -58,13 +64,21 @@ module Snort
     end
     
     def add_option(option)
+      if option.class == Array
+        option = Snort::RuleOption.new(option[0], option[1,100])
+      end
       @options << option
-      @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
+      unless @options_hash[option.keyword]
+        @options_hash[option.keyword] = []
+      end
+      @options_hash[option.keyword] << option
     end
     
     def del_option(option)
       @options.delete(option)
-      @options_hash = Hash[@options.map {|x| [x.keyword, x.arguments]}]
+      if @options_hash[option.keyword]
+        @options_hash[option.keyword].delete(option)
+      end
     end
     
     def clear_options()
@@ -89,12 +103,17 @@ module Snort
       end
       optspart.gsub(/;\s*\).*$/,'').split(/\s*;\s*/).each do |x|
         if x =~ /(.*?):(.*)/
-          rule.options << Snort::RuleOption.new(*x.split(/:/,2))
+          k, v = x.split(/:/, 2)
+          opt = Snort::RuleOption.new(k, v)
+          rule.options << opt
+          unless rule.options_hash[k]
+            rule.options_hash[k] = []
+          end
+          rule.options_hash[k] << opt
         else
-          rule.options << Snort::RuleOption.new(x)
+          rule.options.last.arguments << x
         end
       end if optspart
-      rule.options_hash = Hash[rule.options.map {|x| [x.keyword, x.arguments]}]
       rule
     end
   end

data/lib/snort/rule/option.rb

@@ -7,12 +7,24 @@ module Snort
     # @param [String] arguments
     def initialize(keyword, arguments=nil)
       @keyword = keyword.to_s
-      @arguments = arguments.to_s
+      if arguments == nil
+        @arguments = []
+      elsif arguments.class == String or arguments.class == Fixnum
+        @arguments = [arguments]
+      elsif arguments.class == Array
+        @arguments = arguments
+      else
+        raise "I don't know what to do with an argument of class #{arguments.class}"
+      end
+    end
+    
+    def add_argument(argument)
+      @arguments << argument
     end
 
     def to_s
-      return "#{@keyword};" if @arguments.empty?
-      "#{@keyword}:#{@arguments};"
+      return "#{@keyword};" if @arguments.length == 0
+      "#{@keyword}:#{@arguments.join("; ")};"
     end
 
     def ==(other)

data/lib/snort/rule/version.rb

@@ -1,5 +1,5 @@
 module Snort
   class Rule
-    VERSION = "1.2.0"
+    VERSION = "1.3.0"
   end
 end

data/test/test_snort_rule_option.rb

@@ -38,15 +38,24 @@ class TestSnortRuleOption < Minitest::Test
   end
   
   def test_options_hash
-    strule = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test"; flow:to_server, established; content:"GET"; http_method; content:"/private.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNITED"; nocase; http_uri; content:"SELECTED"; nocase; http_uri; pcre:"/UNITED.+SELECTED/Ui"; reference:ref1; reference:ref2; reference:ref3; classtype:test-attack; sid:1234; rev:442;)'
+    strule = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test"; ' +
+      'flow:to_server, established; '+
+      'content:"GET"; http_method; ' +
+      'content:"/private.php?"; nocase; http_uri; ' +
+      'content:"id="; nocase; http_uri; ' +
+      'content:"UNITED"; nocase; http_uri; ' +
+      'content:"SELECTED"; nocase; http_uri; ' +
+      'pcre:"/UNITED.+SELECTED/Ui"; ' +
+      'reference:ref1; reference:ref2; reference:ref3; ' +
+      'classtype:test-attack; sid:1234; rev:442;)'
     rule = Snort::Rule.parse(strule)
-    assert_equal "\"test\"", rule.options_hash["msg"]
-    assert_equal "to_server, established", rule.options_hash["flow"]
-    assert rule.options_hash["http_method"]
-    assert rule.options_hash["http_method"].empty?
-    assert_equal "ref3", rule.options_hash["reference"]
-    assert rule.options_hash["nocase"]
-    assert rule.options_hash["nocase"].empty?
+    assert_equal ["\"test\""], rule.options_hash["msg"][0].arguments
+    assert_equal ["to_server, established"], rule.options_hash["flow"][0].arguments
+    assert rule.options_hash["content"]
+    assert_equal 5, rule.options_hash["content"].length
+    assert_equal ['"/private.php?"', 'nocase', 'http_uri'], rule.options_hash["content"][1].arguments
+    assert_equal 3, rule.options_hash["reference"].length
+    assert_equal ["ref3"], rule.options_hash["reference"][2].arguments
     assert_nil rule.options_hash["xxxx"]
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - chrislee35
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-25 00:00:00.000000000 Z
+date: 2014-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler