snort-rule 1.3.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 29dd2030dcab15c7a79fe409f387f365833d6ef9
-  data.tar.gz: c000e78ab850620360e3cf169a6675081b43f067
+  metadata.gz: e2eabb911b41cd33e776dd69cc3f50ba807ccaf8
+  data.tar.gz: 7bfa5b2a310dc398d362991c6cecd7b1c72fb022
 SHA512:
-  metadata.gz: 719fa4d1026c38c683d06364c16c930be551c3dca3fe4b67493e23d6f33d52125a5d74bd9e05cb0b2528469792cac3e3cdcd70dcd0a29eb38b15d566879b5d27
-  data.tar.gz: 9158d07dc87858e5179bb6355f8b3e285645db5c65e14bf2e8f1ec6bf82a46ce669abe9c38cc59f7ddcc1f7a125bbe282b10f788d1ecb50f11ba38c905910f81
+  metadata.gz: dc95c1a7217f9d624cb887e53a7a1f8bcc0d710a617863f1d484259edec11423033005e4082547e823489bcd0fe4eb8d999dfce13236c6e566b59ca3d639095e
+  data.tar.gz: fb1d93af758a6485bf2ae7a39509f4c117325c0b15c7820d891301450dd9c23223f325437993fd6a1d49c4b2c1098ea8b1c3ec38bfab466f249da99a4ca0c036

data/.gitignore

@@ -14,4 +14,5 @@ rdoc
 spec/reports
 test/tmp
 test/version_tmp
+test/community-rules
 tmp

data/lib/snort/rule.rb

@@ -1,5 +1,6 @@
 require "snort/rule/version"
 require "snort/rule/option"
+require 'pp'
 # Generates and parses snort rules
 #
 # Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
@@ -85,17 +86,51 @@ module Snort
       @options = []
       @options_hash = {}
     end
+    
+    def get_option(option_name)
+      if @options_hash[option_name]
+        if @options_hash[option_name].length == 1
+          if @options_hash[option_name][0].arguments.length == 1
+            return @options_hash[option_name][0].arguments[0]
+          end
+        end
+      end
+      nil
+    end
+
+    def get_option_first(option_name)
+      if @options_hash[option_name]
+        if @options_hash[option_name].length > 0
+          if @options_hash[option_name][0].arguments.length > 0
+            return @options_hash[option_name][0].arguments[0]
+          end
+        end
+      end
+      nil
+    end
+    
+    def get_option_last(option_name)
+      if @options_hash[option_name]
+        if @options_hash[option_name].length > 0
+          if @options_hash[option_name].last.arguments.length > 0
+            return @options_hash[option_name].last.arguments[0]
+          end
+        end
+      end
+      nil
+    end
 
     # Parse a snort rule to generate an object
     def Rule::parse(string)
       rule = Snort::Rule.new
+      rulestr = string.strip
       # If the string begins with /^#+\s*/, then the rule is disabled.
       # If disabled, let's scrub the disabling substring from the string.
-      if string.index(/^#+\s+/)
+      if rulestr.index(/^#/)
         rule.enabled = false
-        string.gsub!(/^#+\s*/,'')
+        rulestr.gsub!(/^#+\s*/,'')
       end
-      rulepart, optspart = string.split(/\s*\(\s*/,2)
+      rulepart, optspart = rulestr.split(/\s*\(\s*/,2)
       rule.action, rule.proto, rule.src, rule.sport, rule.dir, rule.dst, rule.dport = rulepart.split(/\s+/)
       if not ['<>', '<-', '->'].index(rule.dir)
         # most likely, I have a parse error, maybe it's just a random comment

data/lib/snort/rule/version.rb

@@ -1,5 +1,5 @@
 module Snort
   class Rule
-    VERSION = "1.3.0"
+    VERSION = "1.4.1"
   end
 end

data/test/test_snort-community-rules.rb

@@ -0,0 +1,64 @@
+unless Kernel.respond_to?(:require_relative)
+  module Kernel
+    def require_relative(path)
+      require File.join(File.dirname(caller[0]), path.to_str)
+    end
+  end
+end
+
+require_relative 'helper'
+
+class TestSnortCommunityRules < Minitest::Test
+  def setup
+    destination = "test"
+    if not File.exist?("#{destination}/community-rules/community.rules")
+      require 'open-uri'
+      require 'zlib'
+      require 'rubygems/package'
+      require 'fileutils'
+      
+      url = "https://www.snort.org/downloads/community/community-rules.tar.gz"
+      puts "downloading #{url} to #{destination}/community-rules/community.rules"
+      tarfile = open(url)
+      
+      # un-gzips the given IO, returning the
+      # decompressed version as a StringIO
+      z = Zlib::GzipReader.new(tarfile)
+      unzipped = StringIO.new(z.read)
+      z.close
+      tarfile.close
+      Gem::Package::TarReader.new unzipped do |tar|
+        tar.each do |tarfile|
+          destination_file = File.join destination, tarfile.full_name
+          if tarfile.directory?
+            FileUtils.mkdir_p destination_file
+          else
+            destination_directory = File.dirname(destination_file)
+            FileUtils.mkdir_p destination_directory unless File.directory?(destination_directory)
+            File.open destination_file, "wb" do |f|
+              f.print tarfile.read
+            end
+          end
+        end 
+      end
+    end
+  end
+  
+  def test_complete_rules_file
+    rules = []
+    File.open("test/community-rules/community.rules").each_line do |line|
+      next unless line =~ /alert/
+      begin
+        rule = Snort::Rule.parse(line)
+        if rule
+          rules << rule
+        end
+      rescue ArgumentError => e
+      rescue NoMethodError => e
+      end
+    end
+    assert_equal 3127, rules.length
+    assert_equal 2522, rules.count{|r| ! r.enabled}
+    assert_equal 605, rules.count{|r| r.enabled}
+  end
+end

data/test/test_snort-rule.rb

@@ -25,8 +25,8 @@ class TestSnortRule < Minitest::Test
     rule.src = '192.168.0.1'
     rule.dir = '<>'
     rule.dport = 53
-    rule.options << Snort::RuleOption.new('sid', 48)
-    rule.options << Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')
+    rule.add_option(Snort::RuleOption.new('sid', 48))
+    rule.add_option(Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600'))
     assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
   end
 
@@ -39,18 +39,14 @@ class TestSnortRule < Minitest::Test
     rule.dir = '->'
     rule.dst = '$EXTERNAL_NET'
     rule.dport = '$HTTP_PORTS'
-    rule.options << Snort::RuleOption.new('msg', '"HTTP Host www.baddomain.com"')
-    rule.options << Snort::RuleOption.new('content', '"Host|3a|"')
-    rule.options << Snort::RuleOption.new('nocase')
-    rule.options << Snort::RuleOption.new('http_header')
-    rule.options << Snort::RuleOption.new('content', '"www.baddomain.com"')
-    rule.options << Snort::RuleOption.new('nocase')
-    rule.options << Snort::RuleOption.new('http_header')
-    rule.options << Snort::RuleOption.new('pcre', '"/^Host\\x3a(.*\\.|\\s*)www\\.baddomain\\.com\\s*$/mi"')
-    rule.options << Snort::RuleOption.new('flow', 'to_server,established')
-    rule.options << Snort::RuleOption.new('threshold', 'type limit, track by_src, count 1, seconds 300')
-    rule.options << Snort::RuleOption.new('classtype', 'bad-unknown')
-    rule.options << Snort::RuleOption.new('sid', '100000000')
+    rule.add_option(Snort::RuleOption.new('msg', '"HTTP Host www.baddomain.com"'))
+    rule.add_option(Snort::RuleOption.new('content', ['"Host|3a|"', 'nocase', 'http_header']))
+    rule.add_option(Snort::RuleOption.new('content', ['"www.baddomain.com"', 'nocase', 'http_header']))
+    rule.add_option(Snort::RuleOption.new('pcre', '"/^Host\\x3a(.*\\.|\\s*)www\\.baddomain\\.com\\s*$/mi"'))
+    rule.add_option(Snort::RuleOption.new('flow', 'to_server,established'))
+    rule.add_option(Snort::RuleOption.new('threshold', 'type limit, track by_src, count 1, seconds 300'))
+    rule.add_option(Snort::RuleOption.new('classtype', 'bad-unknown'))
+    rule.add_option(Snort::RuleOption.new('sid', '100000000'))
     assert_equal 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Host www.baddomain.com"; content:"Host|3a|"; nocase; http_header; content:"www.baddomain.com"; nocase; http_header; pcre:"/^Host\x3a(.*\.|\s*)www\.baddomain\.com\s*$/mi"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:bad-unknown; sid:100000000;)', rule.to_s
   end
 
@@ -63,33 +59,33 @@ class TestSnortRule < Minitest::Test
     rule.dir = '->'
     rule.dst = '$EXTERNAL_NET'
     rule.dport = '$HTTP_PORTS'
-    rule.options << Snort::RuleOption.new('msg', '"HTTP Host www.baddomain.com"')
-    rule.options << Snort::RuleOption.new('content', '"Host|3a|"')
-    rule.options << Snort::RuleOption.new('nocase')
-    rule.options << Snort::RuleOption.new('http_header')
-    rule.options << Snort::RuleOption.new('content', '"www.baddomain.com"')
-    rule.options << Snort::RuleOption.new('nocase')
-    rule.options << Snort::RuleOption.new('http_header')
-    rule.options << Snort::RuleOption.new('pcre', '"/^Host\\x3a(.*\\.|\\s*)www\\.baddomain\\.com\\s*$/mi"')
-    rule.options << Snort::RuleOption.new('flow', 'to_server,established')
-    rule.options << Snort::RuleOption.new('threshold', 'type limit, track by_src, count 1, seconds 300')
-    rule.options << Snort::RuleOption.new('classtype', 'bad-unknown')
-    rule.options << Snort::RuleOption.new('sid', '100000000')
+    rule.add_option(Snort::RuleOption.new('msg', '"HTTP Host www.baddomain.com"'))
+    rule.add_option(Snort::RuleOption.new('content', ['"Host|3a|"', 'nocase', 'http_header']))
+    rule.add_option(Snort::RuleOption.new('content', ['"www.baddomain.com"', 'nocase', 'http_header']))
+    rule.add_option(Snort::RuleOption.new('pcre', '"/^Host\\x3a(.*\\.|\\s*)www\\.baddomain\\.com\\s*$/mi"'))
+    rule.add_option(Snort::RuleOption.new('flow', 'to_server,established'))
+    rule.add_option(Snort::RuleOption.new('threshold', 'type limit, track by_src, count 1, seconds 300'))
+    rule.add_option(Snort::RuleOption.new('classtype', 'bad-unknown'))
+    rule.add_option(Snort::RuleOption.new('sid', '100000000'))
     assert_equal '#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Host www.baddomain.com"; content:"Host|3a|"; nocase; http_header; content:"www.baddomain.com"; nocase; http_header; pcre:"/^Host\x3a(.*\.|\s*)www\.baddomain\.com\s*$/mi"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; classtype:bad-unknown; sid:100000000;)', rule.to_s
+    assert_equal '100000000', rule.get_option('sid')
+    assert_nil rule.get_option('content')
+    assert_equal '"Host|3a|"', rule.get_option_first('content')
+    assert_equal '"www.baddomain.com"', rule.get_option_last('content')
   end
 
   def test_parse_an_existing_rule_and_generate_the_same_rule
-    rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
+    rule = Snort::Rule.parse("  pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
     assert_equal rule.to_s, "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
   end
 
   def test_parse_an_existing_disabled_rule_and_generate_the_same_rule
-    rule = Snort::Rule.parse("#pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
+    rule = Snort::Rule.parse("  #pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
     assert_equal rule.to_s, "#pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
   end
 
   def test_parse_a_disabled_rule_and_generate_the_normalized_disabled_rule
-    rule = Snort::Rule.parse("### pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
+    rule = Snort::Rule.parse("        ### pass udp 192.168.0.1 any <> any 53 (   sid:48;     threshold:type limit,track by_src,count 1,seconds 3600; )")
     assert_equal rule.to_s, "#pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600;)"
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.1
 platform: ruby
 authors:
 - chrislee35
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-05 00:00:00.000000000 Z
+date: 2014-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -86,6 +86,7 @@ files:
 - lib/snort/rule/version.rb
 - snort-rule.gemspec
 - test/helper.rb
+- test/test_snort-community-rules.rb
 - test/test_snort-rule.rb
 - test/test_snort_rule_option.rb
 homepage: http://github.com/chrislee35/snort-rule
@@ -114,5 +115,6 @@ specification_version: 4
 summary: Class for parsing and generating Snort Rules
 test_files:
 - test/helper.rb
+- test/test_snort-community-rules.rb
 - test/test_snort-rule.rb
 - test/test_snort_rule_option.rb