snort-rule 1.4.1 → 1.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2eabb911b41cd33e776dd69cc3f50ba807ccaf8
-  data.tar.gz: 7bfa5b2a310dc398d362991c6cecd7b1c72fb022
+  metadata.gz: b475f0c004d1ff722c739e102fc44b8de4ae57b0
+  data.tar.gz: 16ceb5394563f2d3c6cbde7ed83c7e5a733cfbaf
 SHA512:
-  metadata.gz: dc95c1a7217f9d624cb887e53a7a1f8bcc0d710a617863f1d484259edec11423033005e4082547e823489bcd0fe4eb8d999dfce13236c6e566b59ca3d639095e
-  data.tar.gz: fb1d93af758a6485bf2ae7a39509f4c117325c0b15c7820d891301450dd9c23223f325437993fd6a1d49c4b2c1098ea8b1c3ec38bfab466f249da99a4ca0c036
+  metadata.gz: d3d74558797835687eb71aa1cb662a89f3d634e063c977bfc9829fc1a28e378e6060b13b281de97069decfe3632e427d2be215d65e3694899d103817fbe70cde
+  data.tar.gz: e9a47d83b028989f5cb91900acad0fb10f162984b9e44fd6c5f3139885719cf358b53e4a97b0a993937e6314944d790bd362576f01d963e794b776e7154cc322

data/README.md

@@ -47,6 +47,48 @@ Or install it yourself as:
 	rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600;  ref:ref1; ref:ref2;)")
 	rule.to_s # => "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600; ref:ref1; ref:ref2;)"
 
+## Snort::RuleSet Usage
+
+	require 'snort/ruleset'
+	ruleset = Snort::RuleSet::from_file("community.rules")
+	ruleset.length # => 3127
+    rules.length
+    rules.count{|r| ! r.enabled} # => 2522
+    rules.count{|r| r.enabled} # => 605
+    rules.disable_all
+    rules.count{|r| r.enabled} # => 0
+    rules.count{|r| ! r.enabled} # => 3127
+    rules.enable_all
+    rules.count{|r| r.enabled} # => 3127
+    rules.count{|r| ! r.enabled} # => 0
+    rules.disable do |r|
+      r.get_option_first("msg").match(/^"MALWARE\-CNC/)
+    end
+    rules.count{|r| ! r.enabled} # => 392
+    rules.count{|r| r.enabled} # => 2735
+    rules.delete do |r|
+      options = r.get_options("content")
+      if options
+        options.find { |o|
+          o.arguments.find { |a|
+            a.match(/"POST"/)
+          }
+        }
+      else
+        nil
+      end
+    end
+    rules.count{|r| ! r.enabled} # => 343
+    rules.count{|r| r.enabled} # 2726
+    rules.delete_all
+	rules.length # => 0
+    rules.count{|r| r.enabled} # => 0
+    rules.count{|r| ! r.enabled} # => 0
+	
+	ruleset = Snort::RuleSet::from_file("community.rules")
+	ruleset.to_file("new_community.rules")
+		
+
 ## Contributing
 
 1. Fork it

data/lib/snort/rule.rb

@@ -1,6 +1,5 @@
 require "snort/rule/version"
 require "snort/rule/option"
-require 'pp'
 # Generates and parses snort rules
 #
 # Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
@@ -10,6 +9,22 @@ require 'pp'
 # Copyright:: Copyright (c) 2011 Chris Lee
 # License::   Distributes under the same terms as Ruby
 module Snort
+  
+  class Comment
+    def initialize(comment)
+      @comment = comment
+    end
+    
+    def to_s
+      @comment
+    end
+    
+    def enable
+    end
+    
+    def disable
+    end
+  end
 
   # This class stores and generates the features of a snort rule
   class Rule
@@ -64,6 +79,14 @@ module Snort
       rule
     end
     
+    def enable
+      @enabled = true
+    end
+    
+    def disable
+      @enabled = false
+    end
+    
     def add_option(option)
       if option.class == Array
         option = Snort::RuleOption.new(option[0], option[1,100])
@@ -97,6 +120,10 @@ module Snort
       end
       nil
     end
+    
+    def get_options(option_name)
+      @options_hash[option_name]
+    end
 
     def get_option_first(option_name)
       if @options_hash[option_name]

data/lib/snort/rule/version.rb

@@ -1,5 +1,5 @@
 module Snort
   class Rule
-    VERSION = "1.4.1"
+    VERSION = "1.5.2"
   end
 end

data/lib/snort/ruleset.rb

@@ -0,0 +1,165 @@
+require "snort/rule/version"
+require "open-uri"
+
+# Generates and parses snort rules
+#
+# Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
+#             Will Green (will[ at ]hotgazpacho[ dot ]org),
+#             Justin Knox (jknox[ at ]indexzero[ dot ]org)
+#             Ryan Barnett (rbarnett[ at ]modsecurity[ dot ]org)
+# Copyright:: Copyright (c) 2011 Chris Lee
+# License::   Distributes under the same terms as Ruby
+module Snort
+  # This class stores a set of rules and allows actions against them
+  class RuleSet
+    
+    def RuleSet::from_file(file)
+      if file.class == File
+        fh = file
+      else
+        fh = open(file.to_s, 'r')
+      end
+      RuleSet::from_filehandle(fh)
+    end
+    
+    def RuleSet::from_url(url)
+      RuleSet::from_file(url)
+    end
+    
+    def RuleSet::from_filehandle(fh)
+      rules = RuleSet.new
+      fh.each_line do |line|
+        if line =~ /(alert|drop|pass|reject|activate|dynamic|activate|sdrop)/
+          begin
+            rule = Snort::Rule.parse(line)
+            if rule
+              rules << rule
+            else
+              rules << Snort::Comment.new(line.strip)
+            end
+          rescue ArgumentError => e
+          rescue NoMethodError => e
+          end
+        else
+          rules << Snort::Comment.new(line.strip)
+        end
+      end
+      rules
+    end
+    
+    def to_filehandle(fh)
+      @ruleset.each do |rule|
+        fh.puts rule.to_s
+      end
+    end
+    
+    def to_file(file)
+      i_opened_it = false
+      if file.class == File
+        fh = file
+      else
+        i_opened_it = true
+        fh = open(file.to_s, 'w')
+      end
+      to_filehandle(fh)
+      if i_opened_it
+        fh.close
+      end
+    end
+    
+    def initialize(ruleset=[])
+      @ruleset = ruleset
+    end
+    
+    def <<(rule)
+      @ruleset << rule
+    end
+    
+    def -(rule)
+      @ruleset -= rule
+    end
+    
+    def length
+      @ruleset.find_all {|r| r.class == Snort::Rule}.length
+    end
+    
+    def count(&block)
+      @ruleset.find_all {|r| r.class == Snort::Rule}.count(&block)
+    end
+    
+    def enable(&block)
+      count = 0
+      @ruleset.find_all {|r| r.class == Snort::Rule}.each do |rule|
+        if block.call(rule)
+          rule.enable
+          count += 1
+        end
+      end
+      count
+    end
+    
+    def disable(&block)
+      count = 0
+      @ruleset.find_all {|r| r.class == Snort::Rule}.each do |rule|
+        if block.call(rule)
+          rule.disable
+          count += 1
+        end
+      end
+      count
+    end
+    
+    def delete(&block)
+      len = @ruleset.length
+      @ruleset.each do |rule|
+        next if rule.class == Snort::Comment
+        if block.call(rule)
+          @ruleset -= [rule]
+        end
+      end
+      len - @ruleset.length
+    end
+    
+    def enable_all
+      enable do |r|
+        true
+      end
+    end
+    
+    def disable_all
+      disable do |r|
+        true
+      end
+    end
+    
+    def delete_all
+      delete do |r|
+        true
+      end
+    end
+
+    def enable_by_name(name)
+      enable do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+    
+    def disable_by_name(name)
+      disable do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+    
+    def delete_by_name(name)
+      delete do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+  end
+end

data/test/helper.rb

@@ -3,3 +3,4 @@ gem 'minitest'
 require 'minitest/autorun'
 require 'minitest/pride'
 require File.expand_path('../../lib/snort/rule.rb', __FILE__)
+require File.expand_path('../../lib/snort/ruleset.rb', __FILE__)

data/test/test_snort-community-rules.rb

@@ -7,6 +7,7 @@ unless Kernel.respond_to?(:require_relative)
 end
 
 require_relative 'helper'
+require 'pp'
 
 class TestSnortCommunityRules < Minitest::Test
   def setup
@@ -45,20 +46,69 @@ class TestSnortCommunityRules < Minitest::Test
   end
   
   def test_complete_rules_file
-    rules = []
-    File.open("test/community-rules/community.rules").each_line do |line|
-      next unless line =~ /alert/
-      begin
-        rule = Snort::Rule.parse(line)
-        if rule
-          rules << rule
-        end
-      rescue ArgumentError => e
-      rescue NoMethodError => e
+    rules = Snort::RuleSet::from_file("test/community-rules/community.rules")
+    assert_equal 3127, rules.length
+    assert_equal 2522, rules.count{|r| ! r.enabled}
+    assert_equal 605, rules.count{|r| r.enabled}
+    rules.disable_all
+    assert_equal 0, rules.count{|r| r.enabled}
+    assert_equal 3127, rules.count{|r| ! r.enabled}
+    rules.enable_all
+    assert_equal 3127, rules.count{|r| r.enabled}
+    assert_equal 0, rules.count{|r| ! r.enabled}
+    rules.disable do |r|
+      r.get_option_first("msg").match(/^"MALWARE\-CNC/)
+    end
+    assert_equal 392, rules.count{|r| ! r.enabled}
+    assert_equal 2735, rules.count{|r| r.enabled}
+    rules.delete do |r|
+      options = r.get_options("content")
+      if options
+        options.find { |o|
+          o.arguments.find { |a|
+            a.match(/"POST"/)
+          }
+        }
+      else
+        nil
       end
     end
+    assert_equal 343, rules.count{|r| ! r.enabled}
+    assert_equal 2726, rules.count{|r| r.enabled}
+    rules.delete_all
+    assert_equal 0, rules.length
+    assert_equal 0, rules.count{|r| r.enabled}
+    assert_equal 0, rules.count{|r| ! r.enabled}    
+  end
+  
+  # def test_ruleset_load_from_url
+  #   rules = Snort::RuleSet::from_file("http://test.com/community.rules")
+  #   assert_equal 3127, rules.length
+  #   assert_equal 2522, rules.count{|r| ! r.enabled}
+  #   assert_equal 605, rules.count{|r| r.enabled}
+  # end
+  
+  def test_writing_file
+    rules = Snort::RuleSet::from_file("test/community-rules/community.rules")
     assert_equal 3127, rules.length
     assert_equal 2522, rules.count{|r| ! r.enabled}
     assert_equal 605, rules.count{|r| r.enabled}
+    rules.to_file("test/community-rules/community.rules.test")
+    assert File.exist?("test/community-rules/community.rules.test")
+    total = enabled = disabled = 0
+    open("test/community-rules/community.rules.test", 'r').each_line do |l|
+      if l =~ /^(#)?\s*(alert|drop|pass|reject|activate|dynamic|activate|sdrop)/
+        total += 1
+        if l =~ /^#/
+          disabled += 1
+        else
+          enabled += 1
+        end
+      end
+    end
+    assert_equal 3127, total
+    assert_equal 2522, disabled
+    assert_equal 605, enabled
   end
+    
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.5.2
 platform: ruby
 authors:
 - chrislee35
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-22 00:00:00.000000000 Z
+date: 2014-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -84,6 +84,7 @@ files:
 - lib/snort/rule.rb
 - lib/snort/rule/option.rb
 - lib/snort/rule/version.rb
+- lib/snort/ruleset.rb
 - snort-rule.gemspec
 - test/helper.rb
 - test/test_snort-community-rules.rb