RubyGems - snort-rule - Versions diffs - 1.4.1 → 1.5.2 - Mend

snort-rule 1.4.1 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +42 -0
data/lib/snort/rule.rb +28 -1
data/lib/snort/rule/version.rb +1 -1
data/lib/snort/ruleset.rb +165 -0
data/test/helper.rb +1 -0
data/test/test_snort-community-rules.rb +60 -10
metadata +3 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2eabb911b41cd33e776dd69cc3f50ba807ccaf8
-  data.tar.gz: 7bfa5b2a310dc398d362991c6cecd7b1c72fb022
+  metadata.gz: b475f0c004d1ff722c739e102fc44b8de4ae57b0
+  data.tar.gz: 16ceb5394563f2d3c6cbde7ed83c7e5a733cfbaf
 SHA512:
-  metadata.gz: dc95c1a7217f9d624cb887e53a7a1f8bcc0d710a617863f1d484259edec11423033005e4082547e823489bcd0fe4eb8d999dfce13236c6e566b59ca3d639095e
-  data.tar.gz: fb1d93af758a6485bf2ae7a39509f4c117325c0b15c7820d891301450dd9c23223f325437993fd6a1d49c4b2c1098ea8b1c3ec38bfab466f249da99a4ca0c036
+  metadata.gz: d3d74558797835687eb71aa1cb662a89f3d634e063c977bfc9829fc1a28e378e6060b13b281de97069decfe3632e427d2be215d65e3694899d103817fbe70cde
+  data.tar.gz: e9a47d83b028989f5cb91900acad0fb10f162984b9e44fd6c5f3139885719cf358b53e4a97b0a993937e6314944d790bd362576f01d963e794b776e7154cc322

data/README.md CHANGED

@@ -47,6 +47,48 @@ Or install it yourself as:
 	rule = Snort::Rule.parse("pass udp 192.168.0.1 any <> any 53 ( sid:48; threshold:type limit,track by_src,count 1,seconds 3600;  ref:ref1; ref:ref2;)")
 	rule.to_s # => "pass udp 192.168.0.1 any <> any 53 (sid:48; threshold:type limit,track by_src,count 1,seconds 3600; ref:ref1; ref:ref2;)"
+## Snort::RuleSet Usage
+	require 'snort/ruleset'
+	ruleset = Snort::RuleSet::from_file("community.rules")
+	ruleset.length # => 3127
+    rules.length
+    rules.count{|r| ! r.enabled} # => 2522
+    rules.count{|r| r.enabled} # => 605
+    rules.disable_all
+    rules.count{|r| r.enabled} # => 0
+    rules.count{|r| ! r.enabled} # => 3127
+    rules.enable_all
+    rules.count{|r| r.enabled} # => 3127
+    rules.count{|r| ! r.enabled} # => 0
+    rules.disable do |r|
+      r.get_option_first("msg").match(/^"MALWARE\-CNC/)
+    end
+    rules.count{|r| ! r.enabled} # => 392
+    rules.count{|r| r.enabled} # => 2735
+    rules.delete do |r|
+      options = r.get_options("content")
+      if options
+        options.find { |o|
+          o.arguments.find { |a|
+            a.match(/"POST"/)
+          }
+        }
+      else
+        nil
+      end
+    end
+    rules.count{|r| ! r.enabled} # => 343
+    rules.count{|r| r.enabled} # 2726
+    rules.delete_all
+	rules.length # => 0
+    rules.count{|r| r.enabled} # => 0
+    rules.count{|r| ! r.enabled} # => 0
+	ruleset = Snort::RuleSet::from_file("community.rules")
+	ruleset.to_file("new_community.rules")
 ## Contributing
 1. Fork it

data/lib/snort/rule.rb CHANGED

@@ -1,6 +1,5 @@
 require "snort/rule/version"
 require "snort/rule/option"
-require 'pp'
 # Generates and parses snort rules
 #
 # Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
@@ -10,6 +9,22 @@ require 'pp'
 # Copyright:: Copyright (c) 2011 Chris Lee
 # License::   Distributes under the same terms as Ruby
 module Snort
+  class Comment
+    def initialize(comment)
+      @comment = comment
+    end
+    def to_s
+      @comment
+    end
+    def enable
+    end
+    def disable
+    end
+  end
   # This class stores and generates the features of a snort rule
   class Rule
@@ -64,6 +79,14 @@ module Snort
       rule
     end
+    def enable
+      @enabled = true
+    end
+    def disable
+      @enabled = false
+    end
     def add_option(option)
       if option.class == Array
         option = Snort::RuleOption.new(option[0], option[1,100])
@@ -97,6 +120,10 @@ module Snort
       end
       nil
     end
+    def get_options(option_name)
+      @options_hash[option_name]
+    end
     def get_option_first(option_name)
       if @options_hash[option_name]

data/lib/snort/rule/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Snort
   class Rule
-    VERSION = "1.4.1"
+    VERSION = "1.5.2"
   end
 end

data/lib/snort/ruleset.rb ADDED

@@ -0,0 +1,165 @@
+require "snort/rule/version"
+require "open-uri"
+# Generates and parses snort rules
+#
+# Authors::   Chris Lee  (mailto:rubygems@chrislee.dhs.org),
+#             Will Green (will[ at ]hotgazpacho[ dot ]org),
+#             Justin Knox (jknox[ at ]indexzero[ dot ]org)
+#             Ryan Barnett (rbarnett[ at ]modsecurity[ dot ]org)
+# Copyright:: Copyright (c) 2011 Chris Lee
+# License::   Distributes under the same terms as Ruby
+module Snort
+  # This class stores a set of rules and allows actions against them
+  class RuleSet
+    def RuleSet::from_file(file)
+      if file.class == File
+        fh = file
+      else
+        fh = open(file.to_s, 'r')
+      end
+      RuleSet::from_filehandle(fh)
+    end
+    def RuleSet::from_url(url)
+      RuleSet::from_file(url)
+    end
+    def RuleSet::from_filehandle(fh)
+      rules = RuleSet.new
+      fh.each_line do |line|
+        if line =~ /(alert|drop|pass|reject|activate|dynamic|activate|sdrop)/
+          begin
+            rule = Snort::Rule.parse(line)
+            if rule
+              rules << rule
+            else
+              rules << Snort::Comment.new(line.strip)
+            end
+          rescue ArgumentError => e
+          rescue NoMethodError => e
+          end
+        else
+          rules << Snort::Comment.new(line.strip)
+        end
+      end
+      rules
+    end
+    def to_filehandle(fh)
+      @ruleset.each do |rule|
+        fh.puts rule.to_s
+      end
+    end
+    def to_file(file)
+      i_opened_it = false
+      if file.class == File
+        fh = file
+      else
+        i_opened_it = true
+        fh = open(file.to_s, 'w')
+      end
+      to_filehandle(fh)
+      if i_opened_it
+        fh.close
+      end
+    end
+    def initialize(ruleset=[])
+      @ruleset = ruleset
+    end
+    def <<(rule)
+      @ruleset << rule
+    end
+    def -(rule)
+      @ruleset -= rule
+    end
+    def length
+      @ruleset.find_all {|r| r.class == Snort::Rule}.length
+    end
+    def count(&block)
+      @ruleset.find_all {|r| r.class == Snort::Rule}.count(&block)
+    end
+    def enable(&block)
+      count = 0
+      @ruleset.find_all {|r| r.class == Snort::Rule}.each do |rule|
+        if block.call(rule)
+          rule.enable
+          count += 1
+        end
+      end
+      count
+    end
+    def disable(&block)
+      count = 0
+      @ruleset.find_all {|r| r.class == Snort::Rule}.each do |rule|
+        if block.call(rule)
+          rule.disable
+          count += 1
+        end
+      end
+      count
+    end
+    def delete(&block)
+      len = @ruleset.length
+      @ruleset.each do |rule|
+        next if rule.class == Snort::Comment
+        if block.call(rule)
+          @ruleset -= [rule]
+        end
+      end
+      len - @ruleset.length
+    end
+    def enable_all
+      enable do |r|
+        true
+      end
+    end
+    def disable_all
+      disable do |r|
+        true
+      end
+    end
+    def delete_all
+      delete do |r|
+        true
+      end
+    end
+    def enable_by_name(name)
+      enable do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+    def disable_by_name(name)
+      disable do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+    def delete_by_name(name)
+      delete do |r|
+        if r.name =~ name
+          true
+        end
+      end
+    end
+  end
+end

data/test/helper.rb CHANGED

@@ -3,3 +3,4 @@ gem 'minitest'
 require 'minitest/autorun'
 require 'minitest/pride'
 require File.expand_path('../../lib/snort/rule.rb', __FILE__)
+require File.expand_path('../../lib/snort/ruleset.rb', __FILE__)

data/test/test_snort-community-rules.rb CHANGED

@@ -7,6 +7,7 @@ unless Kernel.respond_to?(:require_relative)
 end
 require_relative 'helper'
+require 'pp'
 class TestSnortCommunityRules < Minitest::Test
   def setup
@@ -45,20 +46,69 @@ class TestSnortCommunityRules < Minitest::Test
   end
   def test_complete_rules_file
-    rules = []
-    File.open("test/community-rules/community.rules").each_line do |line|
-      next unless line =~ /alert/
-      begin
-        rule = Snort::Rule.parse(line)
-        if rule
-          rules << rule
-        end
-      rescue ArgumentError => e
-      rescue NoMethodError => e
+    rules = Snort::RuleSet::from_file("test/community-rules/community.rules")
+    assert_equal 3127, rules.length
+    assert_equal 2522, rules.count{|r| ! r.enabled}
+    assert_equal 605, rules.count{|r| r.enabled}
+    rules.disable_all
+    assert_equal 0, rules.count{|r| r.enabled}
+    assert_equal 3127, rules.count{|r| ! r.enabled}
+    rules.enable_all
+    assert_equal 3127, rules.count{|r| r.enabled}
+    assert_equal 0, rules.count{|r| ! r.enabled}
+    rules.disable do |r|
+      r.get_option_first("msg").match(/^"MALWARE\-CNC/)
+    end
+    assert_equal 392, rules.count{|r| ! r.enabled}
+    assert_equal 2735, rules.count{|r| r.enabled}
+    rules.delete do |r|
+      options = r.get_options("content")
+      if options
+        options.find { |o|
+          o.arguments.find { |a|
+            a.match(/"POST"/)
+          }
+        }
+      else
+        nil
       end
     end
+    assert_equal 343, rules.count{|r| ! r.enabled}
+    assert_equal 2726, rules.count{|r| r.enabled}
+    rules.delete_all
+    assert_equal 0, rules.length
+    assert_equal 0, rules.count{|r| r.enabled}
+    assert_equal 0, rules.count{|r| ! r.enabled}
+  end
+  # def test_ruleset_load_from_url
+  #   rules = Snort::RuleSet::from_file("http://test.com/community.rules")
+  #   assert_equal 3127, rules.length
+  #   assert_equal 2522, rules.count{|r| ! r.enabled}
+  #   assert_equal 605, rules.count{|r| r.enabled}
+  # end
+  def test_writing_file
+    rules = Snort::RuleSet::from_file("test/community-rules/community.rules")
     assert_equal 3127, rules.length
     assert_equal 2522, rules.count{|r| ! r.enabled}
     assert_equal 605, rules.count{|r| r.enabled}
+    rules.to_file("test/community-rules/community.rules.test")
+    assert File.exist?("test/community-rules/community.rules.test")
+    total = enabled = disabled = 0
+    open("test/community-rules/community.rules.test", 'r').each_line do |l|
+      if l =~ /^(#)?\s*(alert|drop|pass|reject|activate|dynamic|activate|sdrop)/
+        total += 1
+        if l =~ /^#/
+          disabled += 1
+        else
+          enabled += 1
+        end
+      end
+    end
+    assert_equal 3127, total
+    assert_equal 2522, disabled
+    assert_equal 605, enabled
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snort-rule
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.5.2
 platform: ruby
 authors:
 - chrislee35
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-11-22 00:00:00.000000000 Z
+date: 2014-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -84,6 +84,7 @@ files:
 - lib/snort/rule.rb
 - lib/snort/rule/option.rb
 - lib/snort/rule/version.rb
+- lib/snort/ruleset.rb
 - snort-rule.gemspec
 - test/helper.rb
 - test/test_snort-community-rules.rb