snortor 0.0.1

data/.gitignore

@@ -0,0 +1,6 @@
+pkg/*
+*.gem
+.bundle
+doc
+.yardoc
+doc.sh

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in snortor.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,14 @@
+PATH
+  remote: .
+  specs:
+    snortor (0.0.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  snortor!

data/README.md

@@ -0,0 +1,67 @@
+# FIDIUS Snortor
+
+Snortor provides an interface to configure snort rules. 
+You can:
+
+  *   import rules 
+  *   export rules 
+  *   find rules by message
+  *   activate or deactivate single rules  
+  *   import/export possible via scp
+
+## Installation
+
+Simply install this package with Rubygems:
+
+    $ gem install snortor
+
+## Usage
+
+Some examples on how Snortor can be used.
+
+    require 'snortor'
+
+    # import some rules from remote host
+    Snortor.import_rules({:host=>"10.10.10.254",:user=>"root",:password=>"xxx",:remote_path=>"/etc/snort/rules/"})
+
+    # or import rule files from local path
+    Snortor.import_rules("/home/user/myrules")
+
+    # work with your rules
+    puts "#{Snortor.rules.size}"
+    puts "#{Snortor.rules[1].active}"
+    Snortor.rules[1].active = false
+
+    # find specific rules 
+    rule = Snortor.rules.find_by_msg("BAD-TRAFFIC")
+    rule.active = true
+
+    # find all rules by name
+    rules = Snortor.rules.find_all_by_msg("BAD-TRAFFIC")    
+    rules.each do |rule|
+      rule.active = false
+    end
+
+    Snortor.export_rules({:host=>"10.10.10.254",:user=>"root",:password=>"xxx",:remote_path=>"/etc/snort/rules/"})
+
+## Authors and Contact
+
+fidius-evasiondb was written by
+
+* FIDIUS Intrusion Detection with Intelligent User Support
+  <grp-fidius+evasiondb@tzi.de>, <http://fidius.me>
+* in particular:
+ * Bernhard Katzmarski <bkatzm+snortor@tzi.de>
+
+If you have any questions, remarks, suggestion, improvements, etc. feel free to drop a line at the 
+addresses given above. You might also join `#fidius` on Freenode or use the contact form on our
+[website](http://fidius.me/en/contact).
+
+
+# Acknowledgement
+
+This Gem uses snort-rule from Chris Lee which provided the ability to parse rules.
+
+## License
+
+Simplified BSD License and GNU GPLv2. See also the file LICENSE.

data/Rakefile

@@ -0,0 +1,13 @@
+# fix error: cant convert nil into String
+# Rakefile:1 in include?
+unless ENV['GEM_HOME'] && (__FILE__.include? ENV['GEM_HOME'])
+  require 'bundler'
+  Bundler::GemHelper.install_tasks
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end

data/lib/rule.rb

@@ -0,0 +1,36 @@
+# This module is provided by snort-rule gem.
+# Only do a monkey patch here to have the activation ability of single rules.
+module Snort
+  # this class is extended to have activation ability of single rules
+  class Rule
+    attr_accessor :active
+    attr_accessor :line
+
+
+    def initialize(kwargs={})
+      super(kwargs)
+      @active=true
+    end
+
+    def active=(a)
+      @active = a
+    end
+
+    def message
+      opts['msg']
+    end
+    def self.parse_rule(line)
+      rule = self.parse(line)
+      if rule.message
+        rule.line = line
+        return rule
+      else
+        return nil
+      end
+    end
+
+    def to_line
+      @line.to_s
+    end
+  end
+end

data/lib/rule_finder.rb

@@ -0,0 +1,25 @@
+module Snortor
+  module RuleFinder
+    def find_by_msg(title)
+      self.each do |r|
+        begin
+          msg = r.opts["msg"]
+          return r if msg[title]
+        rescue
+        end
+      end
+      return nil
+    end
+
+    def find_all_by_msg(title)
+      res = []
+      self.each do |rule|
+        msg = rule.opts["msg"]
+        if msg[title]
+          res << rule 
+        end
+      end
+      return res
+    end
+  end
+end

data/lib/rule_loader.rb

@@ -0,0 +1,23 @@
+module Snortor
+  module RuleLoader
+    def read_rules_from_file(f,&block)
+      file = File.new(f, "r")
+      while (line = file.gets)
+        block.call(f,line)
+      end
+    end
+
+    def read_rules_from_dir(d,&block)
+      Dir.foreach(d) do |filename|
+        full_file_path = File.join(d,filename)
+        next if filename == ".." || filename == "."
+
+        if File.directory?(full_file_path)
+          read_rules_from_dir(full_file_path,&block)
+          next
+        end
+        read_rules_from_file(full_file_path,&block) if File.extname(full_file_path) == ".rules"
+      end
+    end
+  end
+end

data/lib/rulefile.rb

@@ -0,0 +1,19 @@
+module Snortor
+  class Rulefile < Array
+    attr_accessor :filename
+    attr_accessor :filepath
+    attr_accessor :relative_path
+
+    def initialize(filepath)
+      raise Errno::ENOENT unless File.exists?(filepath)
+      @filepath = filepath
+      @filename = File.basename(filepath)
+    end
+
+    def calc_relative_path(fullpath)
+      workingdir = fullpath.split("/")
+      thispath = @filepath.split("/")
+      @relative_path = (thispath-workingdir-[filename]).join("/")
+    end
+  end
+end

data/lib/rulefile_collection.rb

@@ -0,0 +1,120 @@
+require File.join(SNORTOR_BASE,'rule_loader')
+require File.join(SNORTOR_BASE,'rule_finder')
+
+module Snortor
+  class RulefileCollection < Array
+    include RuleLoader
+    include RuleFinder
+
+    alias_method :old_push, :<<
+    alias_method :old_each, :each
+
+    def <<(a)
+      raise "only instances of Rulefile allowed" unless a.class == Rulefile
+      old_push(a)
+    end
+
+    def [](index)
+      offset = 0
+      self.old_each do |rule_file|
+        if index < offset+rule_file.size
+          return rule_file[index-offset]
+          break
+        end
+        offset += rule_file.size
+      end
+    end
+
+    def size
+      res = 0
+      self.old_each do |rule_file|
+        res += rule_file.size
+      end
+      res
+    end
+
+    def each(&block)
+      self.old_each do |rulefile|
+        rulefile.each do |rule|
+          block.call(rule)
+        end
+      end
+      nil
+    end
+
+    def import_rules(path)
+      rulefile = nil
+      if File.directory?(path)
+        read_rules_from_dir(path) do |filepath,line|
+          if rulefile == nil || rulefile.filepath != filepath
+            rulefile = Rulefile.new(filepath)
+            rulefile.calc_relative_path(path)
+            self << rulefile
+          end
+          begin
+            # only parse lines that seem to be a rule
+            # maybe handle includes and comments as well
+            if line["alert"]
+              if line.strip[0] == "#"
+                line[line.index("#")] = ""
+                rule = Snort::Rule.parse_rule(line.strip)
+                rule.active = false
+                rulefile << rule if rule
+              else
+                rulefile << Snort::Rule.parse_rule(line.strip)
+              end
+            end
+          rescue
+            puts "Problem parsing line #{line} in #{filepath}"
+          end
+        end
+      else
+
+        read_rules_from_file(path) do |filepath,line|
+          if rulefile == nil || rulefile.filepath != filepath
+            rulefile = Rulefile.new(filepath)
+            rulefile.calc_relative_path(path)
+            self << rulefile
+          end
+          begin
+            # only parse lines that seem to be a rule
+            # maybe handle includes and comments as well
+            if line["alert"]
+              if line.strip[0] == "#"
+                line[line.index("#")] = ""
+                rule = Snort::Rule.parse_rule(line.strip)
+                rule.active = false
+                rulefile << rule if rule
+              else
+                rulefile << Snort::Rule.parse_rule(line.strip)
+              end
+            end
+          rescue
+            puts "Problem parsing line #{line} in #{filepath}"
+          end
+        end
+      end
+    end
+
+    def write_rules(path)
+      Dir.mkdir(path) if !File.exists?(path)
+      self.old_each do |rulefile|
+        begin
+          dest = File.join(path,rulefile.relative_path,rulefile.filename)
+          file = File.new(dest,"w")
+        rescue Errno::ENOENT
+          Dir.mkdir(File.join(path,rulefile.relative_path))
+          file = File.new(dest,"w")
+        end
+        rulefile.each do |rf|
+          if rf.active
+            file.write(rf.to_line.gsub("\n","")+"\n")
+          else
+            file.write("# "+rf.to_line.gsub("\n","")+"\n")
+          end
+        end
+        file.close
+      end
+    end
+  end
+end

data/lib/snortor.rb

@@ -0,0 +1,135 @@
+require 'rubygems'
+SNORTOR_BASE = File.expand_path('..', __FILE__)
+
+require 'snort-rule'
+require 'net/ssh'
+require 'net/scp'
+require File.join(SNORTOR_BASE,'rule')
+require File.join(SNORTOR_BASE,'rulefile')
+require File.join(SNORTOR_BASE,'rulefile_collection')
+require 'tmpdir'
+
+#Snortor provides an interface to configure snort rules. You can:
+#  *   import rules
+#  *   export rules
+#  *   find rules by message
+#  *   activate or deactivate single rules
+#  *   import/export possible via scp
+module Snortor
+  class << self
+    @@rules = RulefileCollection.new
+
+    # after import you can work with the rules like
+    #   puts "#{Snortor.rules.size}"
+    #   puts "#{Snortor.rules[1].active}"
+    #   Snortor.rules[1].active = false
+    #
+    def rules
+      @@rules
+    end
+
+    # imports rules from a local_path or via scp connection from a remote host.
+    #
+    #   import_rules("/my/local/path")
+    #
+    #   import_rules({:host=>x,:user=>x,:password=>x,:remote_path=>x})
+    def import_rules(args)
+      clear
+      if args.class == Hash
+        @@rules.import_rules(download_from_host(args))
+      elsif args.class == String
+        @@rules.import_rules(args)
+      else
+        raise "can not use #{args.class}. provide string or hash for import_rules"
+      end
+    end
+
+    # exports rules to a local directory or via scp connection to a remote host.
+    #
+    #   export_rules("/my/local/path")
+    #
+    #   export_rules({:host=>x,:user=>x,:password=>x,:remote_path=>xa})
+    def export_rules(args)
+      if args.class == Hash
+        local_path = args[:local_path]
+        local_path = File.join(Dir.tmpdir,"rules") unless local_path
+        Dir.mkdir(local_path) unless File.exists?(local_path)
+        @@rules.write_rules(local_path)
+        args[:local_path] = local_path
+        upload_to_host(args)
+      elsif args.class == String
+        @@rules.write_rules(args)
+      else
+        raise "can not use #{args.class}. provide string or hash for export_rules"
+      end
+    end
+
+    def download_from_host(conn={})
+      if conn[:local_path]
+        local_path = conn[:local_path]
+      else
+        local_path = File.join(Dir.tmpdir)
+      end
+      Dir.mkdir(local_path) unless File.exists?(local_path)
+      raise "no host given for scp download" unless conn[:host]
+      raise "no user given for scp download" unless conn[:user]
+      raise "no password given for scp download" unless conn[:password]
+      raise "no path given for scp download" unless conn[:remote_path]
+
+      options = {}
+      options[:password] = conn[:password]
+      options[:auth_methods] = ["password"]
+      options = options.merge(conn[:options])
+
+      Net::SSH.start(conn[:host], conn[:user], options) do |ssh|
+        ssh.scp.download!(conn[:remote_path], local_path,:recursive=>true) do |ch, name, sent, total|
+          begin
+            print "\r#{name}: #{(sent.to_f * 100 / total.to_f).to_i}%\e[0K"
+          rescue
+          end
+        end
+      end
+      return local_path+"/rules"
+    end
+
+    def upload_to_host(conn={})
+      raise "no host given for scp upload" unless conn[:host]
+      raise "no user given for scp upload" unless conn[:user]
+      raise "no password given for scp upload" unless conn[:password]
+      raise "no remote_path given for scp upload" unless conn[:remote_path]
+      raise "no local_path given for scp upload" unless conn[:local_path]
+
+      options = {}
+      options[:password] = conn[:password]
+      options[:auth_methods] = ["password"]
+      options = options.merge(conn[:options]) if conn[:options]
+
+      Net::SSH.start(conn[:host], conn[:user], options) do |ssh|
+        ssh.scp.upload!(conn[:local_path], conn[:remote_path],:recursive=>true) do |ch, name, sent, total|
+          begin
+            print "\r#{name}: #{(sent.to_f * 100 / total.to_f).to_i}%\e[0K"
+          rescue
+          end
+        end
+      end
+    end
+
+    # clears the rule array
+    #
+    def clear
+      @@rules.clear
+    end
+
+    # find a rule by its message
+    #   rule = Snortor.rules.find_by_msg("BAD-TRAFFIC")
+    def find_by_msg(msg)
+      @@rules.find_by_msg(msg)
+    end
+
+    # find all rules by its message
+    #   rules = Snortor.rules.find_all_by_msg("BAD-TRAFFIC")
+    def find_all_by_msg(msg)
+      @@rules.find_all_by_msg(msg)
+    end
+  end
+end

data/lib/snortor/version.rb

@@ -0,0 +1,3 @@
+module Snortor
+  VERSION = "0.0.1"
+end

data/snortor.gemspec

@@ -0,0 +1,32 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "snortor/version"
+
+Gem::Specification.new do |s|
+  s.name        = "snortor"
+  s.version     = Snortor::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Bernhard Katzmarski"]
+  s.email       = ["bkatzm@tzi.de"]
+  s.homepage    = "http://www.fidius.me"
+
+  s.summary     = %q{Snortor provides an interface to configure snort rules. You can:
+  *   import rules 
+  *   export rules 
+  *   find rules by message
+  *   activate or deactivate single rules  
+  *   import/export possible via scp
+  }
+
+  s.description = %q{Descriptions are provided in doc and at fidius.me}
+
+  s.rubyforge_project = "snortor"
+
+  s.add_dependency "snort-rule", ">= 0.0.1"
+  s.add_dependency "net-scp", "~> 1.0.4"  
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/test/fixtures/ruleset1.rules

@@ -0,0 +1,3 @@
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+

data/test/fixtures/ruleset2.rules

@@ -0,0 +1,4 @@
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; uricontent:"/servlet/JavascriptProbe"; nocase; nocase; uricontent:"documentElement=true"; nocase; uricontent:"regexp=true"; nocase; uricontent:"frames=true"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010622; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; reference:url,doc.emergingthreats.net/2010623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010623; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; reference:url,doc.emergingthreats.net/2010623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010623; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)

data/test/helper.rb

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'fileutils'
+
+BASE_DIR = File.expand_path('../..', __FILE__)
+FIXTURES_DIR = File.join(BASE_DIR,"test","fixtures")
+require File.join(BASE_DIR,"lib","snortor")
+

data/test/out/ruleset1.rules

@@ -0,0 +1,2 @@
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)

data/test/out/ruleset2.rules

@@ -0,0 +1,4 @@
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; uricontent:"/servlet/JavascriptProbe"; nocase; nocase; uricontent:"documentElement=true"; nocase; uricontent:"regexp=true"; nocase; uricontent:"frames=true"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010622; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; reference:url,doc.emergingthreats.net/2010623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010623; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; uricontent:"/level/15/exec/-/"; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; classtype:web-application-attack; reference:url,articles.techrepublic.com.com/5100-10878_11-6039967.html; reference:url,doc.emergingthreats.net/2010623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Cisco; sid:2010623; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)

data/test/test_snortor.rb

@@ -0,0 +1,89 @@
+# encoding: UTF-8
+require 'test/unit'
+require_relative "helper"
+
+class SnortorTest < Test::Unit::TestCase
+  def delete_out_directory
+    out = File.join(BASE_DIR,"test","out")
+    FileUtils.rm_rf(out) if Dir.exists?(out)
+  end
+
+  def test_import_rules
+    Snortor.import_rules(FIXTURES_DIR)
+    assert_equal 6, Snortor.rules.size
+    assert !Snortor.rules[4].active
+
+    assert_equal Snortor.rules.find_all_by_msg("BAD-TRAFFIC").size, 2
+    assert Snortor.rules.find_by_msg("BAD-TRAFFIC")
+
+    assert_equal Snortor.rules.find_all_by_msg("Command Execution").size, 2
+    assert Snortor.rules.find_by_msg("Command Execution")
+
+    assert_equal Snortor.rules.find_all_by_msg("TFTP GET filename overflow").size, 0
+
+
+    delete_out_directory
+    Snortor.rules[0].active = false
+    Snortor.export_rules(File.join(BASE_DIR,"test","out"))
+
+    Snortor.import_rules(File.join(BASE_DIR,"test","out"))
+    assert_equal 6, Snortor.rules.size
+    assert !Snortor.rules[0].active
+    assert Snortor.rules[1].active
+    assert Snortor.rules[2].active
+    assert Snortor.rules[3].active
+    assert !Snortor.rules[4].active
+  end
+
+  def test_ruleset
+    a = Snortor::Rulefile.new(File.join(FIXTURES_DIR,"ruleset1.rules"))
+
+    a << Snort::Rule.new({})
+    assert_raise ArgumentError do
+      a << Snortor::Rulefile.new #error
+    end
+    assert_raise Errno::ENOENT do
+      a << Snortor::Rulefile.new("path")
+    end
+  end
+
+
+  def test_ruleset_collection
+    a = Snortor::RulefileCollection.new
+
+    rf1 = Snortor::Rulefile.new(File.join(FIXTURES_DIR,"ruleset1.rules"))
+    r1 = Snort::Rule.new({})
+    r2 = Snort::Rule.new({})
+    r3 = Snort::Rule.new({})
+    r4 = Snort::Rule.new({})
+    r5 = Snort::Rule.new({})
+
+    rf1 << r1
+    rf1 << r2
+    rf1 << r3
+
+    rf2 = Snortor::Rulefile.new(File.join(FIXTURES_DIR,"ruleset2.rules"))
+    rf2 << r4
+    rf2 << r5
+
+    a << rf1
+    a << rf2
+
+    assert_equal 5, a.size
+
+    assert_equal r1, a[0]
+    assert_equal r2, a[1]
+    assert_equal r3, a[2]
+    assert_equal r4, a[3]
+    assert_equal r5, a[4]
+  end
+
+  def test_set_deactivated_rule_active
+    Snortor.import_rules(FIXTURES_DIR)
+    assert_equal 6, Snortor.rules.size
+    Snortor.rules.each do |rule|
+      rule.active = true
+    end
+    Snortor.export_rules(File.join(BASE_DIR,"test","out"))
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification 
+name: snortor
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Bernhard Katzmarski
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-12-01 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: snort-rule
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.0.1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: net-scp
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 1.0.4
+  type: :runtime
+  version_requirements: *id002
+description: Descriptions are provided in doc and at fidius.me
+email: 
+- bkatzm@tzi.de
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- lib/rule.rb
+- lib/rule_finder.rb
+- lib/rule_loader.rb
+- lib/rulefile.rb
+- lib/rulefile_collection.rb
+- lib/snortor.rb
+- lib/snortor/version.rb
+- snortor.gemspec
+- test/fixtures/ruleset1.rules
+- test/fixtures/ruleset2.rules
+- test/helper.rb
+- test/out/ruleset1.rules
+- test/out/ruleset2.rules
+- test/test_snortor.rb
+has_rdoc: true
+homepage: http://www.fidius.me
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: snortor
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: "Snortor provides an interface to configure snort rules. You can: *   import rules  *   export rules  *   find rules by message *   activate or deactivate single rules   *   import/export possible via scp"
+test_files: []
+