threshold 0.0.3 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +62 -3
- data/lib/threshold/event_filter.rb +1 -1
- data/lib/threshold/rate_filter.rb +1 -1
- data/lib/threshold/suppression.rb +1 -1
- data/lib/threshold/thresholds.rb +59 -17
- data/lib/threshold/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a1bada0dac9f9f832e9ffcc50fa9faea1ab14a3d
|
|
4
|
+
data.tar.gz: 30cf5b417e323b2508e3d32291809d8b6d92f4a2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b1a99450cd9e0187944d439a0194033ddefbabac23a49f283f4e898f9f51515726751f20cc7d810774dedb10dc5e9eeeb895c0d67e2bf96d360321e2ced76fc2
|
|
7
|
+
data.tar.gz: 3144ca335eb414503518ce1b67eed32b1c0888eb49c403955338cb214b35bc948b4c3456436e0bc5bdef60bfef56f7710f06f70584d269e1e9e074c2d974b789
|
data/README.md
CHANGED
|
@@ -1,7 +1,66 @@
|
|
|
1
1
|
# snort-thresholds
|
|
2
|
+
[](http://badge.fury.io/rb/threshold)
|
|
2
3
|
|
|
3
|
-
|
|
4
|
+
Threshold is an ORM to map to Snort 2.9.x threshold.conf files.
|
|
4
5
|
|
|
5
|
-
|
|
6
|
+
It currently supports all standalone snort filters generally found in a threshold configuration. These include suppressions, event_filters, and rate_filters as defined in [Snort README.filters](https://github.com/jasonish/snort/blob/master/doc/README.filters
|
|
7
|
+
).
|
|
8
|
+
|
|
9
|
+
## Code Status
|
|
10
|
+
|
|
11
|
+
[](https://travis-ci.org/shadowbq/snort-thresholds)
|
|
12
|
+
[](https://codeclimate.com/github/shadowbq/snort-thresholds)
|
|
13
|
+
[](https://codeclimate.com/github/shadowbq/snort-thresholds)
|
|
14
|
+
|
|
15
|
+
Look at the branch **tags** for current & prior releases.
|
|
16
|
+
|
|
17
|
+
## Installation
|
|
18
|
+
|
|
19
|
+
`$> gem install threshold`
|
|
20
|
+
|
|
21
|
+
## Usage
|
|
22
|
+
|
|
23
|
+
This is an example Threshold accessing `/tmp/threshold.conf` for loading, appending a new suppression, validiating the configuration, and writing the changes back to the file (flush).
|
|
24
|
+
|
|
25
|
+
```ruby
|
|
26
|
+
2.1.2 :001 > require 'threshold'
|
|
27
|
+
=> true
|
|
28
|
+
2.1.2 :002 > a = Threshold::Thresholds.new
|
|
29
|
+
=> []
|
|
30
|
+
2.1.2 :003 > a.file = '/tmp/threshold.conf'
|
|
31
|
+
=> "/tmp/threshold.conf"
|
|
32
|
+
2.1.2 :004 > a.loadfile
|
|
33
|
+
=> [{"SUPPRESSION"=>["suppress gen_id 1, sig_id 2"], "GID"=>["1", nil, nil], "SID"=>["2", nil, nil]}, {"SUPPRESSION"=>["suppress gen_id 444, sig_id 2"], "GID"=>["444", nil, nil], "SID"=>["2", nil, nil]}]
|
|
34
|
+
2.1.2 :005 > a.valid?
|
|
35
|
+
=> true
|
|
36
|
+
2.1.2 :006 > b = Threshold::Suppression.new
|
|
37
|
+
=> #<Threshold::Suppression:0x00000002a576f0>
|
|
38
|
+
2.1.2 :007 > b.gid=124
|
|
39
|
+
=> 124
|
|
40
|
+
2.1.2 :008 > b.sid=45544
|
|
41
|
+
=> 45544
|
|
42
|
+
2.1.2 :009 > a << b
|
|
43
|
+
=> [#<Threshold::Suppression:0x00000002a87b98 @gid=1, @sid=2>, #<Threshold::Suppression:0x00000002a846c8 @gid=444, @sid=2>, #<Threshold::Suppression:0x00000002a576f0 @gid=124, @sid=45544>]
|
|
44
|
+
2.1.2 :010 > a.flush
|
|
45
|
+
=> true
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
Filtering the Threshold Object can be achieved with common Array like methods. (ex. `reject` )
|
|
49
|
+
|
|
50
|
+
```ruby
|
|
51
|
+
require 'threshold'
|
|
52
|
+
a = Threshold::Thresholds.new
|
|
53
|
+
a.file = '/tmp/threshold.conf'
|
|
54
|
+
a.loadfile
|
|
55
|
+
a = a.reject{|t| t.gid==1}
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
## Contibuting
|
|
59
|
+
|
|
60
|
+
* See [CONTRIBUTING.md](/CONTRIBUTING.md)
|
|
61
|
+
|
|
62
|
+
## Credits
|
|
63
|
+
|
|
64
|
+
* [Shadowbq](https://github.com/shadowbq)
|
|
65
|
+
* [Yabbo](https://github.com/yabbo)
|
|
6
66
|
|
|
7
|
-
https://github.com/jasonish/snort/blob/master/doc/README.filters
|
|
@@ -121,7 +121,7 @@ module Threshold
|
|
|
121
121
|
self.count = result["COUNT"].compact.first.to_i
|
|
122
122
|
self.seconds = result["SECONDS"].compact.first.to_i
|
|
123
123
|
if result.key?("COMMENT")
|
|
124
|
-
self.comment = result["COMMENT"].compact.first
|
|
124
|
+
self.comment = result["COMMENT"].compact.first.chomp
|
|
125
125
|
end
|
|
126
126
|
raise InvalidEventFilterObject unless self.valid?
|
|
127
127
|
rescue
|
|
@@ -159,7 +159,7 @@ module Threshold
|
|
|
159
159
|
self.apply_to = result["IPCIDR"].compact.first
|
|
160
160
|
end
|
|
161
161
|
if result.key?("COMMENT")
|
|
162
|
-
self.comment = result["COMMENT"].compact.first
|
|
162
|
+
self.comment = result["COMMENT"].compact.first.chomp
|
|
163
163
|
end
|
|
164
164
|
raise InvalidRateFilterObject unless self.valid?
|
|
165
165
|
rescue
|
|
@@ -99,7 +99,7 @@ module Threshold
|
|
|
99
99
|
self.ip = result["IP"].compact.first
|
|
100
100
|
end
|
|
101
101
|
if result.key?("COMMENT")
|
|
102
|
-
self.comment = result["COMMENT"].compact.first
|
|
102
|
+
self.comment = result["COMMENT"].compact.first.chomp
|
|
103
103
|
end
|
|
104
104
|
raise InvalidSuppressionObject unless self.valid?
|
|
105
105
|
rescue
|
data/lib/threshold/thresholds.rb
CHANGED
|
@@ -6,10 +6,18 @@ module Threshold
|
|
|
6
6
|
class MissingThresholdFileConfiguration < StandardError; end
|
|
7
7
|
class ThresholdAtomicLockFailure < StandardError; end
|
|
8
8
|
|
|
9
|
-
class Thresholds
|
|
9
|
+
class Thresholds
|
|
10
|
+
|
|
11
|
+
extend Forwardable
|
|
10
12
|
|
|
11
13
|
attr_accessor :file, :readonly
|
|
12
14
|
|
|
15
|
+
def_delegators :@thresholds, :<<, :length, :push, :pop, :first, :last, :<=>, :==, :clear, :[], :[]=, :shift, :unshift, :each, :sort!, :shuffle!, :collect!, :map!, :reject!, :delete_if, :select!, :keep_if, :index, :include?
|
|
16
|
+
|
|
17
|
+
def initialize(thresholds = [])
|
|
18
|
+
@thresholds = thresholds
|
|
19
|
+
end
|
|
20
|
+
|
|
13
21
|
# Write changes to the file
|
|
14
22
|
def flush
|
|
15
23
|
begin
|
|
@@ -34,7 +42,7 @@ module Threshold
|
|
|
34
42
|
|
|
35
43
|
# Clears current collection and Read in the thresholds.conf file
|
|
36
44
|
def loadfile!
|
|
37
|
-
|
|
45
|
+
@thresholds.clear
|
|
38
46
|
loadfile
|
|
39
47
|
end
|
|
40
48
|
|
|
@@ -66,21 +74,7 @@ module Threshold
|
|
|
66
74
|
return false
|
|
67
75
|
end
|
|
68
76
|
end
|
|
69
|
-
|
|
70
|
-
# This should transpose? back to a Thresholds class not return as an Array. (super)
|
|
71
|
-
def sort
|
|
72
|
-
raise InvalidThresholdsObject unless valid?
|
|
73
|
-
new_temp = super
|
|
74
|
-
temp = Thresholds.new
|
|
75
|
-
new_temp.each {|item| temp << item}
|
|
76
|
-
return temp
|
|
77
|
-
end
|
|
78
|
-
|
|
79
|
-
def sort!
|
|
80
|
-
raise InvalidThresholdsObject unless valid?
|
|
81
|
-
super
|
|
82
|
-
end
|
|
83
|
-
|
|
77
|
+
|
|
84
78
|
def to_s
|
|
85
79
|
output = ""
|
|
86
80
|
|
|
@@ -95,6 +89,54 @@ module Threshold
|
|
|
95
89
|
def stored_hash
|
|
96
90
|
@stored_hash
|
|
97
91
|
end
|
|
92
|
+
|
|
93
|
+
## Forwardable Corrections:
|
|
94
|
+
## Corrected for forwardable due to Core Array returning new Arrays on the methods.
|
|
95
|
+
|
|
96
|
+
# Array(@thresholds) Creates a new Array on @threshold.sort so.. direct forwardable delegation fails.
|
|
97
|
+
|
|
98
|
+
def sort
|
|
99
|
+
Thresholds.new(@thresholds.sort)
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
def reverse
|
|
103
|
+
Thresholds.new(@thresholds.reverse)
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
def shuffle
|
|
107
|
+
Thresholds.new(@thresholds.shuffle)
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
def reject(&blk)
|
|
111
|
+
if block_given?
|
|
112
|
+
Thresholds.new(@thresholds.reject(&blk))
|
|
113
|
+
else
|
|
114
|
+
Thresholds.new(@thresholds.reject)
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
def select(&blk)
|
|
119
|
+
if block_given?
|
|
120
|
+
Thresholds.new(@thresholds.select(&blk))
|
|
121
|
+
else
|
|
122
|
+
Thresholds.new(@thresholds.select)
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
|
|
126
|
+
#Uniques by default to printable output
|
|
127
|
+
def uniq(&blk)
|
|
128
|
+
if block_given?
|
|
129
|
+
Thresholds.new(@thresholds.uniq(&blk))
|
|
130
|
+
else
|
|
131
|
+
Thresholds.new(@thresholds.uniq{ |lineitem| lineitem.to_s })
|
|
132
|
+
end
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
## Complex Methods
|
|
136
|
+
## &(union), | (intersect), + (concat)
|
|
137
|
+
|
|
138
|
+
## Should rework to perform to_s before comparison..
|
|
139
|
+
## include?, index
|
|
98
140
|
|
|
99
141
|
private
|
|
100
142
|
|
data/lib/threshold/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: threshold
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Shadowbq
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-01-
|
|
12
|
+
date: 2015-01-22 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: veto
|