threshold 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 80c9df2ec5e67d9e05e5424a136adf096550cfb2
+  data.tar.gz: c3e99e5725ba57c4f55c254348fc7a2168655018
+SHA512:
+  metadata.gz: 6c8a93ec39c051fefa5f0b72a5f058ba9387f8fdfb11218c91315af3086ac8673229b08f0356b99870b98260e8918ff09ee9b15f5d5fae57eee4984694c57e6b
+  data.tar.gz: da6daf4ccea9b2581a9b9f3e6f043b4b29eec4d215db777e391e288181344383904116b5a0bc01289206dd383ccddce0e7bb516b621f6d40228a5b6ad7c18ad0

data/CHANGELOG.md

@@ -0,0 +1 @@
+*Next Release*

data/CONTRIBUTING.md

@@ -0,0 +1,119 @@
+Contributing to Snort-thresholds
+============================
+
+You're encouraged to submit [pull requests](https://github.com/shadowbq/snort-thresholds/pulls), [propose features and discuss issues](https://github.com/shadowbq/snort-thresholds/issues).
+
+#### Fork the Project
+
+Fork the [project on Github](https://github.com/shadowbq/snort-thresholds) and check out your copy.
+
+```
+git clone https://github.com/contributor/snort-thresholds.git
+cd snort-thresholds
+git remote add upstream https://github.com/shadowbq/snort-thresholds.git
+```
+
+#### Create a Topic Branch
+
+All active development is based off of our 'master' branch. So, make sure your references are up to date, and create your topic branch off of upstream/master.
+
+```
+git fetch upstream
+git checkout -b my-feature-branch upstream/master
+```
+
+#### Write Tests
+
+If the area of code that you're working on supports unit tests, add tests. 
+Also, be sure to run all tests to make sure you didn't break anything.
+
+#### Write Code
+
+Implement your feature or bug fix.
+
+#### Write Documentation
+
+Document any external behavior in the [README](README.md).
+
+#### Update Changelog
+
+Add a line to [CHANGELOG](CHANGELOG.md) under *Next Release*. Make it look like every other line, including your name and link to your Github account.
+
+#### Commit Changes
+
+Make sure git knows your name and email address:
+
+```
+git config --global user.name "Your Name"
+git config --global user.email "contributor@example.com"
+```
+
+Make commits of logical units. This might mean making multiple commits if you're changing distinct bits of functionality. 
+```
+git add ...
+git commit
+```
+
+It's very important that you write a good commit log! It should describe what changed and why. If you're fixing an issue that is already tracked within Github, mention it!
+
+````
+    Make a commit title that is brief and to the point
+
+    - Describe the change you made, and why you made it.
+    - Context is vital to a good commit message. Try to get future developers
+      up to speed with what your change does so that they don't bother you
+      offline. 
+    - Mention any relevant Snort-thresholds issues by mentioning the number like this #55 
+    - Github will automatically close any issues when your pull request is
+      accepted if you do something like this: closes #123
+
+````
+
+#### Rebase
+
+It's easy to for your feature branch to fall behind any changes that have been made in the main repository. This is to be expected on actively developed projects.
+In order to make sure that your changes will still work when merged into the main repo, it's a good idea to rebase your feature branch. This basically peels the commits off of your feature branch, pulls in any updates that have been made to upstream/master, and then re-applies your commits. If all goes well, your commits will apply cleanly. If, however, someone else has made changes to the same code as you, git will report the conflicts and give you a chance to fix anything. 
+
+Basically, this will help ensure that your code will merge properly with any changes that may have been made in the main repository. If there are any conflicts, it will be easier to deal with those now, rather than finding out that your pull request can't merge.
+
+```
+git fetch upstream
+git rebase upstream/master
+```
+
+#### Push
+
+```
+git push origin my-feature-branch
+```
+
+#### Make a Pull Request
+
+Go to https://github.com/contributor/snort-thresholds and select your feature branch. Click the 'Pull Request' button and fill out the form. Pull requests are usually reviewed within a few days.
+
+#### Update CHANGELOG Again
+
+Update the [CHANGELOG](CHANGELOG.md) with the pull request number. A typical entry looks as follows.
+
+```
+* [#123](https://github.com/shadowbq/snort-thresholds/pull/123): Reticulated splines - [@contributor](https://github.com/contributor).
+```
+
+Amend your previous commit and force push the changes.
+
+```
+git commit --amend
+git push origin my-feature-branch -f
+```
+
+#### Check on Your Pull Request
+
+Go back to your pull request after a few minutes and see whether it passed muster with Travis-CI. Everything should look green, otherwise fix issues and amend your commit as described above.
+
+#### Be Patient
+
+It's likely that your change will not be merged and that the nitpicky maintainers will ask you to do more, or fix seemingly benign problems. Hang on there!
+
+#### Thank You
+
+Please do know that we really appreciate and value your time and work. We love you, really.

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 shadowbq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,7 @@
+# snort-thresholds
+
+[![Build Status](https://travis-ci.org/shadowbq/snort-thresholds.svg?branch=master)](https://travis-ci.org/shadowbq/snort-thresholds) [![Code Climate](https://codeclimate.com/github/shadowbq/snort-thresholds/badges/gpa.svg)](https://codeclimate.com/github/shadowbq/snort-thresholds) [![Test Coverage](https://codeclimate.com/github/shadowbq/snort-thresholds/badges/coverage.svg)](https://codeclimate.com/github/shadowbq/snort-thresholds)
+
+Work in progress 
+
+https://github.com/jasonish/snort/blob/master/doc/README.filters

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler"
+require "rake"
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task :default => :spec
+
+desc "Run all specs"
+RSpec::Core::RakeTask.new(:spec) do |task|
+  task.pattern = "tests/**/*_spec.rb"
+end

data/lib/threshold/builder.rb

@@ -0,0 +1,22 @@
+module Threshold
+  
+  #Returns an Array of Grok Captures from the input file matching Threshold Conf standards
+  class Builder
+  	def initialize(parsed_data)
+      @parsed_data = parsed_data
+      @parsed_data.reject! {|k,v| v.compact.first == nil }
+    end
+
+    def build
+      #Strip out NIL Stuctures
+  		if @parsed_data.key?("SUPPRESSION")
+  			return Threshold::Suppression.new(@parsed_data)
+  		elsif @parsed_data.key?("RATEFILTER")
+  			return Threshold::RateFilter.new(@parsed_data)
+  		else @parsed_data.key?("EVENTFILTER")
+  			return Threshold::EventFilter.new(@parsed_data)
+  		end
+  	end
+  end
+
+end

data/lib/threshold/event_filter.rb

@@ -0,0 +1,134 @@
+
+# In Snort 2.8.5, a new command event_filter was added with the following format.
+# It functions the same as the global threshold command does in Snort 2.8.4 and
+# earlier, except that it is not permitted within a rule.
+
+# event_filter \
+#     gen_id <gid>, sig_id <sid>, \
+#     type <limit|threshold|both>, \
+#     track <by_src|by_dst>, \
+#     count <c>, seconds <s>
+
+# This format supports the following options - all are required:
+
+# * gen_id, sig_id:  specify generator and signature ids of an associated rule.  A
+#   sig_id of 0 will apply to all sig_ids for the given gen_id.  If both gen_id
+#   and sig_id are zero, the event_filter applies to all events.  Only one
+#   event_filter may be defined for a given gen_id, sig_id.
+
+# * type <limit|threshold|both>:  type limit alerts on the 1st m events during the
+#   time interval, then ignores events for the rest of the time interval.  Type
+#   threshold alerts every m times we see this event during the time interval.
+#   Type both alerts once per time interval after seeing m occurrences of the
+#   event, then ignores any additional events during the time interval.
+
+# * track by_src|by_dst:  rate is tracked either by source IP address, or
+#   destination IP address.  This means count is maintained at either by unique
+#   source IP addresses, or unique destination IP addresses.
+
+# * count c:  number of rule matching in s seconds that will cause event filter
+#   limit to exceed.  C must be nonzero value.  A count of -1 disables the
+#   event filter and can be used to override the global event_filter.
+
+# * seconds s:  time period over which count is accrued.  S must be nonzero value.=end
+
+# Example - rule event_filter - limit to logging 1 event per 60 seconds:
+
+# event_filter \
+#     gen_id 1, sig_id 1851, \
+#     type limit, track by_src, \
+#     count 1, seconds 60
+
+
+# Create a Standard Error Wrapper
+
+module Threshold
+
+  class InvalidEventFilterObject < StandardError; end
+
+  # Create an Event Filter validator
+  class EventFilterValidator
+      include Veto.validator
+
+      validates :gid, :presence => true, :integer => true
+      validates :sid, :presence => true, :integer => true
+      validates :type, :presence => true,  :inclusion => ['limit', 'threshold', 'both']
+      validates :track_by, :presence => true, :inclusion => ['src', 'dst']
+      validates :count, :presence => true, :integer => true
+      validates :seconds, :presence => true, :integer => true
+      validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
+
+      def comment_set?(entity)
+          entity.comment
+      end
+
+      def track_by_set?(entity)
+          entity.track_by
+      end
+
+      def type_set?(type)
+          entity.type
+      end
+  end
+
+  class EventFilter 
+
+  	attr_accessor :gid, :sid, :type, :track_by, :count, :seconds, :comment
+
+    include Veto.model(EventFilterValidator.new)
+    include Comparable
+
+    def initialize(line="")
+      transform(line) unless line.empty?
+    end
+
+  	def to_s
+      if self.valid? 
+        if defined?(@comment) 
+      		"event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds} #{@comment}"
+        else
+          "event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}" 
+        end
+      else
+        raise InvalidEventFilterObject, 'Event Filter did not validate'
+      end
+  	end
+
+    #Comparable
+    def <=>(anOther)
+      #gid <=> anOther.gid
+      c = self.class.to_s <=> anOther.class.to_s
+      if c == 0 then 
+        d = self.gid <=> anOther.gid
+        if d == 0 then
+          self.sid <=> anOther.sid
+        else
+          return d
+        end   
+      else
+        return c
+      end
+    end
+
+    private
+
+    def transform(result)
+      begin
+        self.gid = result["GID"].compact.first.to_i
+        self.sid = result["SID"].compact.first.to_i
+        self.type = result["ETYPE"].compact.first
+        self.track_by = result["TRACK"].compact.first.split('_')[1]
+        self.count = result["COUNT"].compact.first.to_i
+        self.seconds = result["SECONDS"].compact.first.to_i
+        if result.key?("COMMENT")
+          self.comment = result["COMMENT"].compact.first
+        end
+        raise InvalidEventFilterObject unless self.valid?
+      rescue
+        raise InvalidEventFilterObject, 'Failed transformation from parser'
+      end
+    end
+
+  end
+
+end

data/lib/threshold/parser.rb

@@ -0,0 +1,58 @@
+module Threshold
+  
+  #Returns an Array of Grok Captures from the input file matching Threshold Conf standards
+  class Parser
+
+    attr_reader :caps, :filehash
+
+    def initialize(file)
+
+      @file = file
+      @caps = []
+
+      patterns = {}
+      patterns["SUPPRESSION"] = "^suppress gen_id %{ID:GID}, sig_id %{ID:SID}(%{SUPPRESSIONOPTIONS})?(%{COMMENT})?"
+      patterns["EVENTFILTER"] = "^event_filter gen_id %{ID:GID}, sig_id %{ID:SID}, type %{ETYPE}, track %{TRACK}, count %{COUNT}, seconds %{SECONDS}(%{COMMENT})?"
+      patterns["RATEFILTER"] = "^rate_filter gen_id %{ID:GID}, sig_id %{ID:SID}, track %{TRACK}, count %{COUNT}, seconds %{SECONDS}, new_action %{NEW_ACTION}, timeout %{COUNT:TIMEOUT}(%{RATEFILTEROPTIONS})?(%{COMMENT})?"
+
+      patterns["SUPPRESSIONOPTIONS"] = ", track %{TRACK}, ip %{IP}"
+      patterns["RATEFILTEROPTIONS"] = ", apply_to %{IPCIDR}"
+      
+      patterns["ID"] = '\\d+'
+      patterns["ETYPE"] = "limit|threshold|both"
+      patterns["COUNT"] = "\\d+"
+      patterns["SECONDS"] = "\\d+"
+      patterns["TRACK"] = "by_src|by_dst|by_rule"
+      patterns["COMMENT"] = "\s*?#.*"
+      patterns["NEW_ACTION"] = 'alert|drop|pass|log|sdrop|reject'
+      patterns["IPCIDR"] = '(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?'
+
+      @grok = Grok.new
+      patterns.each {|k,v| @grok.add_pattern(k,v)}
+      custom_path = File.join(File.dirname(File.expand_path(__FILE__)), "patterns/base")
+      @grok.add_patterns_from_file(custom_path)
+
+      # Remember to call result["GID"].compact because of the PIPE or below in grok compile
+      @grok.compile("^%{SUPPRESSION}|%{EVENTFILTER}|%{RATEFILTER}")
+      
+      loadfile(@file)
+    end
+
+    private 
+
+    def loadfile(file)
+        # FLOCK this and hash it.. 
+        handler = File.open(file)
+        handler.flock(File::LOCK_EX)
+        handler.each do |line|
+          match = @grok.match(line)
+          @caps << match.captures if match
+        end
+        hash = Digest::MD5.file file
+        handler.close
+        @filehash = hash
+    end
+
+  end
+end
+

data/lib/threshold/patterns/base

@@ -0,0 +1,91 @@
+USERNAME [a-zA-Z0-9_-]+
+USER %{USERNAME}
+INT (?:[+-]?(?:[0-9]+))
+BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
+NUMBER (?:%{BASE10NUM})
+BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
+BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b
+
+POSINT \b(?:[0-9]+)\b
+WORD \b\w+\b
+NOTSPACE \S+
+DATA .*?
+GREEDYDATA .*
+#QUOTEDSTRING (?:(?<!\\)(?:"(?:\\.|[^\\"])*"|(?:'(?:\\.|[^\\'])*')|(?:`(?:\\.|[^\\`])*`)))
+QUOTEDSTRING (?:(?<!\\)(?:"(?>[^\\"]+|\\.)*")|(?:'(?>[^\\']+|\\.)*')|(?:`(?>[^\\`]+|\\.)*`))
+
+# Networking
+MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
+CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
+WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
+COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
+IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
+HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
+HOST %{HOSTNAME}
+IPORHOST (?:%{HOSTNAME}|%{IP})
+HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT})
+
+# paths
+PATH (?:%{UNIXPATH}|%{WINPATH})
+UNIXPATH (?:/(?:[\w_%!$@:.,-]+|\\.)*)+
+#UNIXPATH (?<![\w\/])(?:/[^\/\s?*]*)+
+LINUXTTY (?:/dev/pts/%{POSINT})
+BSDTTY (?:/dev/tty[pq][a-z0-9])
+TTY (?:%{BSDTTY}|%{LINUXTTY})
+WINPATH (?:[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
+URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
+URIHOST %{IPORHOST}(?::%{POSINT:port})?
+# uripath comes loosely from RFC1738, but mostly from what Firefox
+# doesn't turn into %XX
+URIPATH (?:/[A-Za-z0-9$.+!*'(),~:#%_-]*)+
+#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?
+URIPARAM \?[A-Za-z0-9$.+!*'(),~#%&/=:;_-]*
+URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
+URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
+
+# Months: January, Feb, 3, 03, 12, December
+MONTH \b(?:[Jj]an(?:uary)?|[Ff]eb(?:ruary)?|[Mm]ar(?:ch)?|[Aa]pr(?:il)?|[Mm]ay|[Jj]un(?:e)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo]ct(?:ober)?|[Nn]ov(?:ember)?|[Dd]ec(?:ember)?)\b
+MONTHNUM (?:0?[1-9]|1[0-2])
+MONTHDAY (?:3[01]|[1-2]?[0-9]|0?[1-9])
+
+# Days: Monday, Tue, Thu, etc...
+DAY (?:[Mm]on(?:day)?|[Tt]ue(?:sday)?|[Ww]ed(?:nesday)?|[Tt]hu(?:rsday)?|[Ff]ri(?:day)?|[Ss]at(?:urday)?|[Ss]un(?:day)?)
+
+# Years?
+YEAR [0-9]+
+# Time: HH:MM:SS
+#TIME \d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?
+# I'm still on the fence about using grok to perform the time match,
+# since it's probably slower.
+# TIME %{POSINT<24}:%{POSINT<60}(?::%{POSINT<60}(?:\.%{POSINT})?)?
+HOUR (?:2[0123]|[01][0-9])
+MINUTE (?:[0-5][0-9])
+# '60' is a leap second in most time standards and thus is valid.
+SECOND (?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)
+TIME (?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
+# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
+DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
+DATE_EU %{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}
+ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
+ISO8601_SECOND (?:%{SECOND}|60)
+TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
+DATE %{DATE_US}|%{DATE_EU}
+DATESTAMP %{DATE}[- ]%{TIME}
+TZ (?:[PMCE][SD]T)
+DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
+DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
+
+# Syslog Dates: Month Day HH:MM:SS
+SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
+PROG (?:[\w._/-]+)
+SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
+SYSLOGHOST %{IPORHOST}
+SYSLOGFACILITY <%{POSINT:facility}.%{POSINT:priority}>
+HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT:ZONE}
+
+# Shortcuts
+QS %{QUOTEDSTRING}
+
+# Log formats
+SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
+COMBINEDAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" %{QS:agent}

data/lib/threshold/patterns/java

@@ -0,0 +1,3 @@
+JAVACLASS (?:[a-z-]+\.)[A-Za-z0-9]+
+JAVAFILE (?:[A-Za-z0-9_.-]})
+JAVASTACKTRACEPART "at %{JAVACLASS:class}\.%{WORD:method}\(%{JAVAFILE:file}:%{NUMBER:line}\)

data/lib/threshold/patterns/ruby

@@ -0,0 +1,3 @@
+RUBY_LOGLEVEL (?:DEBUG|FATAL|ERROR|WARN|INFO) 
+RUBY_LOGGER [DFEWI], \[%{TIMESTAMP_ISO8601} #{POSINT:pid}\] *%{RUBY_LOGLEVEL} -- : %{DATA:message}
+

data/lib/threshold/rate_filter.rb

@@ -0,0 +1,172 @@
+# rate_filter provides rate based attack prevention by allowing users to
+# configure a new action to take for a specified time when a given rate is
+# exceeded.  Multiple rate filters can be defined on the same rule, in which case
+# they are evaluated in the order they appear in the configuration file, and the
+# first applicable action is taken.  
+
+# Rate filters are used as standalone commands (outside any rule) and have the
+# following format:
+
+# rate_filter \
+#     gen_id <gid>, sig_id <sid>, \
+#     track <by_src|by_dst|by_rule>, \
+#     count <c>, seconds <s>, \
+#     new_action alert|drop|pass|log|sdrop|reject, \
+#     timeout <seconds>, \
+#     apply_to <ip-list>
+
+# This format has the following options - all are required except apply_to, which
+# is optional:
+
+# * Track by_src|by_dst|by_rule:  rate is tracked either by source IP address,
+#   destination IP address, or by rule.  This means the match statistics are
+#   maintained for each unique source IP address, for each unique destination IP
+#   address, or they are aggregated at rule level.  For rules related to Stream5
+#   sessions, source and destination means client and server respectively.  track
+#   by_rule and apply_to may not be used together.
+
+# * Count c:  the maximum number of rule matches in s seconds before the rate
+#   filter limit to is exceeded.  C must be positive.
+
+# * seconds s:  the time period over which count is accrued. 0 seconds means
+#   count is a total count instead of a specific rate.  For example, rate filter
+#   may be used to detect if the number of connections to a specific server
+#   exceed a specific count.  0 seconds only applies to internal rules (gen_id 135)
+#   and other use will produce a fatal error by Snort.
+
+# * new_action <alert|drop|pass|log|sdrop|reject>:  new_action replaces rule
+#   action with alert|drop| pass|log|sdrop for r (timeout) seconds.  Drop, reject
+#   and sdrop can be used only when snort is used in inline mode.  sdrop and
+#   reject are conditionally compiled with #ifdef GIDS.
+
+# * timeout r:  revert to the original rule action after r seconds.  If r is 0,
+#   then rule action is never reverted back.  Event filter may be used to manage
+#   number of alerts after the rule action is enabled by rate filter.
+
+# * apply_to <ip-list>:  restrict the configuration to only to source or
+#   destination IP address (indicated by track parameter) determined by
+#   <ip-list>.  track by_rule and apply_to may not be used together.  Note that
+#   events are generated during the timeout period, even if the rate falls below
+#   the configured limit.  
+
+
+# Example - allow a maximum of 100 connection attempts per second from any one
+# IP address, and block further connection attempts from that IP address for 10
+# seconds:
+
+# rate_filter \
+#     gen_id 135, sig_id 1, \
+#     track by_src, \
+#     count 100, seconds 1, \
+#     new_action drop, timeout 10
+
+
+# Create a Standard Error Wrapper
+
+module Threshold
+
+  class InvalidRateFilterObject < StandardError; end
+
+  # Create a Rate Filter validator
+  class RateFilterValidator
+      include Veto.validator
+
+      validates :gid, :presence => true, :integer => true
+      validates :sid, :presence => true, :integer => true
+      validates :track_by, :presence =>true, :inclusion => ['src', 'dst', 'rule']
+      validates :count, :presence => true, :integer => true
+      validates :seconds, :presence => true, :integer => true
+      validates :new_action, :presence => true, :inclusion => ['alert', 'drop', 'pass', 'log', 'sdrop', 'reject']
+      validates :timeout, :presence => true, :integer => true
+      validates :apply_to, :if => :not_track_by_rule?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
+      validates :comment, :if => :comment_set?, :format => /^\s*#.*/
+
+      def comment_set?(entity)
+          entity.comment
+      end
+
+      def not_track_by_rule?(entity)
+        if entity.apply_to == nil
+          entity.track_by == false
+        else
+          entity.track_by != 'rule'
+      end
+    end
+
+  end
+
+  class RateFilter 
+
+  	attr_accessor :gid, :sid, :track_by, :count, :seconds, :new_action, :timeout, :apply_to, :comment
+
+    include Veto.model(RateFilterValidator.new)
+    include Comparable
+
+    def initialize(line="")
+      transform(line) unless line.empty?
+    end
+
+  	def to_s
+      if self.valid? 
+         if apply_to == nil then
+           if defined?(@comment)
+            "rate_filter gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} #{@comment}"
+           else
+            "rate_filter gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout}"
+           end  
+         else
+           if defined?(@comment)
+            "rate_filter gen_id #{@gid}, sig_id #{@sid}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} apply_to #{@apply_to} #{@comment}"
+           else
+            "rate_filter gen_id #{@gid}, sig_id #{@sid}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} apply_to #{@apply_to}"
+           end 
+         end 
+      else
+        raise InvalidRateFilterObject, 'Rate Filter did not validate'
+      end
+  	end
+
+    #Comparable
+    def <=>(anOther)
+      #gid <=> anOther.gid
+      c = self.class.to_s <=> anOther.class.to_s
+      if c == 0 then 
+        d = self.gid <=> anOther.gid
+        if d == 0 then
+          self.sid <=> anOther.sid
+        else
+          return d
+        end   
+      else
+        return c
+      end
+    end
+    
+    private 
+
+    def transform(result)
+      begin 
+        self.gid = result["GID"].compact.first.to_i
+        self.sid = result["SID"].compact.first.to_i
+        self.track_by = result["TRACK"].compact.first.split('_')[1]
+
+        self.count = result["COUNT"].compact.first.to_i
+        self.seconds = result["SECONDS"].compact.first.to_i
+        self.timeout = result["TIMEOUT"].compact.first.to_i
+        self.new_action = result["NEW_ACTION"].compact.first
+
+        if result.key("IPCIDR")
+          self.apply_to = result["IPCIDR"].compact.first
+        end
+        if result.key?("COMMENT")
+          self.comment = result["COMMENT"].compact.first
+        end
+        raise InvalidRateFilterObject unless self.valid?
+      rescue
+        raise InvalidRateFilterObject, 'Failed transformation from parser'
+      end
+    end
+
+  end
+
+end

data/lib/threshold/suppression.rb

@@ -0,0 +1,114 @@
+
+# suppress \
+#     gen_id <gid>, sig_id <sid>
+# 
+# suppress \
+#     gen_id <gid>, sig_id <sid>, \
+#     track by_src|by_dst, \
+#     ip <ip-list>
+#   Note: ip can be 1.2.3.4 or 1.2.4.5/32
+
+# Create a Standard Error Wrapper
+
+module Threshold
+
+  class InvalidSuppressionObject < StandardError; end
+
+  # Create a Suppression validator
+  class SuppressionValidator
+      include Veto.validator
+
+      validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
+
+      validates :gid, :presence => true, :integer => true
+      validates :sid, :presence => true, :integer => true
+
+      validates :track_by, :presence => true, :if => :ip_set?, :inclusion => ['src', 'dst']
+      validates :ip, :presence => true, :if => :track_by_set?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
+
+      def comment_set?(entity)
+          entity.comment
+      end
+
+      def track_by_set?(entity)
+          entity.track_by
+      end
+
+      def ip_set?(entity)
+          entity.ip
+      end
+  end
+
+  class Suppression 
+
+  	attr_accessor :gid, :sid, :track_by, :ip, :comment
+
+    include Veto.model(SuppressionValidator.new)
+    include Comparable
+
+    def initialize(line="")
+      transform(line) unless line.empty?
+    end
+
+    #Comparable
+    def <=>(anOther)
+      #gid <=> anOther.gid
+      c = self.class.to_s <=> anOther.class.to_s
+      if c == 0 then 
+        d = self.gid <=> anOther.gid
+        if d == 0 then
+          self.sid <=> anOther.sid
+        else
+          return d 
+        end  
+      else
+        return c
+      end
+    end
+
+  	def to_s
+      if self.valid?
+    		if track_by == nil then
+          if defined?(@comment)
+    		    "suppress gen_id #{@gid}, sig_id #{@sid} #{@comment}"
+          else
+            "suppress gen_id #{@gid}, sig_id #{@sid}"
+          end  
+    		else
+    		  if defined?(@comment)
+            "suppress gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, ip #{@ip} #{@comment}"
+          else
+            "suppress gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, ip #{@ip}"
+          end  
+    		end
+      else
+        raise InvalidSuppressionObject, 'Suppression did not validate'
+      end
+  	end
+
+    private
+
+    def transform(result)
+      begin 
+        self.gid = result["GID"].compact.first.to_i
+        self.sid = result["SID"].compact.first.to_i
+        if result.key?("TRACK")
+          self.track_by = result["TRACK"].compact.first.split('_')[1]
+        end
+        if result.key?("IP")
+          self.ip = result["IP"].compact.first
+        end
+        if result.key?("COMMENT")
+          self.comment = result["COMMENT"].compact.first
+        end
+        raise InvalidSuppressionObject unless self.valid?
+      rescue
+        raise InvalidSuppressionObject, 'Failed transformation from parser'
+      end
+    end
+
+
+
+  end
+
+end

data/lib/threshold/thresholds.rb

@@ -0,0 +1,124 @@
+module Threshold
+
+  class InvalidThresholdsObject < StandardError; end
+  class ReadOnlyThresholdFile < StandardError; end
+  class NonExistantThresholdFile < StandardError; end
+  class MissingThresholdFileConfiguration < StandardError; end
+  class ThresholdAtomicLockFailure < StandardError; end
+
+  class Thresholds < Array
+
+    attr_accessor :file, :readonly
+
+    # Write changes to the file
+    def flush
+      begin 
+        valid_existing_file?(@file)
+        raise ReadOnlyThresholdsFile if @readonly
+        hash = current_hash
+        
+        file = File.open(@file, 'w+')
+        raise ThresholdAtomicLockFailure, 'The @file state/hash changed before we could flush the file' unless stored_hash == hash
+        file.write self.sort.to_s
+        file.close
+
+      rescue NonExistantThresholdFile
+        raise ReadOnlyThresholdsFile if @readonly
+
+        file = File.open(@file, 'w')
+        file.write self.sort.to_s
+        file.close
+      end
+      return true 
+    end
+
+    # Clears current collection and Read in the thresholds.conf file 
+    def loadfile!
+      self.clear
+      loadfile
+    end
+
+    # Append in the thresholds.conf file to current collection
+    def loadfile
+      valid_existing_file?(@file)
+
+      results = Threshold::Parser.new(@file)
+      @stored_hash= results.filehash
+      #puts stored_hash
+      results.caps.each do |result|
+         builder = Threshold::Builder.new(result)
+         self << builder.build
+      end
+
+    end
+
+    def valid?
+      begin 
+        self.each do |threshold| 
+          if threshold.respond_to?(:valid?)
+            return false unless threshold.valid?
+          else
+            raise InvalidThresholdsObject, "Container object has unknown objects"
+          end
+        end
+        return true
+      rescue InvalidThresholdsObject
+        return false
+      end
+    end
+
+    # This should transpose? back to a Thresholds class not return as an Array. (super)
+    def sort
+      raise InvalidThresholdsObject unless valid?
+      new_temp = super
+      temp = Thresholds.new
+      new_temp.each {|item| temp << item}
+      return temp
+    end
+
+    def sort!
+      raise InvalidThresholdsObject unless valid?
+      super
+    end
+
+    def to_s
+      output = ""
+
+      raise InvalidThresholdsObject, "Container object has unknown objects" unless valid?
+
+      self.each do |threshold|
+        output << threshold.to_s + "\n"
+      end
+      return output
+    end
+
+    def stored_hash
+      @stored_hash
+    end
+
+    private
+
+    def stored_hash=(foo)
+      @stored_hash=foo
+    end
+
+    def current_hash
+      file = File.open(@file, 'rb+') 
+      file.flock(File::LOCK_EX)
+      hash = Digest::MD5.file @file
+      file.close
+      return hash
+    end
+
+    def valid_existing_file?(file)
+      if file !=nil
+        raise NonExistantThresholdFile, "Missing threshold.conf" unless (File.file?(file) and File.exists?(file))
+      else
+        raise MissingThresholdFileConfiguration, "Missing threshold.conf path. See README for Usage."
+      end
+      return true
+    end
+
+
+  end
+end

data/lib/threshold/version.rb

@@ -0,0 +1,4 @@
+  module Threshold
+    VERSION = '0.0.3'
+    SNORT_VERSION='~>2.9.3'
+  end

data/lib/threshold.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'forwardable' # Needed by veto
+require 'veto'
+require 'grok-pure'
+require 'digest'
+
+module Threshold
+  $:.unshift(File.dirname(__FILE__))
+
+  #require library
+  require 'threshold/suppression'
+  require 'threshold/event_filter'
+  require 'threshold/thresholds'
+  require 'threshold/rate_filter'
+  require 'threshold/builder'
+  require 'threshold/parser'
+
+end

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: threshold
+version: !ruby/object:Gem::Version
+  version: 0.0.3
+platform: ruby
+authors:
+- Shadowbq
+- Yabbo
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: veto
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: jls-grok
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fivemat
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: An ORM to map to Snort 2.9.x threshold.conf files
+email: shadowbq@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTING.md
+- LICENSE
+- README.md
+- Rakefile
+- lib/threshold.rb
+- lib/threshold/builder.rb
+- lib/threshold/event_filter.rb
+- lib/threshold/parser.rb
+- lib/threshold/patterns/base
+- lib/threshold/patterns/java
+- lib/threshold/patterns/ruby
+- lib/threshold/rate_filter.rb
+- lib/threshold/suppression.rb
+- lib/threshold/thresholds.rb
+- lib/threshold/version.rb
+homepage: http://github.com/shadowbq/snort-thresholds
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: An ORM to map to Snort 2.9.x threshold.conf files
+test_files: []