threshold 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33c2806304e5938f76507449b1594424ba47403e
-  data.tar.gz: 99a23f1a99c452b1149375098162e6bd8cd9a32e
+  metadata.gz: 36f6c07c57491e1ea5e2df998588ceb2ad8227aa
+  data.tar.gz: 7bfb96142322407d7a13160e5a547bbee1c16b83
 SHA512:
-  metadata.gz: 6e121ca66252cdce457ef1dc97ba83caca4e2d293a0e21a5883a811d92a639c2dc0cde5363866a8a9e12391968e87ee5455f044366e7cb9a1007ac7e9f1dd87a
-  data.tar.gz: 3579311658b35e1a86440239a5d3f364fa52d382382c7f7d02c5b15ed85035d23b72bfcc89be1a15133441082c8ac34ceb1a4ff7cc7ae8c21244518e9d62bd77
+  metadata.gz: 77ffe5e644c70d8eaef165e2ed17e65f240a64140b541dc74bbef0395c62a4bff29136ed704732e1c626b843fa37aac5bdd98df9033e4f8d44ed0799b3f70b60
+  data.tar.gz: 36762c4b6b745632bcccb94bc2fcb97763a53dc43feff54fe54ae42178c8887d0cf36a49da405a4620db6c93dc3e96d2f7cc0d073696febadb2bb5c7162ad285

data/README.md

@@ -1,4 +1,6 @@
 # snort-thresholds
+
+[![Join the chat at https://gitter.im/shadowbq/snort-thresholds](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/shadowbq/snort-thresholds?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 [![Gem Version](https://badge.fury.io/rb/threshold.png)](http://badge.fury.io/rb/threshold)
 [![Gem](https://img.shields.io/gem/dt/threshold.svg)](http://badge.fury.io/rb/threshold)
 

data/lib/threshold/builder.rb

@@ -1,22 +1,20 @@
 module Threshold
-  
   #Returns an Array of Grok Captures from the input file matching Threshold Conf standards
   class Builder
-  	def initialize(parsed_data)
+    def initialize(parsed_data)
       @parsed_data = parsed_data
       @parsed_data.reject! {|k,v| v.compact.first == nil }
     end
 
     def build
       #Strip out NIL Stuctures
-  		if @parsed_data.key?("SUPPRESSION")
-  			return Threshold::Suppression.new(@parsed_data)
-  		elsif @parsed_data.key?("RATEFILTER")
-  			return Threshold::RateFilter.new(@parsed_data)
-  		else @parsed_data.key?("EVENTFILTER")
-  			return Threshold::EventFilter.new(@parsed_data)
-  		end
-  	end
+      if @parsed_data.key?("SUPPRESSION")
+        return Threshold::Suppression.new(@parsed_data)
+      elsif @parsed_data.key?("RATEFILTER")
+        return Threshold::RateFilter.new(@parsed_data)
+      else @parsed_data.key?("EVENTFILTER")
+        return Threshold::EventFilter.new(@parsed_data)
+      end
+    end
   end
-
-end
+end

data/lib/threshold/event_filter.rb

@@ -48,25 +48,25 @@ module Threshold
 
   # Create an Event Filter validator
   class EventFilterValidator
-      include Veto.validator
-
-      validates :gid, :presence => true, :integer => true
-      validates :sid, :presence => true, :integer => true
-      validates :type, :presence => true,  :inclusion => ['limit', 'threshold', 'both']
-      validates :track_by, :presence => true, :inclusion => ['src', 'dst']
-      validates :count, :presence => true, :integer => true
-      validates :seconds, :presence => true, :integer => true
-      validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
-
-      def comment_set?(entity)
-          entity.comment
-      end
+    include Veto.validator
+
+    validates :gid, :presence => true, :integer => true
+    validates :sid, :presence => true, :integer => true
+    validates :type, :presence => true,  :inclusion => ['limit', 'threshold', 'both']
+    validates :track_by, :presence => true, :inclusion => ['src', 'dst']
+    validates :count, :presence => true, :integer => true
+    validates :seconds, :presence => true, :integer => true
+    validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
+
+    def comment_set?(entity)
+      entity.comment
+    end
 
   end
 
-  class EventFilter 
+  class EventFilter
 
-  	attr_accessor :gid, :sid, :type, :track_by, :count, :seconds, :comment
+    attr_accessor :gid, :sid, :type, :track_by, :count, :seconds, :comment
 
     include Veto.model(EventFilterValidator.new)
     include Comparable
@@ -76,17 +76,17 @@ module Threshold
       transform(line) unless line.empty?
     end
 
-  	def to_s(skip = false)
-      if self.valid? 
+    def to_s(skip = false)
+      if self.valid?
         if comment?(skip)
-      		"event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds} #{@comment}"
+          "event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds} #{@comment}"
         else
-          "event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}" 
+          "event_filter gen_id #{@gid}, sig_id #{@sid}, type #{@type}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}"
         end
       else
         raise InvalidEventFilterObject, 'Event Filter did not validate'
       end
-  	end
+    end
 
     def state
       [@gid, @sid, @type, @track_by, @count, @seconds]
@@ -103,7 +103,7 @@ module Threshold
         self.count = result["COUNT"].compact.first.to_i
         self.seconds = result["SECONDS"].compact.first.to_i
         if result.key?("COMMENT")
-          self.comment = result["COMMENT"].compact.first.chomp
+          self.comment = result["COMMENT"].compact.first.strip
         end
         raise InvalidEventFilterObject unless self.valid?
       rescue
@@ -113,4 +113,4 @@ module Threshold
 
   end
 
-end
+end

data/lib/threshold/parser.rb

@@ -1,6 +1,5 @@
 module Threshold
-  
-  #Returns an Array of Grok Captures from the input file matching Threshold Conf standards
+    #Returns an Array of Grok Captures from the input file matching Threshold Conf standards
   class Parser
 
     attr_reader :caps, :filehash
@@ -17,8 +16,7 @@ module Threshold
 
       patterns["SUPPRESSIONOPTIONS"] = ", track %{TRACK}, ip %{IP}"
       patterns["RATEFILTEROPTIONS"] = ", apply_to %{IPCIDR}"
-      
-      patterns["ID"] = '\\d+'
+            patterns["ID"] = '\\d+'
       patterns["ETYPE"] = "limit|threshold|both"
       patterns["COUNT"] = "\\d+"
       patterns["SECONDS"] = "\\d+"
@@ -34,25 +32,23 @@ module Threshold
 
       # Remember to call result["GID"].compact because of the PIPE or below in grok compile
       @grok.compile("^%{SUPPRESSION}|%{EVENTFILTER}|%{RATEFILTER}")
-      
-      loadfile(@file)
+            loadfile(@file)
     end
 
-    private 
+    private
 
     def loadfile(file)
-        # FLOCK this and hash it.. 
-        handler = File.open(file)
-        handler.flock(File::LOCK_EX)
-        handler.each do |line|
-          match = @grok.match(line)
-          @caps << match.captures if match
-        end
-        hash = Digest::MD5.file file
-        handler.close
-        @filehash = hash
+      # FLOCK this and hash it..
+      handler = File.open(file)
+      handler.flock(File::LOCK_EX)
+      handler.each do |line|
+        match = @grok.match(line)
+        @caps << match.captures if match
+      end
+      hash = Digest::MD5.file file
+      handler.close
+      @filehash = hash
     end
 
   end
 end
-

data/lib/threshold/rate_filter.rb

@@ -2,7 +2,7 @@
 # configure a new action to take for a specified time when a given rate is
 # exceeded.  Multiple rate filters can be defined on the same rule, in which case
 # they are evaluated in the order they appear in the configuration file, and the
-# first applicable action is taken.  
+# first applicable action is taken.
 
 # Rate filters are used as standalone commands (outside any rule) and have the
 # following format:
@@ -47,7 +47,7 @@
 #   destination IP address (indicated by track parameter) determined by
 #   <ip-list>.  track by_rule and apply_to may not be used together.  Note that
 #   events are generated during the timeout period, even if the rate falls below
-#   the configured limit.  
+#   the configured limit.
 
 
 # Example - allow a maximum of 100 connection attempts per second from any one
@@ -69,35 +69,35 @@ module Threshold
 
   # Create a Rate Filter validator
   class RateFilterValidator
-      include Veto.validator
-
-      validates :gid, :presence => true, :integer => true
-      validates :sid, :presence => true, :integer => true
-      validates :track_by, :presence =>true, :inclusion => ['src', 'dst', 'rule']
-      validates :count, :presence => true, :integer => true
-      validates :seconds, :presence => true, :integer => true
-      validates :new_action, :presence => true, :inclusion => ['alert', 'drop', 'pass', 'log', 'sdrop', 'reject']
-      validates :timeout, :presence => true, :integer => true
-      validates :apply_to, :if => :not_track_by_rule?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
-      validates :comment, :if => :comment_set?, :format => /^\s*#.*/
-
-      def comment_set?(entity)
-          entity.comment
-      end
+    include Veto.validator
+
+    validates :gid, :presence => true, :integer => true
+    validates :sid, :presence => true, :integer => true
+    validates :track_by, :presence =>true, :inclusion => ['src', 'dst', 'rule']
+    validates :count, :presence => true, :integer => true
+    validates :seconds, :presence => true, :integer => true
+    validates :new_action, :presence => true, :inclusion => ['alert', 'drop', 'pass', 'log', 'sdrop', 'reject']
+    validates :timeout, :presence => true, :integer => true
+    validates :apply_to, :if => :not_track_by_rule?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
+    validates :comment, :if => :comment_set?, :format => /^\s*#.*/
+
+    def comment_set?(entity)
+      entity.comment
+    end
 
-      def not_track_by_rule?(entity)
-        if entity.apply_to == nil
-          entity.track_by == false
-        else
-          entity.track_by != 'rule'
+    def not_track_by_rule?(entity)
+      if entity.apply_to == nil
+        entity.track_by == false
+      else
+        entity.track_by != 'rule'
       end
     end
 
   end
 
-  class RateFilter 
+  class RateFilter
 
-  	attr_accessor :gid, :sid, :track_by, :count, :seconds, :new_action, :timeout, :apply_to, :comment
+    attr_accessor :gid, :sid, :track_by, :count, :seconds, :new_action, :timeout, :apply_to, :comment
 
     include Veto.model(RateFilterValidator.new)
     include Comparable
@@ -107,27 +107,27 @@ module Threshold
       transform(line) unless line.empty?
     end
 
-  	def to_s(skip = false)
+    def to_s(skip = false)
 
-      if self.valid? 
-         if apply_to == nil then
-           if comment?(skip)
+      if self.valid?
+        if apply_to == nil then
+          if comment?(skip)
             "rate_filter gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} #{@comment}"
-           else
+          else
             "rate_filter gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout}"
-           end  
-         else
-           if comment?(skip)
+          end
+        else
+          if comment?(skip)
             "rate_filter gen_id #{@gid}, sig_id #{@sid}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} apply_to #{@apply_to} #{@comment}"
-           else
+          else
             "rate_filter gen_id #{@gid}, sig_id #{@sid}, count #{@count}, seconds #{@seconds}, new_action #{@new_action}, timeout #{@timeout} apply_to #{@apply_to}"
-           end 
-         end 
+          end
+        end
       else
         raise InvalidRateFilterObject, 'Rate Filter did not validate'
       end
-  	end
-    
+    end
+
     #State does not track comments
     def state
       [@gid, @sid, @track_by, @count, @seconds, @new_action, @timeout, @apply_to]
@@ -136,7 +136,7 @@ module Threshold
     private
 
     def transform(result)
-      begin 
+      begin
         self.gid = result["GID"].compact.first.to_i
         self.sid = result["SID"].compact.first.to_i
         self.track_by = result["TRACK"].compact.first.split('_')[1]
@@ -150,7 +150,7 @@ module Threshold
           self.apply_to = result["IPCIDR"].compact.first
         end
         if result.key?("COMMENT")
-          self.comment = result["COMMENT"].compact.first.chomp
+          self.comment = result["COMMENT"].compact.first.strip
         end
         raise InvalidRateFilterObject unless self.valid?
       rescue
@@ -160,4 +160,4 @@ module Threshold
 
   end
 
-end
+end

data/lib/threshold/standalone.rb

@@ -10,7 +10,7 @@ module Threshold
           return true
         else
           return false
-        end  
+        end
       end
     end
 
@@ -28,30 +28,30 @@ module Threshold
     def include?(an0ther)
       return false unless an0ther.class == self.class
 
-      state.zip(an0ther.state).each{ |item| 
+      state.zip(an0ther.state).each{ |item|
         if !(item[1].nil?)
-          return false unless item[0] == item[1] 
-        end  
+          return false unless item[0] == item[1]
+        end
       }
 
       return true
-    end  
+    end
 
     #Comparable
     def <=>(anOther)
       #gid <=> anOther.gid
       c = self.class.to_s <=> anOther.class.to_s
-      if c == 0 then 
+      if c == 0 then
         d = self.gid <=> anOther.gid
         if d == 0 then
           self.sid <=> anOther.sid
         else
           return d
-        end   
+        end
       else
         return c
       end
     end
 
   end
-end
+end

data/lib/threshold/suppression.rb

@@ -1,7 +1,7 @@
 
 # suppress \
 #     gen_id <gid>, sig_id <sid>
-# 
+#
 # suppress \
 #     gen_id <gid>, sig_id <sid>, \
 #     track by_src|by_dst, \
@@ -16,32 +16,32 @@ module Threshold
 
   # Create a Suppression validator
   class SuppressionValidator
-      include Veto.validator
+    include Veto.validator
 
-      validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
+    validates :comment, :if => :comment_set?, :format => /^\s*?#.*/
 
-      validates :gid, :presence => true, :integer => true
-      validates :sid, :presence => true, :integer => true
+    validates :gid, :presence => true, :integer => true
+    validates :sid, :presence => true, :integer => true
 
-      validates :track_by, :presence => true, :if => :ip_set?, :inclusion => ['src', 'dst']
-      validates :ip, :presence => true, :if => :track_by_set?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
+    validates :track_by, :presence => true, :if => :ip_set?, :inclusion => ['src', 'dst']
+    validates :ip, :presence => true, :if => :track_by_set?, :format => /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?$/
 
-      def comment_set?(entity)
-          entity.comment
-      end
+    def comment_set?(entity)
+      entity.comment
+    end
 
-      def track_by_set?(entity)
-          entity.track_by
-      end
+    def track_by_set?(entity)
+      entity.track_by
+    end
 
-      def ip_set?(entity)
-          entity.ip
-      end
+    def ip_set?(entity)
+      entity.ip
+    end
   end
 
-  class Suppression 
+  class Suppression
 
-  	attr_accessor :gid, :sid, :track_by, :ip, :comment
+    attr_accessor :gid, :sid, :track_by, :ip, :comment
 
     include Veto.model(SuppressionValidator.new)
     include Comparable
@@ -51,25 +51,25 @@ module Threshold
       transform(line) unless line.empty?
     end
 
-  	def to_s(skip = false)
+    def to_s(skip = false)
       if self.valid?
-    		if track_by == nil then
+        if track_by == nil then
           if comment?(skip)
-    		    "suppress gen_id #{@gid}, sig_id #{@sid} #{@comment}"
+            "suppress gen_id #{@gid}, sig_id #{@sid}#{@comment}"
           else
             "suppress gen_id #{@gid}, sig_id #{@sid}"
-          end  
-    		else
-    		  if comment?(skip)
+          end
+        else
+          if comment?(skip)
             "suppress gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, ip #{@ip} #{@comment}"
           else
             "suppress gen_id #{@gid}, sig_id #{@sid}, track by_#{@track_by}, ip #{@ip}"
-          end  
-    		end
+          end
+        end
       else
         raise InvalidSuppressionObject, 'Suppression did not validate'
       end
-  	end
+    end
 
     #State does not track comments
     def state
@@ -79,7 +79,7 @@ module Threshold
     private
 
     def transform(result)
-      begin 
+      begin
         self.gid = result["GID"].compact.first.to_i
         self.sid = result["SID"].compact.first.to_i
         if result.key?("TRACK")
@@ -89,7 +89,7 @@ module Threshold
           self.ip = result["IP"].compact.first
         end
         if result.key?("COMMENT")
-          self.comment = result["COMMENT"].compact.first.chomp
+          self.comment = result["COMMENT"].compact.first.strip
         end
         raise InvalidSuppressionObject unless self.valid?
       rescue
@@ -101,4 +101,4 @@ module Threshold
 
   end
 
-end
+end

data/lib/threshold/thresholds.rb

@@ -20,8 +20,7 @@ module Threshold
 
     # Write changes to the file
     def flush
-      
-      begin 
+      begin
         valid_existing_file?(@file)
         raise ReadOnlyThresholdsFile if @readonly
         hash = current_hash
@@ -38,10 +37,10 @@ module Threshold
       end
 
       stored_hash=current_hash
-      return true 
+      return true
     end
 
-    # Clears current collection and Read in the thresholds.conf file 
+    # Clears current collection and Read in the thresholds.conf file
     def loadfile!
       @thresholds.clear
       loadfile
@@ -55,16 +54,16 @@ module Threshold
       @stored_hash= results.filehash
       #puts stored_hash
       results.caps.each do |result|
-         builder = Threshold::Builder.new(result)
-         self << builder.build
+        builder = Threshold::Builder.new(result)
+        self << builder.build
       end
 
     end
 
     # Check if all objects in the Threshold Instance report .valid?
     def valid?
-      begin 
-        self.each do |threshold| 
+      begin
+        self.each do |threshold|
           if threshold.respond_to?(:valid?)
             return false unless threshold.valid?
           else
@@ -76,8 +75,7 @@ module Threshold
         return false
       end
     end
-    
-    # Printer
+        # Printer
     # Pass (true) to_s to skip the printing of InternalObjects.comment
     def to_s(skip = false)
       output = ""
@@ -94,8 +92,7 @@ module Threshold
     def stored_hash
       @stored_hash
     end
-    
-    def to_a
+        def to_a
       @thresholds
     end
 
@@ -103,8 +100,7 @@ module Threshold
     ## Corrected for forwardable due to Core Array returning new Arrays on the methods.
 
     # Array(@thresholds) Creates a new Array on @threshold.sort so.. direct forwardable delegation fails.
-    
-    # Returns a new Threshold Object
+        # Returns a new Threshold Object
     def sort
       Thresholds.new(@thresholds.sort)
     end
@@ -121,34 +117,34 @@ module Threshold
 
     # Returns a new Threshold Object
     def reject(&blk)
-      if block_given? 
+      if block_given?
         Thresholds.new(@thresholds.reject(&blk))
       else
         Thresholds.new(@thresholds.reject)
-      end   
+      end
     end
 
     # Returns a new Threshold Object
     def select(&blk)
-      if block_given? 
+      if block_given?
         Thresholds.new(@thresholds.select(&blk))
       else
         Thresholds.new(@thresholds.select)
-      end   
+      end
     end
 
     #Uniques by default to printable output
     # Returns a new Threshold Object
     def uniq(&blk)
-      if block_given? 
+      if block_given?
         Thresholds.new(@thresholds.uniq(&blk))
       else
         Thresholds.new(@thresholds.uniq{ |lineitem| lineitem.to_s(true) })
-      end   
-    end  
+      end
+    end
 
     ## Complex SET Methods
-    ## &(union), | (intersect), + (concat), - (Difference) 
+    ## &(union), | (intersect), + (concat), - (Difference)
 
     # + (concat)
     # Returns a new Threshold Object
@@ -161,14 +157,13 @@ module Threshold
     def |(an0ther)
       Thresholds.new(@thresholds | an0ther.to_a)
     end
-    
-    # & (union)
+        # & (union)
     # Returns a new Threshold Object
     def &(an0ther)
       Thresholds.new(@thresholds & an0ther.to_a)
     end
 
-    # - (Difference) 
+    # - (Difference)
     # Returns a new Threshold Object
     def -(an0ther)
       Thresholds.new(@thresholds - an0ther.to_a)
@@ -176,16 +171,16 @@ module Threshold
 
     # Returns a new Threshold Object with just suppressions
     def suppressions(&blk)
-      if block_given? 
+      if block_given?
         self.suppressions.select(&blk)
       else
-       Thresholds.new(@thresholds.select{|t| t.class.to_s == "Threshold::Suppression"})
+        Thresholds.new(@thresholds.select{|t| t.class.to_s == "Threshold::Suppression"})
       end
     end
 
     # Returns a new Threshold Object with just event_filters
     def event_filters(&blk)
-      if block_given? 
+      if block_given?
         self.event_filters.select(&blk)
       else
         Thresholds.new(@thresholds.select{|t| t.class.to_s == "Threshold::EventFilter"})
@@ -194,7 +189,7 @@ module Threshold
 
     # Returns a new Threshold Object with just rate_filters
     def rate_filters(&blk)
-      if block_given? 
+      if block_given?
         self.rate_filters.select(&blk)
       else
         Thresholds.new(@thresholds.select{|t| t.class.to_s == "Threshold::RateFilter"})
@@ -209,7 +204,7 @@ module Threshold
     end
 
     def current_hash
-      file = File.open(@file, 'rb+') 
+      file = File.open(@file, 'rb+')
       file.flock(File::LOCK_EX)
       hash = Digest::MD5.file @file
       file.close
@@ -227,4 +222,4 @@ module Threshold
 
 
   end
-end
+end

data/lib/threshold/version.rb

@@ -1,4 +1,4 @@
-  module Threshold
-    VERSION = '0.2.2'
-    SNORT_VERSION='~>2.9.3'
-  end
+module Threshold
+  VERSION = '0.2.3'
+  SNORT_VERSION='~>2.9.3'
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: threshold
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Shadowbq
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-24 00:00:00.000000000 Z
+date: 2015-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: veto