class Snort::Rule
This class stores the components of a Snort rule and generates the rule text from them.
Constants
- VERSION
Attributes
Public Class Methods
Initializes the Rule
@param [Hash] kwargs The options to initialize the Rule
with
@option kwargs [String] :enabled true or false
@option kwargs [String] :action The action
@option kwargs [String] :proto The protocol
@option kwargs [String] :src The source IP
@option kwargs [String] :sport The source port
@option kwargs [String] :dir The direction of traffic flow
@option kwargs [String] :dst The destination IP
@option kwargs [String] :dport The destination port
@option kwargs [Array] :options Option objects that know how to represent themselves as a string properly
# File lib/snort/rule.rb, line 30
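def initialize(kwargs={})
  # A rule is enabled unless :enabled is explicitly given as nil/false or
  # as one of the textual "off" spellings (matched case-insensitively);
  # any other value, including unrelated strings, leaves it enabled.
  @enabled = true
  if kwargs.key?(:enabled)
    flag = kwargs[:enabled]
    @enabled = false if !flag || %w[false no off].include?(flag.to_s.downcase)
  end
  # Header fields fall back to the most permissive Snort defaults.
  @action = kwargs[:action] || 'alert'
  @proto = kwargs[:proto] || 'IP'
  @src = kwargs[:src] || 'any'
  @sport = kwargs[:sport] || 'any'
  @dir = kwargs[:dir] || '->'
  @dst = kwargs[:dst] || 'any'
  @dport = kwargs[:dport] || 'any'
  # @options keeps insertion order; @options_hash indexes them by keyword.
  # Every option goes through add_option so the two stay in step.
  @options = []
  @options_hash = {}
  (kwargs[:options] || []).each { |opt| add_option(opt) }
  @comments = kwargs[:comments]
end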
Parses a Snort rule string into a Rule object
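# File lib/snort/rule.rb, line 157
# Parses the text of a single Snort rule into a Rule.
#
# @param string [String] the rule text, optionally commented out with a
#   leading '#'
# @return [Snort::Rule] the populated rule
# @raise [ArgumentError] when the header does not look like a rule (no
#   recognised direction token) or a bare option argument appears before
#   any "keyword:value" option
def self.parse(string)
  rule = Snort::Rule.new
  rulestr = string.strip
  # A leading '#' (after stripping) marks a disabled rule; remove the
  # marker(s) and the whitespace after them before parsing the rest. Only
  # the start of the string is inspected, so a '#' that merely begins a
  # later line inside the option body is not mistaken for the marker.
  if rulestr.start_with?('#')
    rule.enabled = false
    rulestr = rulestr.sub(/\A#+\s*/, '')
  end
  rulepart, optspart = rulestr.split(/\s*\(\s*/, 2)
  raise ArgumentError, "Unable to parse rule, #{string.inspect}" if rulepart.nil?
  rule.action, rule.proto, rule.src, rule.sport, rule.dir, rule.dst, rule.dport = rulepart.split(/\s+/)
  # The direction token is the cheapest sanity check that the header is a
  # rule at all and not, say, a stray comment line.
  unless %w[<> <- ->].include?(rule.dir)
    raise ArgumentError, "Unable to parse rule, #{rulepart}"
  end
  return rule unless optspart
  # Drop the closing ");" and anything after it, then walk the
  # ';'-separated option list. "keyword:value" entries become options and
  # are registered through add_option so the keyword index stays current;
  # a bare entry is appended as an extra argument of the preceding option.
  optspart.gsub(/;\s*\).*$/, '').split(/\s*;\s*/).each do |segment|
    if segment =~ /(.*?):(.*)/
      keyword, value = segment.split(/:/, 2)
      rule.add_option(Snort::RuleOption.new(keyword, value))
    else
      previous = rule.options.last
      if previous.nil?
        # Previously a NoMethodError on nil; report malformed input as such.
        raise ArgumentError, "Unable to parse rule option #{segment.inspect}: no preceding option"
      end
      previous.arguments << segment
    end
  end
  rule
end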
Public Instance Methods
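# File lib/snort/rule.rb, line 96
# Appends an option to the rule and indexes it by keyword.
#
# @param option [Snort::RuleOption, Array] either an option object that
#   responds to #keyword, or an Array of the form [keyword, arg1, arg2, ...]
#   which is converted to a RuleOption
# @raise [ArgumentError] when an empty Array is given (no keyword)
def add_option(option)
  if option.is_a?(Array)
    raise ArgumentError, 'option array must start with a keyword' if option.empty?
    # option[1..-1] keeps every argument; the earlier option[1,100] slice
    # capped the argument list at 100 entries and silently dropped the rest.
    option = Snort::RuleOption.new(option[0], option[1..-1])
  end
  @options << option
  # @options_hash groups options by keyword in insertion order so the
  # get_option* accessors can look them up without scanning @options.
  (@options_hash[option.keyword] ||= []) << option
end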
# File lib/snort/rule.rb, line 114
# Removes every option from the rule, resetting both the ordered list and
# the keyword index.
def clear_options
  @options_hash = {}
  @options = []
end
# File lib/snort/rule.rb, line 107
# Removes an option from the rule.
#
# @param option [#keyword] the option object to remove; it is deleted from
#   the ordered list and from the bucket for its keyword, if that bucket
#   exists
def del_option(option)
  @options.delete(option)
  bucket = @options_hash[option.keyword]
  bucket.delete(option) if bucket
end
# File lib/snort/rule.rb, line 92
# Marks the rule as disabled; #to_s then renders it with a leading '#'.
def disable
  @enabled = false
end
# File lib/snort/rule.rb, line 88
# Marks the rule as enabled (the default state of a new rule).
def enable
  @enabled = true
end
# File lib/snort/rule.rb, line 119
# Returns the single argument of an option that occurs exactly once.
#
# @param option_name [String] the option keyword
# @return [Object, nil] the argument when exactly one option with this
#   keyword exists and it has exactly one argument; nil otherwise
#   (unknown keyword, repeated option, or zero/multiple arguments)
def get_option(option_name)
  matches = @options_hash[option_name]
  return nil unless matches && matches.length == 1
  args = matches[0].arguments
  args.length == 1 ? args[0] : nil
end
# File lib/snort/rule.rb, line 134
# Returns the first argument of the first option with the given keyword.
#
# @param option_name [String] the option keyword
# @return [Object, nil] the first argument of the first matching option,
#   or nil when the keyword is unknown or that option has no arguments
def get_option_first(option_name)
  matches = @options_hash[option_name]
  return nil if matches.nil? || matches.empty?
  args = matches[0].arguments
  args.empty? ? nil : args[0]
end
# File lib/snort/rule.rb, line 145
# Returns the first argument of the last option with the given keyword.
#
# @param option_name [String] the option keyword
# @return [Object, nil] the first argument of the last matching option,
#   or nil when the keyword is unknown or that option has no arguments
def get_option_last(option_name)
  matches = @options_hash[option_name]
  return nil if matches.nil? || matches.empty?
  args = matches.last.arguments
  args.empty? ? nil : args[0]
end
# File lib/snort/rule.rb, line 130
# Returns every option registered under a keyword.
#
# @param option_name [String] the option keyword
# @return [Array, nil] the options with that keyword in insertion order,
#   or nil when the keyword was never added
def get_options(option_name)
  @options_hash.fetch(option_name, nil)
end
# File lib/snort/rule.rb, line 70
# Serialises the rule as JSON.
#
# @param options_only [Boolean] when true, only the option list is
#   serialised; otherwise the header fields, enabled flag and options are
#   emitted as one object
# @return [String] the JSON text
def to_json(options_only=false)
  return @options.to_json if options_only

  {
    enabled: @enabled,
    action: @action,
    proto: @proto,
    src: @src,
    sport: @sport,
    dir: @dir,
    dst: @dst,
    dport: @dport,
    options: @options
  }.to_json
end
Renders the current object as a Snort rule string
# File lib/snort/rule.rb, line 53
# Renders the rule as Snort rule text.
#
# @param options_only [Boolean] when true, only the space-joined options
#   are returned (no header, no surrounding parentheses); the comments
#   and the '#' disabled marker are still prefixed
# @return [String] the rule text; a disabled rule is prefixed with '#'
def to_s(options_only=false)
  rule = ''
  rule += @comments if @comments
  rule += '#' unless @enabled
  header = [@action, @proto, @src, @sport, @dir, @dst, @dport].join(' ')
  rule += header unless options_only
  if @options.any?
    rule += ' (' unless options_only
    rule += @options.join(' ')
    rule += ')' unless options_only
  end
  rule
end