GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  PARSE::SNORT (3)

.ds Aq ’

NAME

Parse::Snort - Parse and create Snort rules

CONTENTS

VERSION

Version 0.05

SYNOPSIS



    use Parse::Snort;

    my $rule = Parse::Snort->new(
      action => alert,
      proto => tcp,
      src => $HOME_NET, src_port => any,
      direction => ->
      dst =>$EXTERNAL_NET, dst_port => any
    );

    $rule->action("pass");

    $rule->opts(
        [ depth => 50 ],
        [ offset => 0 ],
        [ content => "perl6" ],
        [ "nocase" ]
    );

    my $rule = Parse::Snort->new();
    $rule->parse(pass tcp $HOME_NET any -> $EXTERNAL_NET 6667;);
    $rule->msg("IRC server");
    my $rule_string = $rule->as_string;
);



METHODS

These are the object methods that can be used to read or modify any part of a Snort rule. <B>Please note: None of these methods provide any sort of input validation to make sure that the rule makes sense, or can be parsed at all by Snort.B>
new () Create a new Parse::Snort object, and return it. There are a couple of options when creating the object:
new ( ) Create an unpopulated object, that can be filled in using the individual rule element methods, or can be populated with the parse method.
new ( $rule_string ) Create an object based on a plain text Snort rule, all on one line. This module doesn’t understand the UNIX style line continuations (a backslash at the end of the line) that Snort does.



  $rule_string = alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;)



new ( $rule_element_hashref ) Create an object baesd on a prepared hash reference similar to the internal strucutre of the Parse::Snort object.



  $rule_element_hashref = {
    action => alert,
    proto => tcp,
    src => $EXTERNAL_NET, src_port => any,
    direction => ->,
    dst => $HOME_NET, dst_port => any,
    opts => [
        [ msg => "perl 6 download detected\; may the world rejoice!" ],
        [ depth => 150 ],
        [ offset => 0 ].
        [ content => perl-6.0.0 ],
        [ nocase ],
    ],
     
  };



parse( $rule_string ) The parse method is what interprets a plain text rule, and populates the rule object. Beacuse this module does not support the UNIX style line-continuations (backslash at the end of a line) the rule must be all on one line, otherwise the parse will fail in unpredictably interesting and confusing ways. The parse method tries to interpret the rule from left to right, calling the individual accessor methods for each rule element. This will overwrite the contents of the object (if any), so if you want to parse multiple rules at once, you will need multiple objects.



  $rule->parse($rule_string);



    METHODS FOR ACCESSING RULE ELEMENTS

You can access the core parts of a rule (action, protocol, source IP, etc) with the method of their name. These are read/write Class::Accessor accessors. If you want to read the value, don’t pass an argument. If you want to set the value, pass in the new value. In either case it returns the current value, or undef if the value has not been set yet.
action The rule action. Generally one of the following: alert, pass, drop, sdrop, or log.
proto The protocol of the rule. Generally one of the following: tcp, udp, ip, or icmp.
src The source IP address for the rule. Generally a dotted decimal IP address, Snort $HOME_NET variable, or CIDR block notation.
src_port The source port for the rule. Generally a static port, or a contigious range of ports.
direction The direction of the rule. One of the following: -> <> or <-.
dst The destination IP address for the rule. Same format as src
dst_port The destination port for the rule. Same format as src
opts ( $opts_array_ref )
opts ( $opts_string ) The opts method can be used to read existing options of a parsed rule, or set them. The method takes two forms of arguments, either an Array of Arrays, or a rule string.
$opts_array_ref


  $opts_array_ref = [
       [ msg => "perl 6 download detected\; may the world rejoice!" ],
       [ depth => 150 ],
       [ offset => 0 ].
       [ content => perl-6.0.0 ],
       [ nocase ],
  ]



$opts_string


  $opts_string=(msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;);



The parenthesis surround the series of key:value; pairs are optional.

    HELPER METHODS FOR VARIOUS OPTIONS

sid
rev
msg
classtype
gid
metadata
priority The these methods allow direct access to the rule option of the same name



  my $sid = $rule_obj->sid(); # reads the sid of the rule
  $rule_obj->sid($sid); # sets the sid of the rule
  ... etc ...



references The references method permits read-only access to the reference: options in the rule. This is in the form of an array of arrays, with each reference in the format



  [ reference_type => reference_value ]



To modify references, use the opts method to grab all the rule options, modify it to your needs, and use the opts method to save your changes back to the rule object.



  $references = $rule->references(); # just the references
  $no_references = grep { $_->[0] != "reference" } @{ $rule->opts() }; # everything but the references



as_string The as_string method returns a string that matches the normal Snort rule form of the object. This is what you want to use to write a rule to an output file that will be read by Snort.

AUTHOR

Richard G Harman Jr, <perl-cpan at richardharman.com>

BUGS

Please report any bugs or feature requests to bug-parse-snort at rt.cpan.org, or through the web interface at <http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Parse-Snort>. I will be notified, and then you’ ll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.



    perldoc Parse::Snort



You can also look for information at:
o AnnoCPAN: Annotated CPAN documentation

<http://annocpan.org/dist/Parse-Snort>

o CPAN Ratings

<http://cpanratings.perl.org/d/Parse-Snort>

o RT: CPAN’s request tracker

<http://rt.cpan.org/NoAuth/Bugs.html?Dist=Parse-Snort>

o Search CPAN

<http://search.cpan.org/dist/Parse-Snort>

DEPENDENCIES

Test::More, Class::Accessor, List::Util

ACKNOWLEDGEMENTS

MagNET #perl for putting up with me :)

COPYRIGHT & LICENSE

Copyright 2007 Richard Harman, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

Search for    or go to Top of page |  Section 3 |  Main Index


perl v5.20.3 PARSE::SNORT (3) 2011-05-20

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.