GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  SNORT::RULE (3)

.ds Aq ’

NAME

Snort::Rule - Perl extension for dynamically building snort rules

CONTENTS

SYNOPSIS



  use Snort::Rule;
  $rule = Snort::Rule->new(
        -action => alert,
        -proto  => tcp,
        -src    => any,
        -sport  => any,
        -dir    => ->,
        -dst    => 192.188.1.1,
        -dport  => 44444,
  );

  $rule->opts(msg,Test Rule");
  $rule->opts(threshold,type limit,track by_src,count 1,seconds 3600);
  $rule->opts(sid,500000);

  print $rule->string()."\n";

  OR

  $rule = alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;);

  $rule = Snort::Rule->new(-parse => $rule);
  print $rule->string()."\n";



DESCRIPTION

This is a very simple snort rule object. It was developed to allow for scripted dynamic rule creation. Ideally you could dynamically take a list of bad hosts and build an array of snort rule objects from that list. Then write that list using the string() method to a snort rules file.

OBJECT METHODS

    new

Reads in the initial headers to generate a rule and constructs the snort::rule object around it.

Accepts:



  -action => [string] ? [alert|log|pass|...] : alert
  -proto => [string] ? [ip|udp|tcp|...] : IP
  -src => [string] ? [$strIp] : any
  -sport => [int] ? [$sport] : any
  -dir => [string] ? [->|<-|<>] : ->
  -dst => [string] ? [$strIp] : any
  -dport => [int] ? [$dport] : any
  -opts => [hashref] ? [hashref] : ;

  -parse => $strRule # for parsing an existing rule into the object



Returns: OBJECTREF

    string

Outputs the rule in string form.



  print $sr->string()."\n";



Prints options only string:



  print $sr->string(-optionsOnly => 1)."\n";



    action

Sets and returns the rule action [alert,log,pass,...]



  $rule->action(alert);



    proto

Sets and returns the protocol used in the rule [tcp,icmp,udp]



  $rule->proto(tcp);



    src

Sets and returns the source used in the rule. Make sure you use SINGLE QUOTES for variables!!!



  $rule->src($EXTERNAL_NET);



    sport

Sets and returns the source port used in the rule



  $rule->sport(80);



    dir

Sets and returns the direction operator used in the rule, -> <- or <>



  $rule->dir(->);



    dst

Sets and returns the destination used in the rule



  $rule->dst($HOME_NET);
  $rule->dst(192.168.1.1);



    dport

Sets and returns the destination port used in the rule



  $rule->dport(6667);



    opts

Sets an option and a value used in the rule. This currently can only be done one set at a time, and is printed in the order it was set.



  $rule->opts(option,value);
  $rule->opts(msg,this is a test rule);



This will return a hashref: $hashref->{$keyOrderValue}->{option} and $hashref->{$keyOrderValue}->{value}



  my $hashref = $rule->opts();



There is a fixQuotes() function that reads through this information before setting it, just to ensure the right options are sane. It’s a very very basic function, but it seems to get the job done.

This method will also accept HASHREF’s for easier use:



  $rule->opts({
        msg     => test1,
        rev     => 222,
        content => Subject|3A|,
        nocase => ,
  });

  By passing an option => , the parser will set its value to "". When $self->string() is called, the option will be written as: option;
  ex: nocase => , will result in an option output of: ...., nocase; ...



    opt

Gets the value of the first option with a given name.



  $rule->opt(option);
  print $rule->opt(sid) . :  . $rule->opt(msg);



AUTHOR

Wes Young, <saxguard9-cpan@yahoo.com>

COPYRIGHT AND LICENSE

Copyright (C) 2006 by Wes Young

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.

Search for    or go to Top of page |  Section 3 |  Main Index


perl v5.20.3 SNORT::RULE (3) 2008-10-27

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.