
NAME

Parse::Snort - Parse and create Snort rules

VERSION

Version 0.01

SYNOPSIS

    use Parse::Snort;

    # Build a rule from its elements, then change the action and set options.
    my $rule = Parse::Snort->new(
        action    => 'alert',
        proto     => 'tcp',
        src       => '$HOME_NET',     src_port => 'any',
        direction => '->',
        dst       => '$EXTERNAL_NET', dst_port => 'any',
    );
    $rule->action("pass");
    $rule->opts(
        [ 'depth'   => 50 ],
        [ 'offset'  => 0 ],
        [ 'content' => "perl6" ],
        [ "nocase" ],
    );

    # Parse an existing rule string, modify it, and render it back to text.
    $rule = Parse::Snort->new();
    $rule->parse('pass tcp $HOME_NET any -> $EXTERNAL_NET 6667;');
    $rule->msg("IRC server");
    my $rule_string = $rule->as_string;

METHODS

The following methods can be used to read or modify parts of a rule.

new

This function will create a new Parse::Snort object. You may pass nothing, a string containing a properly formatted Snort rule, or a hash reference of rule elements and options.

    $rule_string = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;)';

    $rule_element_hashref = {
        action    => 'alert',
        proto     => 'tcp',
        src       => '$EXTERNAL_NET', src_port => 'any',
        direction => '->',
        dst       => '$HOME_NET',     dst_port => 'any',
        opts      => [
            [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
            [ 'depth'   => 150 ],
            [ 'offset'  => 0 ],
            [ 'content' => 'perl-6.0.0' ],
            [ 'nocase' ],
        ],
    };

parse

The parse method can be used to parse a Snort rule string after new() has been called. The rule object will be populated with the parsed version of $rule_string, overwriting any previously defined values in the object.

    $rule_object->parse($rule_string);
The following methods read or modify the various rule elements.

action

The rule action. Generally one of the following: alert, pass, drop, sdrop, or log.

proto

The protocol of the rule. Generally one of the following: tcp, udp, ip, or icmp.

src

The source IP address for the rule. Generally a dotted decimal IP address, a Snort variable such as $HOME_NET, or a CIDR block.

src_port

The source port for the rule. Generally a static port, or a contiguous range of ports.

direction

The direction of the rule. One of the following: ->, <>, or <-.

dst

The destination IP address for the rule. Same format as src.

dst_port

The destination port for the rule. Same format as src_port.
opts

The opts method can be used to read the existing options of a parsed rule, or to set them. The method takes two forms of arguments: either an array of arrays, or a rule options string.

    $opts_array_ref = [
        [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
        [ 'depth'   => 150 ],
        [ 'offset'  => 0 ],
        [ 'content' => 'perl-6.0.0' ],
        [ 'nocase' ],
    ];

    $opts_string = '(msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;)';

The parentheses surrounding the series of key:value; pairs are optional.
sid, rev, msg, classtype

The sid, rev, msg, and classtype methods allow direct access to the rule option of the same name.

    my $sid = $rule_obj->sid();   # reads the sid of the rule
    $rule_obj->sid($sid);         # sets the sid of the rule
    # ... etc ...
references

The references method returns an array reference of the references in the rule. Each reference is an array, in [ 'reference_type' => 'reference_value' ] format. To modify references, use the opts method.

as_string

The as_string method returns a string that matches the normal Snort rule form of the object. This is what you want to use to write a rule to an output file that will be read by Snort.
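The accessors above are enough to audit a ruleset before it is loaded into a sensor. The script below is an added example and not part of the module's own documentation: it parses a small constructed ruleset, flags rules that are hard to triage (no sid, msg or classtype) or that match all traffic on a protocol without any payload condition, and then re-emits every rule through as_string so the output has one consistent layout. It assumes, beyond what the page states, that opts() returns an array reference of [ key => value ] pairs and that sid(), msg() and classtype() return undef when the option is absent from the rule.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Parse::Snort;

# Constructed sample ruleset (not from the module's documentation).
# Blank lines and '#' comment lines are skipped, as Snort itself does.
my @rule_lines = grep { /\S/ && !/^\s*#/ } split /\n/, <<'RULES';
# constructed rules for the audit below
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001; rev:1; classtype:attempted-recon;)
alert tcp any any -> any any (msg:"overly broad rule with no content"; sid:1000002; rev:1; classtype:misc-activity;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (content:"|00 01 00 00|"; offset:4; depth:4; sid:1000003; rev:2; msg:"DNS query with one question";)
pass tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC server";)
RULES

# audit_rules: parse each rule and return a list of human-readable findings.
# Assumptions (not stated in the module docs): opts() returns an array
# reference of [ key => value ] pairs, and sid()/msg()/classtype() return
# undef when that option is absent from the rule.
sub audit_rules {
    my @lines = @_;
    my @findings;

    for my $line (@lines) {
        my $rule = Parse::Snort->new;
        $rule->parse($line);

        my $label = defined $rule->sid
            ? 'sid ' . $rule->sid
            : "rule '" . substr( $line, 0, 40 ) . "...'";

        # Alerts without sid/msg/classtype are hard to tune, suppress or triage.
        push @findings, "$label: missing sid" unless defined $rule->sid;
        push @findings, "$label: missing msg" unless defined $rule->msg;
        push @findings, "$label: missing classtype"
            if $rule->action eq 'alert' && !defined $rule->classtype;

        # An alert on any:any -> any:any with no payload match fires on every
        # packet of that protocol: noisy at best, expensive at worst.
        my @opts = @{ $rule->opts || [] };
        my $has_payload_match = grep { $_->[0] =~ /^(?:content|pcre)$/ } @opts;
        if (   ( $rule->src      // '' ) eq 'any'
            && ( $rule->dst      // '' ) eq 'any'
            && ( $rule->src_port // '' ) eq 'any'
            && ( $rule->dst_port // '' ) eq 'any'
            && !$has_payload_match )
        {
            push @findings, "$label: any->any with no content/pcre match";
        }
    }
    return @findings;
}

# normalize_rules: re-emit every rule through as_string so the output file
# has one consistent layout regardless of how the source rules were written.
sub normalize_rules {
    my @lines = @_;
    return map {
        my $rule = Parse::Snort->new;
        $rule->parse($_);
        $rule->as_string;
    } @lines;
}

print "$_\n" for audit_rules(@rule_lines);
print "--- normalized ruleset ---\n";
print "$_\n" for normalize_rules(@rule_lines);
```

Running this over a real rules file is a matter of replacing the heredoc with the file's lines; the findings list is what you want to review before the ruleset reaches a production sensor, and the normalized output is what you hand to Snort.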

AUTHOR

Richard G Harman Jr, <perl-cpan at richardharman.com>

BUGS

Please report any bugs or feature requests to bug-parse-snort at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Parse-Snort. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc Parse::Snort

You can also look for information at:

Test::More, Class::Accessor, List::Util

ACKNOWLEDGEMENTS

MagNET #perl for putting up with me :)

COPYRIGHT & LICENSE

Copyright 2007 Richard Harman, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.