NAME
Parse::Snort - Parse and create Snort rules
VERSION
Version 0.01
SYNOPSIS
    use Parse::Snort;

    my $rule = Parse::Snort->new(
        action    => 'alert',
        proto     => 'tcp',
        src       => '$HOME_NET',     src_port => 'any',
        direction => '->',
        dst       => '$EXTERNAL_NET', dst_port => 'any',
    );
    $rule->action("pass");
    $rule->opts(
        [ 'depth'   => 50 ],
        [ 'offset'  => 0 ],
        [ 'content' => "perl6" ],
        [ 'nocase' ],
    );

    my $parsed = Parse::Snort->new();
    $parsed->parse('pass tcp $HOME_NET any -> $EXTERNAL_NET 6667');
    $parsed->msg("IRC server");
    my $rule_string = $parsed->as_string;
METHODS
The following methods can be used to read or modify parts of a rule.
- new($rule_string), new($rule_element_hashref)
  Creates a new Parse::Snort object. You may pass nothing, a string containing a properly formatted Snort rule, or a hash reference of rule elements and options.
  - $rule_string
        $rule_string = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!"; depth:150; offset:0; content:"perl-6.0.0"; nocase;)';
  - $rule_element_hashref
        $rule_element_hashref = {
            action    => 'alert',
            proto     => 'tcp',
            src       => '$EXTERNAL_NET',
            src_port  => 'any',
            direction => '->',
            dst       => '$HOME_NET',
            dst_port  => 'any',
            opts      => [
                [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
                [ 'depth'   => 150 ],
                [ 'offset'  => 0 ],
                [ 'content' => 'perl-6.0.0' ],
                [ 'nocase' ],
            ],
        };
- parse($rule_string)
  The parse method can be used to parse a Snort rule string after new() has been called. The rule object is populated with the parsed version of $rule_string, overwriting any values previously set in the object.
        $rule_object->parse($rule_string);
METHODS FOR RULE ELEMENTS
The following methods read or modify the various rule elements.
- action
  The rule action. Generally one of the following: alert, pass, drop, sdrop, or log.
- proto
  The protocol of the rule. Generally one of the following: tcp, udp, ip, or icmp.
- src
  The source IP address for the rule. Generally a dotted-decimal IP address, a Snort variable such as $HOME_NET, or a CIDR block.
- src_port
  The source port for the rule. Generally a static port, or a contiguous range of ports written with a colon (for example 1024:65535).
- direction
  The direction of the rule. One of the following: ->, <>, or <-. Note that Snort's own rule syntax defines only -> and the bidirectional <>; a rule written with <- will not load in Snort as-is.
- dst
  The destination IP address for the rule. Same format as src.
- dst_port
  The destination port for the rule. Same format as src_port.
- opts($opts_array_ref), opts($opts_string)
  The opts method can be used to read the existing options of a parsed rule, or to set them. The method takes two forms of argument: either an array of arrays, or a rule-option string.
  - $opts_array_ref
        $opts_array_ref = [
            [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
            [ 'depth'   => 150 ],
            [ 'offset'  => 0 ],
            [ 'content' => 'perl-6.0.0' ],
            [ 'nocase' ],
        ];
  - $opts_string
        $opts_string = '(msg:"perl 6 download detected\; may the world rejoice!"; depth:150; offset:0; content:"perl-6.0.0"; nocase;)';
    The parentheses surrounding the series of key:value; pairs are optional. A semicolon inside a quoted value must be escaped as \; (as in the msg above) so that it is not taken as an option separator.
HELPER METHODS FOR OPTIONS
- sid, rev, msg, classtype
  The sid, rev, msg, and classtype methods allow direct access to the rule option of the same name.
        my $sid = $rule_obj->sid();   # reads the sid of the rule
        $rule_obj->sid($sid);         # sets the sid of the rule
        ... etc ...
- references
  The references method returns an array reference of the references in the rule. Each reference is an array in [ 'reference_type' => 'reference_value' ] format. To modify references, use the opts method.
- as_string
  The as_string method returns a string in the normal Snort rule form of the object. This is what you want to use to write a rule to an output file that will be read by Snort.
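The following is an added, worked example and not code from the Parse::Snort distribution. It ties together parse(), the rule-element accessors, opts(), the sid/classtype helpers, references and as_string described above in a small ruleset linter. The sample rules are constructed for the example; the audit policy, the placeholder reference URL, and the assumption that opts() returns in read form the same array-of-arrays structure the page documents for setting options are all this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Parse::Snort;

# Constructed sample ruleset for this example (not from the original page).
# The first msg carries an escaped semicolon, the edge case the page's own
# examples use; the second rule is deliberately overbroad; the third has no sid.
my @raw_rules = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH scan\; repeated banner grabs"; flow:to_server; content:"SSH-"; sid:1000001; rev:1; classtype:attempted-recon;)',
    'alert tcp any any -> any any (msg:"catch-all"; sid:1000002; rev:1;)',
    'pass udp $HOME_NET any -> any 53 (msg:"trusted resolver"; rev:2; reference:url,example.org/dns-policy;)',
);

# Returns the option list as an array of [ key, value ] pairs.
# Assumption: opts() in read form returns the same array-of-arrays structure
# that the page documents for setting options.
sub option_pairs {
    my ($rule) = @_;
    return @{ $rule->opts || [] };
}

# audit_rule: return a list of findings for one rule object. The checks are
# this example's own review policy, not something Parse::Snort provides.
sub audit_rule {
    my ($rule) = @_;
    my @findings;

    my $sid = $rule->sid;
    push @findings, 'missing sid'
        unless defined $sid && length $sid;

    my $classtype = $rule->classtype;
    push @findings, 'missing classtype'
        unless defined $classtype && length $classtype;

    # An alert on any/any -> any/any with no payload match fires on every packet.
    my $has_payload_match = grep { $_->[0] eq 'content' || $_->[0] eq 'pcre' } option_pairs($rule);
    push @findings, 'overbroad: any/any -> any/any without a content or pcre match'
        if $rule->action eq 'alert'
        && $rule->src eq 'any' && $rule->src_port eq 'any'
        && $rule->dst eq 'any' && $rule->dst_port eq 'any'
        && !$has_payload_match;

    # pass rules silence matching traffic, so each one deserves a second look.
    push @findings, 'pass rule: suppresses alerts for matching traffic'
        if $rule->action eq 'pass';

    return @findings;
}

# Append a reference through opts(), as the references section says to do.
sub add_reference {
    my ($rule, $value) = @_;
    my @opts = option_pairs($rule);
    push @opts, [ 'reference' => $value ];
    $rule->opts(\@opts);
    return;
}

for my $line (@raw_rules) {
    my $rule = Parse::Snort->new();
    $rule->parse($line);

    my @findings = audit_rule($rule);
    printf "%s %s %s:%s %s %s:%s\n", $rule->action, $rule->proto,
        $rule->src, $rule->src_port, $rule->direction, $rule->dst, $rule->dst_port;
    print "  finding: $_\n" for @findings;

    # Fix-ups that do not change what the rule matches: a classtype via its
    # helper, and a tracking reference (constructed placeholder URL) for rules
    # that have none.
    $rule->classtype('misc-activity')
        unless defined $rule->classtype && length $rule->classtype;
    add_reference($rule, 'url,wiki.example.org/ruleset')
        unless @{ $rule->references || [] };

    # as_string gives back the rule in the form Snort reads, including the
    # escaped semicolon inside the msg.
    print "  rewritten: ", $rule->as_string, "\n";
}
```

Run it with the module installed and it prints the header of each rule, the findings for it, and the rewritten rule. The overbroad check deliberately ignores rules that carry a content or pcre match, since a payload match is what keeps an any/any rule from firing on every packet; a missing sid is reported rather than invented, because sids have to be allocated from a range you control.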
AUTHOR
Richard G Harman Jr, <perl-cpan at richardharman.com>
BUGS
Please report any bugs or feature requests to bug-parse-snort at rt.cpan.org
, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Parse-Snort. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Parse::Snort
You can also look for information at:
AnnoCPAN: Annotated CPAN documentation
CPAN Ratings
RT: CPAN's request tracker
Search CPAN
DEPENDENCIES
Test::More, Class::Accessor, List::Util
ACKNOWLEDGEMENTS
MagNET #perl for putting up with me :)
COPYRIGHT & LICENSE
Copyright 2007 Richard Harman, all rights reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.