NAME

Snort::Rule - Perl extension for dynamically building snort rules

SYNOPSIS

  use Snort::Rule;
  $rule = Snort::Rule->new(
				action	=> 'alert',
				proto	=> 'tcp',
				src	=> 'any',
				sport	=> 'any',
				dir	=> '->',
				dst	=> '192.188.1.1',
				dport	=> '44444',
			);
  $rule->opts('msg','Test Rule"');
  $rule->opts('threshold','type limit,track by_src,count 1,seconds 3600');
  $rule->opts('sid','500000');

  print $rule->string()."\n";

  OR

  $rule = 'alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;)';

  $rule = Snort::Rule->new(parse => $rule);
  print $rule->string()."\n";

DESCRIPTION

This is a very simple snort rule object. It was developed to allow for scripted dynamic rule creation. Ideally you could dynamically take a list of bad hosts and build an array of snort rule objects from that list. Then write that list using the string() method to a snort rules file.

OBJECT METHODS

new

Reads in the initial headers to generate a rule and constructs the snort::rule object around it

action

Sets and returns the rule action [alert,log,pass,...]
$rule->action('alert');

proto

Sets and returns the protocol used in the rule [tcp,icmp,udp]
$rule->proto('tcp');

src

Sets and returns the source used in the rule
$rule->proto('$EXTERNAL_NET');

sport

Sets and returns the source port used in the rule
$rule->sport(80);

dir

Sets and returns the direction operator used in the rule, -> <- or <>
$rule->dir('->');

dst

Sets and returns the destination used in the rule
$rule->dst('$HOME_NET');
$rule->dst('192.168.1.1');

dport

Sets and returns the destination port used in the rule
$rule->dport(6667);

opts

Sets an option and a value used in the rule.
This currently can only be done one set at a time, and is printed in the order it was set.

$rule->opts(option,value);
$rule->opts('msg','this is a test rule');

my $hashref = $rule->opts();
This will return a hashref: $hashref->{$keyOrderValue}->{option} and $hashref->{$keyOrderValue}->{value}

There is a fixQuotes() function that reads through this information before setting it, just to ensure the right options are sane. It's a very very basic function, but it seems to get the job done.

string

Outputs the rule in string form.

AUTHOR

Wes Young, <saxguard9-cpan@yahoo.com>

COPYRIGHT AND LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.

To install Snort::Rule, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Snort::Rule

CPAN shell

perl -MCPAN -e shell
install Snort::Rule

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)