Extending Rule.Parse Functionality #4

Open
rcbarnett-zz opened this issue Oct 24, 2014 · 6 comments

Comments

@rcbarnett-zz

I am testing out the functionality of Snort::Rule.parse() to parse a Snort signature. I am able to extract out the main parts such as rule.action, rule.proto, etc. There doesn't seem to be a way to parse out the different elements of the options data. For instance - consider this Snort rule -

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/prodshow.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:4;)

I can do this to print out the options portion -

require 'snort-rule' # assumed: the require path for the snort-rule gem

# open the rule file and parse every non-blank, non-comment line
@content = File.read(rulefile)
@content.each_line do |signature|
  next if signature =~ /(?:^\s+$|^#)/
  rule = Snort::Rule.parse(signature)
  puts rule.options.to_s
end

This would result in -

[msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection";, flow:to_server,established;, content:"GET";, http_method;, content:"/prodshow.php?";, nocase;, http_uri;, content:"id=";, nocase;, http_uri;, content:"UNION";, nocase;, http_uri;, content:"SELECT";, nocase;, http_uri;, pcre:"/UNION.+SELECT/Ui";, reference:bugtraq,32043;, reference:url,frsirt.com/english/advisories/2008/2976;, reference:url,doc.emergingthreats.net/2008837;, classtype:web-application-attack;, sid:2008837;, rev:4;]

I would like to be able to access other option elements such as -
rule.http_method => "GET"
rule.http_uri => "/prodshow.php?"

Could you extend the current functionality?

Thanks.

@chrislee35
Owner

Thanks so much for the request. I believe that, once upon a time, I did support getting and setting options by name, but then abandoned it because you can have multiple options with the same name and the order of the options was important. So, I just added the feature that when options are added to the options array, it recalculates an options_hash. The options_hash can be passed a key to get an answer, e.g., rule.options_hash["http_method"] => "GET". Please take a look at the readme and let me know if I have satisfied what you were looking for.

@chrislee35
Owner

Ryan,
Have you had a chance to look at the new version and see if it meets your needs?

@rcbarnett-zz
Author

Thanks Chris. I am testing. I am able to access different options elements when the format is "key:value". Take this rule for example -

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011216; classtype:web-application-attack; sid:2011216; rev:3;)

I am able to use "puts rule.options_hash["content"].to_s" to get the content data; however, the Snort rule syntax where there is a qualifier after the content is a bit trickier... For instance -

content:"GET"; http_method;

These two elements are "linked". If I use - puts rule.options_hash["http_method"].to_s - it comes back blank as there is no "value" for the key. Any ideas for how to approach this?
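The linked-option case raised in this comment, as an added example that is not part of the original thread and not the snort-rule gem's code: a standalone Ruby parser that keeps value-less modifier keywords (http_method, nocase, http_uri, ...) attached to the content or pcre option that precedes them, so a lookup by modifier returns the content it qualifies (the "rule.http_uri" style access asked for earlier). The modifier list, the function names and the SAMPLE_RULE constant are this example's own; the rule text inside it is the one quoted in the first comment.

```ruby
# Added example, not the snort-rule gem's code: a minimal standalone parser for
# Snort 2 rule text that keeps content modifiers attached to the content option
# they qualify. CONTENT_MODIFIERS, MODIFIABLE, the function names and
# SAMPLE_RULE are this example's own; the rule text is the one from the issue.

# Keywords that modify the preceding content/pcre match instead of standing
# alone. Subset of the Snort 2 modifier set; extend as needed.
CONTENT_MODIFIERS = %w[nocase http_method http_uri http_raw_uri http_header
                       http_client_body http_cookie rawbytes fast_pattern
                       depth offset distance within].freeze

# Option keywords that a modifier can attach to.
MODIFIABLE = %w[content uricontent pcre].freeze

# Rule taken from the first comment of the issue.
SAMPLE_RULE = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/prodshow.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:4;)'.freeze

# Split the option section on semicolons that are outside double quotes, so a
# ";" or an escaped quote inside a quoted value does not break a token.
def split_options(opt_str)
  opt_str.scan(/(?:"(?:\\.|[^"\\])*"|[^;"])+/).map(&:strip).reject(&:empty?)
end

# Strip one pair of surrounding double quotes, if present.
def unquote(str)
  str.length >= 2 && str.start_with?('"') && str.end_with?('"') ? str[1..-2] : str
end

# Parse a full rule into a header hash plus an ordered option list. Each option
# is {keyword:, value:, modifiers:}; modifiers is a hash such as
# {"nocase" => true, "http_uri" => true} or {"depth" => "5"}.
def parse_rule(rule)
  m = rule.match(/\A\s*(?<header>[^(]*)\((?<opts>.*)\)\s*\z/m)
  raise ArgumentError, "rule has no option section" unless m

  fields = m[:header].split
  raise ArgumentError, "expected a 7-field rule header" unless fields.size == 7

  header = %i[action proto src_ip src_port direction dst_ip dst_port].zip(fields).to_h
  options = []
  split_options(m[:opts]).each do |opt|
    keyword, value = opt.split(":", 2)
    keyword = keyword.strip
    value = unquote(value.strip) unless value.nil?
    last = options.last
    if CONTENT_MODIFIERS.include?(keyword) && last && MODIFIABLE.include?(last[:keyword])
      # Value-less modifiers become true; valued ones (depth:5) keep their value.
      last[:modifiers][keyword] = value.nil? ? true : value
    else
      options << { keyword: keyword, value: value, modifiers: {} }
    end
  end
  { header: header, options: options }
end

# Values of every content/pcre option qualified by the given modifier: this is
# what a "rule.http_uri" accessor would need to return.
def matched_by(parsed, modifier)
  parsed[:options].select { |o| o[:modifiers].key?(modifier) }.map { |o| o[:value] }
end

# Flat keyword => [values] lookup, keeping repeated keywords in rule order.
def options_hash(parsed)
  parsed[:options].each_with_object({}) do |o, h|
    (h[o[:keyword]] ||= []) << o[:value]
  end
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_rule(SAMPLE_RULE)
  puts "http_method: #{matched_by(parsed, 'http_method').inspect}"
  puts "http_uri:    #{matched_by(parsed, 'http_uri').inspect}"
  puts "sid:         #{options_hash(parsed)['sid'].inspect}"
end
```

Keeping the options as an ordered list with per-option modifier hashes preserves the two properties the maintainer mentioned (repeated keywords and option order) while still allowing the modifier-based lookup; the quote-aware splitter matters because a content string or pcre may legitimately contain a semicolon.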

@chrislee35
Owner

Please give me a little more time to come back to this.

@chrislee35
Owner

I think that I have a solution, it's going to take a little time to implement.

@chrislee35
Owner

@rcbarnett I just pushed out version 1.3.0. Could you give that a try and see if it meets your needs now? I've updated (and remembered to test this time) the README with examples.
