Snort::Rule 1.03 review
DownloadSnort::Rule is a Perl extension for dynamically building snort rules. SYNOPSIS use Snort::Rule; $rule = Snort::Rule->new(
|
|
Snort::Rule is a Perl extension for dynamically building snort rules.
SYNOPSIS
use Snort::Rule;
$rule = Snort::Rule->new(
-action => 'alert',
-proto => 'tcp',
-src => 'any',
-sport => 'any',
-dir => '->',
-dst => '192.188.1.1',
-dport => '44444',
);
$rule->opts('msg','Test Rule"');
$rule->opts('threshold','type limit,track by_src,count 1,seconds 3600');
$rule->opts('sid','500000');
print $rule->string()."n";
OR
$rule = 'alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOPsSECRET|TS)//[sw,/-]*PROPIN[sw,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;)';
$rule = Snort::Rule->new(-parse => $rule);
print $rule->string()."n";
This is a very simple snort rule object. It was developed to allow for scripted dynamic rule creation. Ideally you could dynamically take a list of bad hosts and build an array of snort rule objects from that list. Then write that list using the string() method to a snort rules file.
Requirements:
Perl
Snort::Rule 1.03 search tags