edison.pioneer has asked for the wisdom of the Perl Monks concerning the following question:

I've attempted writing a PERL program in which 10 snort rules are stored in a notepad file named "sample.txt". Snort rules are divided into two parts.Rule headers + rule options.What I'll do is extract only the header part from each of those 10 rules, convert all 10 into hex and store it into a notepad file "camdata.txt" in new lines.Now,how will I distinguish the header part from the options part? Header part always starts with the first word ,viz. "alert" ,till the first opening bracket is encountered. The opening bracket signifies the beginning of the options part in which I'm not interested, and don't want to extract from there on.I want to extract the header part out of all those 10 rules. I've commented rule names and mentioned them serial wise. Please note I'm a novice to PERL. Problems I'm facing is

1) The commented section is also getting printed.I don't want that.

2) It's erratically printing only the first header and not the remaining nine.

Below is my "sample.txt"

# 1) icmp rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; classtype:attempted-recon; sid:465; rev:6;)

# 2) p2p rule alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"PHISHING-SPAM younglaugh.ru known spam email attempt"; flow:to_server, established; content:"younglaugh.ru"; nocase; classtype:policy-violation; sid:17003; rev:3;)

# 3) pop3 rules alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:14;)

# 4) SCADA rules alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"SCADA CitectSCADA ODBC buffer overflow attempt"; flow:established,to_server; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>=,225,0,relative; metadata:policy security-ips drop; reference:bugtraq,29634; reference:cve,2008-2639; reference:url,www.citect.com/index.php?option=com_content&task=view&id=1374&Itemid=223; classtype:attempted-admin; sid:14265; rev:4;)

# 5) SMTP rules alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execution attempt"; flow:to_server,established; content:"<iframe"; nocase; pcre:"/^\s*^\x3e*src\s*\x3d\s*\x22\x27^\x22\x27*javascript\x3a/iR"; metadata:policy security-ips drop; reference:bugtraq,16770; reference:cve,2006-0884; classtype:attempted-user; sid:16038; rev:4;)

# 6) spyware-put rules alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:7;)

# 7) voip rules alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"VOIP-SKINNY-TCP Asterisk data length field overflow attempt"; flow:established,to_server; dsize:>992; byte_test:4,>,992,0,little; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:12359; rev:7;)

# 8) web cgi rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:17;)

# 9) specific threats rules alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; within:8; distance:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:7;)

# 10) SQL rules alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:8;) 



my $rulesdir = "C:\\Snort\\rules";
my @rulefiles = glob "$rulesdir/sample.txt";



my @headers;
for my $rulefile (@rulefiles){
    open my $INFILE, "<", $rulefile or die "Can't open  $rulefile $!";
    my $header;
    while ( my $line = <$INFILE> ) {
        # see if this line contains opening bracket
        if ( $line =~ m/\(/ ) {
            my $pos = index( $line, '(' );
            last unless $pos > 0;
            $header .= substr( $line, 0, $pos );
            last;
        }
        else {
            $header .= $line;
        }
    }
    close $INFILE;
    push( @headers, $header ) if $header;
}

for my $header ( @headers ) {
    print "\nHeader:\n$header\n";
    
    # now process the header
}



# Adding hex conversion part here. Still adding to "camdata.txt" has n
+ot been accomplished

for $header(@headers){

 $pipe = 0; # hex patterns are limited by pipes; |00 bc 55|
 $char = ""; # Current character in header; ASCII or hex
 $pattern = ""; # header converted to hex

 # Loop through current header-string
 for ($i=0; $i<=length($header)-1; $i++){ # -1 for newline  || Need mo
+re elaboration

 $char = substr($header, $i, 1);  #  || substr EXPR,OFFSET,LENGTH Retu
+rns from position i, only one bit from the header string

 # Control over pipes
 if($char =~ /\|/){
 if(!$pipe){
 $pipe = 1;
 }
 else {
 $pipe = 0;
 }
 next; # Skip to next character
 }

# Convert to lowcase hex
 if(!$pipe){ # ASCII-value
 $pattern .= sprintf("%x", ord($char));
 }
 else { # hex-value
 $char =~ s/ //; # Remove blanks
 $pattern .= "\l$char";
 }
 }

 # Store converted pattern
 if((length($pattern) >= $minLength*2) &&
 (length($pattern) <= $maxLength*2)){
 $hexPatterns{$pattern} = "dummyValue"; # Keys will be distinct
 }
 }
# Print patterns, that have no subsets, to file
 open(OUTFILE, ">".$camfile) or die
 "Can't open ".$camfile."\n";

 @patterns = keys %hexPatterns;
$count = 0; # Count patterns that are written to file

 HEXLOOP:
 for($i=0; $i<=$#patterns; $i++){
 for($j=0; $j<=$#patterns; $j++){ # Search for subsets

 next if($i==$j); # Do not compare a pattern with itself

 next HEXLOOP if # Skip if subset is found
 ((length($patterns[$i]) <= length($patterns[$j])) &&
 ($patterns[$j] =~ /$patterns[$i]/));
 }
 print OUTFILE $patterns[$i]."\n";
$count++;
 }

 close(OUTFILE);
 
 # msg
print
 "\n".
 " Wrote ".$count." patterns to file: \"".$camfile."\"\n".
 "\n";
 
 
 # Is the hex part being added to camdata.txt as it is?

[download]
  • Comment on File handling - Reading 10 Snort rules from text file,converting them to hex, and storing onto another text file
  • Download Code

Replies are listed 'Best First'.
Re: File handling - Reading 10 Snort rules from text file,converting them to hex, and storing onto another text file
by roboticus (Chancellor) on Jul 23, 2015 at 11:03 UTC

    ...and also put your sample data in code tags, too. This way people have a chance at reproducing the problem.

    I added strict & warnings and put in the required declarations. But when I gave it your rules file, it just printed a couple warnings (because it tried to use undefined values as numbers) and then stopped without doing anything, like so:

    Header:
1) icmp rule alert icmp $EXTERNAL_NET any -> $HOME_NET any
Use of uninitialized value $minLength in multiplication (*) at 1135963
+.pl line 78, <DATA> line 1.
Use of uninitialized value $maxLength in multiplication (*) at 1135963
+.pl line 78, <DATA> line 1.

 Wrote 0 patterns to file: "UNSPECIFIED"

    [download]

    Because I can't trust the sample data, and can't read your code with the hideous indenting, that's all the further I cared to go to try to find what your problem might be.

    Update: fixed cut & paste error (left off final line of output) and rephrased a bit for clarity.

    ...roboticus

    When your only tool is a hammer, all problems look like your thumb.

[reply]
[d/l]
Re: File handling - Reading 10 Snort rules from text file,converting them to hex, and storing onto another text file
by Laurent_R (Canon) on Jul 23, 2015 at 10:26 UTC
    Hi edison.pioneer,

    you haven't followed the advice given to you in answers to your previous post:

    • use strict; use warnings and declare your variables with my
    • indent your code consistently.
[reply]
[d/l]
[select]
Re: File handling - Reading 10 Snort rules from text file,converting them to hex, and storing onto another text file
by 1nickt (Canon) on Jul 23, 2015 at 13:03 UTC

    Second point: Your sample data should be inside <code></code> tags. As it is we can't tell what it really is: do the lines numbers exist in the file, or did you add them for your post?

    Third point: Not much sense in globbing and looping through an array when there is only one file.

    First point: Simplify your data and your code until it works. Then add back in.

    Here is an example of what you should do to make a simple test. 

    #! perl -w
use strict;
use Path::Tiny qw/ path /;

my $file  = '1135963.txt';
my @lines = path( $file )->lines( { chomp => 1 } );

foreach my $line ( @lines ) { 
  if ( $line =~ m/^([^(]+)/ ) { 
    print "$1\n";
  }
}

__END__

    [download]

    Where your file is: 

    cmp rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS 
+Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; classtype:attempted-r
+econ; sid:465; rev:6;)
p2p rule alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"PHISHING-SP
+AM younglaugh.ru known spam email attempt"; flow:to_server, establish
+ed; content:"younglaugh.ru"; nocase; classtype:policy-violation; sid:
+17003; rev:3;)
pop3 rules alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DEL
+E negative argument attempt"; flow:to_server,established; content:"DE
+LE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,60
+53; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus
+,11570; classtype:misc-attack; sid:2121; rev:14;)
SCADA rules alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"SCADA
+ CitectSCADA ODBC buffer overflow attempt"; flow:established,to_serve
+r; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>=,225,0,relative
+; metadata:policy security-ips drop; reference:bugtraq,29634; referen
+ce:cve,2008-2639; reference:url,www.citect.com/index.php?option=com_c
+ontent&task=view&id=1374&Itemid=223; classtype:attempted-admin; sid:1
+4265; rev:4;)
SMTP rules alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP 
+Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execut
+ion attempt"; flow:to_server,established; content:"<iframe"; nocase; 
+pcre:"/^\s*^\x3e*src\s*\x3d\s*\x22\x27^\x22\x27*javascript\x3a/iR"; m
+etadata:policy security-ips drop; reference:bugtraq,16770; reference:
+cve,2006-0884; classtype:attempted-user; sid:16038; rev:4;)
spyware-put rules alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
+ (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - third party 
+information collection"; flow:to_server,established; content:"/d/sr/?
+"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yar
+gs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; 
+content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header;
+ metadata:policy balanced-ips drop, policy connectivity-ips drop, pol
+icy security-ips drop; reference:url,www.spywareguide.com/product_sho
+w.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.as
+px?id=453097437; classtype:misc-activity; sid:5938; rev:7;)
voip rules alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"VOIP
+-SKINNY-TCP Asterisk data length field overflow attempt"; flow:establ
+ished,to_server; dsize:>992; byte_test:4,>,992,0,little; reference:bu
+gtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.co
+m/exploits/2597; classtype:attempted-user; sid:12359; rev:7;)
web cgi rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
+ (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:t
+o_server,established; content:"/hsx.cgi"; http_uri; content:"../../";
+ content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,200
+1-0253; reference:nessus,10602; classtype:web-application-attack; sid
+:803; rev:17;)
specific threats rules alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HO
+ME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows GDI+ TIFF file pa
+rsing heap overflow attempt"; flow:to_client,established; flowbits:is
+set,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; within
+:8; distance:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; co
+ntent:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:p
+olicy balanced-ips drop, policy security-ips drop, service http; refe
+rence:cve,2009-2502; reference:url,technet.microsoft.com/en-us/securi
+ty/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:7;)
SQL rules alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp
+_start_job - program execution"; flow:to_server,established; content:
+"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth
+:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:8;)

    [download]
    The way forward always starts with a minimal test.
[reply]
[d/l]
[select]
      Yes, the line numbers I purposefully added in the text file so as to easily distinguish.
[reply]

Back to Seekers of Perl Wisdom