I've attempted writing a PERL program in which 10 snort rules are stored in a notepad file named "sample.txt". Snort rules are divided into two parts.Rule headers + rule options.What I'll do is extract only the header part from each of those 10 rules, convert all 10 into hex and store it into a notepad file "camdata.txt" in new lines.Now,how will I distinguish the header part from the options part? Header part always starts with the first word ,viz. "alert" ,till the first opening bracket is encountered. The opening bracket signifies the beginning of the options part in which I'm not interested, and don't want to extract from there on.I want to extract the header part out of all those 10 rules. I've commented rule names and mentioned them serial wise. Please note I'm a novice to PERL. Problems I'm facing is
1) The commented section is also getting printed.I don't want that.
2) It's erratically printing only the first header and not the remaining nine.
Below is my "sample.txt"
# 1) icmp rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; classtype:attempted-recon; sid:465; rev:6;)
# 2) p2p rule alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"PHISHING-SPAM younglaugh.ru known spam email attempt"; flow:to_server, established; content:"younglaugh.ru"; nocase; classtype:policy-violation; sid:17003; rev:3;)
# 3) pop3 rules alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:14;)
# 4) SCADA rules alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"SCADA CitectSCADA ODBC buffer overflow attempt"; flow:established,to_server; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>=,225,0,relative; metadata:policy security-ips drop; reference:bugtraq,29634; reference:cve,2008-2639; reference:url,www.citect.com/index.php?option=com_content&task=view&id=1374&Itemid=223; classtype:attempted-admin; sid:14265; rev:4;)
# 5) SMTP rules alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execution attempt"; flow:to_server,established; content:"<iframe"; nocase; pcre:"/^\s*^\x3e*src\s*\x3d\s*\x22\x27^\x22\x27*javascript\x3a/iR"; metadata:policy security-ips drop; reference:bugtraq,16770; reference:cve,2006-0884; classtype:attempted-user; sid:16038; rev:4;)
# 6) spyware-put rules alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dropspam runtime detection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:7;)
# 7) voip rules alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"VOIP-SKINNY-TCP Asterisk data length field overflow attempt"; flow:established,to_server; dsize:>992; byte_test:4,>,992,0,little; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:12359; rev:7;)
# 8) web cgi rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:17;)
# 9) specific threats rules alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; within:8; distance:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:7;)
# 10) SQL rules alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:8;)
my $rulesdir = "C:\\Snort\\rules"; my @rulefiles = glob "$rulesdir/sample.txt"; my @headers; for my $rulefile (@rulefiles){ open my $INFILE, "<", $rulefile or die "Can't open $rulefile $!"; my $header; while ( my $line = <$INFILE> ) { # see if this line contains opening bracket if ( $line =~ m/\(/ ) { my $pos = index( $line, '(' ); last unless $pos > 0; $header .= substr( $line, 0, $pos ); last; } else { $header .= $line; } } close $INFILE; push( @headers, $header ) if $header; } for my $header ( @headers ) { print "\nHeader:\n$header\n"; # now process the header } # Adding hex conversion part here. Still adding to "camdata.txt" has n +ot been accomplished for $header(@headers){ $pipe = 0; # hex patterns are limited by pipes; |00 bc 55| $char = ""; # Current character in header; ASCII or hex $pattern = ""; # header converted to hex # Loop through current header-string for ($i=0; $i<=length($header)-1; $i++){ # -1 for newline || Need mo +re elaboration $char = substr($header, $i, 1); # || substr EXPR,OFFSET,LENGTH Retu +rns from position i, only one bit from the header string # Control over pipes if($char =~ /\|/){ if(!$pipe){ $pipe = 1; } else { $pipe = 0; } next; # Skip to next character } # Convert to lowcase hex if(!$pipe){ # ASCII-value $pattern .= sprintf("%x", ord($char)); } else { # hex-value $char =~ s/ //; # Remove blanks $pattern .= "\l$char"; } } # Store converted pattern if((length($pattern) >= $minLength*2) && (length($pattern) <= $maxLength*2)){ $hexPatterns{$pattern} = "dummyValue"; # Keys will be distinct } } # Print patterns, that have no subsets, to file open(OUTFILE, ">".$camfile) or die "Can't open ".$camfile."\n"; @patterns = keys %hexPatterns; $count = 0; # Count patterns that are written to file HEXLOOP: for($i=0; $i<=$#patterns; $i++){ for($j=0; $j<=$#patterns; $j++){ # Search for subsets next if($i==$j); # Do not compare a pattern with itself next HEXLOOP if # Skip if subset is found ((length($patterns[$i]) <= length($patterns[$j])) && ($patterns[$j] =~ /$patterns[$i]/)); } print OUTFILE $patterns[$i]."\n"; $count++; } close(OUTFILE); # msg print "\n". " Wrote ".$count." patterns to file: \"".$camfile."\"\n". "\n"; # Is the hex part being added to camdata.txt as it is?
In reply to File handling - Reading 10 Snort rules from text file,converting them to hex, and storing onto another text file by edison.pioneer
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |