NAME
    Parse::Snort - Parse and create Snort rules

VERSION
    Version 0.05

SYNOPSIS
        use Parse::Snort;

        # build a rule from its elements (hash reference form of new)
        my $rule = Parse::Snort->new({
            action    => 'alert',
            proto     => 'tcp',
            src       => '$HOME_NET',     src_port => 'any',
            direction => '->',
            dst       => '$EXTERNAL_NET', dst_port => 'any',
        });

        $rule->action("pass");

        # opts takes a single array reference of [ key => value ] pairs
        $rule->opts([
            [ 'depth'   => 50 ],
            [ 'offset'  => 0 ],
            [ 'content' => "perl6" ],
            [ "nocase" ],
        ]);

        # or parse a plain text rule and edit it
        my $other = Parse::Snort->new();
        $other->parse('pass tcp $HOME_NET any -> $EXTERNAL_NET 6667');
        $other->msg("IRC server");
        my $rule_string = $other->as_string;

METHODS
    These are the object methods that can be used to read or modify any part
    of a Snort rule. Please note: none of these methods provide any sort of
    input validation to make sure that the rule makes sense, or can be parsed
    at all by Snort. In particular, a value containing an unescaped ";" or
    ")" is stored as-is and changes the meaning of the rule that "as_string"
    writes out, so escape or reject such characters yourself before building
    rules from data you do not control.

    new ()
        Create a new "Parse::Snort" object, and return it. There are a couple
        of options when creating the object:

        new ( )
            Create an unpopulated object, that can be filled in using the
            individual rule element methods, or can be populated with the
            "parse" method.

        new ( $rule_string )
            Create an object based on a plain text Snort rule, all on one
            line. This module doesn't understand the UNIX style line
            continuations (a backslash at the end of the line) that Snort
            does, so join continued lines yourself before passing the rule
            in.

                $rule_string = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!"; depth:150; offset:0; content:"perl-6.0.0"; nocase;)';

        new ( $rule_element_hashref )
            Create an object based on a prepared hash reference similar to
            the internal structure of the Parse::Snort object.

                $rule_element_hashref = {
                    action    => 'alert',
                    proto     => 'tcp',
                    src       => '$EXTERNAL_NET', src_port => 'any',
                    direction => '->',
                    dst       => '$HOME_NET',     dst_port => 'any',
                    opts      => [
                        [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
                        [ 'depth'   => 150 ],
                        [ 'offset'  => 0 ],
                        [ 'content' => 'perl-6.0.0' ],
                        [ 'nocase' ],
                    ],
                };

    parse( $rule_string )
        The parse method is what interprets a plain text rule, and populates
        the rule object. Because this module does not support the UNIX style
        line continuations (backslash at the end of a line), the rule must be
        all on one line; otherwise the parse will fail in unpredictably
        interesting and confusing ways. The parse method interprets the rule
        from left to right, calling the individual accessor methods for each
        rule element. This overwrites the contents of the object (if any), so
        if you want to parse multiple rules at once, you will need multiple
        objects.

            $rule->parse($rule_string);
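
    The following is an added example, not code from the Parse::Snort
    distribution. It shows the one-object-per-rule and one-line-per-rule
    points above in practice: a small rules file (constructed inline) is
    split into logical rules, with backslash continuations joined before
    "parse" sees them, and the "alert" rules whose sid appears in a
    constructed %to_drop list are rewritten as "drop" rules and re-emitted
    with "as_string". It uses only the methods documented on this page; the
    page does not say whether "msg" returns the value with its quotes, so the
    example tolerates both.

```perl
#!/usr/bin/perl
# Added example, not part of the Parse::Snort distribution.
# Reads a rules file, joins backslash line continuations (which parse() does
# not handle), skips comments and blank lines, and turns the "alert" rules
# whose sid is listed in %to_drop into "drop" rules. The rules file and the
# sid list are constructed for this demo.
use strict;
use warnings;
use Parse::Snort;

# Sids to convert to inline blocking rules (constructed for the demo).
my %to_drop = map { $_ => 1 } qw(1000001);

# A constructed local.rules, embedded so the example runs offline. The first
# rule is continued across two lines with a trailing backslash, as Snort
# allows but Parse::Snort does not.
my $rules_text = <<'END_RULES';
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"IRC connect"; \
    flow:to_server,established; sid:1000001; rev:2;)

pass tcp $HOME_NET any -> $EXTERNAL_NET 6667
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!"; depth:150; offset:0; content:"perl-6.0.0"; nocase; sid:1000002; rev:1;)
END_RULES

# Split the file text into one string per logical rule: a line ending in a
# backslash is joined with the next line; comments and blank lines are
# dropped. Everything else is left exactly as written.
sub logical_rules {
    my ($text) = @_;
    my @rules;
    my $pending = '';
    for my $line (split /\n/, $text) {
        if ($line =~ s/\\\s*$//) {             # continuation: strip the backslash
            $pending .= $line;                 # and keep collecting
            next;
        }
        $line =~ s/^\s+// if $pending ne '';   # drop indentation of a continued line
        $line = $pending . $line;
        $pending = '';
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' || $line =~ /^#/;
        push @rules, $line;
    }
    push @rules, $pending if $pending ne '';   # file ended inside a continuation
    return @rules;
}

for my $text (logical_rules($rules_text)) {
    my $rule = Parse::Snort->new;              # a fresh object per rule
    $rule->parse($text);                       # parse() overwrites any previous contents

    my $opts = $rule->opts;
    if (!$opts || !@$opts) {                   # e.g. the bare "pass" rule above
        printf "%-5s %s: no options\n", $rule->action, $rule->proto;
        print $rule->as_string, "\n";
        next;
    }

    # The page does not say whether msg() includes the surrounding quotes;
    # strip them if they are there.
    my $sid = $rule->sid;
    (my $msg = $rule->msg // '') =~ s/^"(.*)"$/$1/;

    if (defined $sid && $to_drop{$sid} && $rule->action eq 'alert') {
        $rule->action('drop');                 # only the action changes
    }

    printf "%-5s sid=%s rev=%s msg=%s\n",
        $rule->action, $sid // '-', $rule->rev // '-', $msg;
    print $rule->as_string, "\n";              # the rule as Snort will read it
}
```

    Joining continuations before calling "parse" is the only part that is
    not a plain use of the documented API; without it the first rule above
    would be handed to "parse" as two fragments and fail in exactly the way
    the "parse" description warns about.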

  METHODS FOR ACCESSING RULE ELEMENTS
    You can access the core parts of a rule (action, protocol, source IP,
    etc.) with the method of their name. These are read/write Class::Accessor
    accessors. If you want to read the value, don't pass an argument. If you
    want to set the value, pass in the new value. In either case it returns
    the current value, or undef if the value has not been set yet.

    action
        The rule action. Generally one of the following: "alert", "pass",
        "drop", "sdrop", or "log".

    proto
        The protocol of the rule. Generally one of the following: "tcp",
        "udp", "ip", or "icmp".

    src The source IP address for the rule. Generally a dotted decimal IP
        address, a Snort variable such as $HOME_NET, or a CIDR block.

    src_port
        The source port for the rule. Generally a static port, a contiguous
        range of ports, or "any".

    direction
        The direction of the rule. One of the following: "->", "<>", or "<-".
        Note that Snort itself only accepts "->" and "<>"; nothing in this
        module stops you from storing some other value.

    dst The destination IP address for the rule. Same format as "src".

    dst_port
        The destination port for the rule. Same format as "src_port".

    opts ( $opts_array_ref )
    opts ( $opts_string )
        The opts method can be used to read existing options of a parsed
        rule, or set them. The method takes two forms of arguments, either an
        array of arrays, or a rule options string.

        $opts_array_ref
                $opts_array_ref = [
                    [ 'msg'     => '"perl 6 download detected\; may the world rejoice!"' ],
                    [ 'depth'   => 150 ],
                    [ 'offset'  => 0 ],
                    [ 'content' => 'perl-6.0.0' ],
                    [ 'nocase' ],
                ];

        $opts_string
                $opts_string = '(msg:"perl 6 download detected\; may the world rejoice!"; depth:150; offset:0; content:"perl-6.0.0"; nocase;)';

        The parentheses surrounding the series of "key:value;" pairs are
        optional.
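
    The following is an added example, not code from Parse::Snort. It shows
    the string form of "opts" being fed a message that comes from outside
    the program (a constructed value here) and why that value has to be
    escaped first: "opts" does no validation, so an unescaped ";" in the
    text is split into extra options that end up in the rule "as_string"
    writes. The escaping helper "snort_quote" is the example's own, not part
    of the module; it assumes, as the "\;" in the msg examples on this page
    implies, that the string form splits only on unescaped semicolons.

```perl
#!/usr/bin/perl
# Added example, not part of Parse::Snort. Builds the options string for a
# rule around a message taken from outside the program (a constructed value
# here) and shows why that value must be escaped first: opts() does no
# validation, so an unescaped ';' in the text becomes extra options that
# end up in the rule as_string() writes out.
use strict;
use warnings;
use Parse::Snort;

# Backslash-escape the characters Snort treats specially inside a quoted
# option value (backslash, double quote, semicolon) and wrap it in quotes.
# The semicolon escape is the same "\;" form the msg examples on this page use.
sub snort_quote {
    my ($text) = @_;
    $text =~ s/([\\";])/\\$1/g;
    return qq("$text");
}

# A constructed untrusted description, say a ticket title. The ';' is all
# that is needed to smuggle an extra option (here a second sid) into the rule.
my $untrusted_msg = 'IRC server; sid:1';

my @tries = (
    [ naive   => sprintf('msg:"%s"; sid:1000003; rev:1;', $untrusted_msg) ],
    [ escaped => sprintf('msg:%s; sid:1000003; rev:1;', snort_quote($untrusted_msg)) ],
);

for my $try (@tries) {
    my ($label, $opts_string) = @$try;
    my $rule = Parse::Snort->new('alert tcp $HOME_NET any -> $EXTERNAL_NET 6667');
    $rule->opts($opts_string);               # string form; parentheses are optional

    my @opts = @{ $rule->opts };             # read back as an array of arrays
    my @keys = map { $_->[0] } @opts;

    # Every rule built here should carry exactly msg, sid and rev, once each,
    # in that order. Anything else means the message changed the rule.
    my $verdict = "@keys" eq 'msg sid rev' ? 'ok' : 'UNEXPECTED OPTIONS';

    printf "%-7s %d option(s): %s [%s]\n", $label, scalar @opts, "@keys", $verdict;
    print  "        ", $rule->as_string, "\n";
}
```

    The check on the option keys after the round trip is the useful habit
    here: whatever the input, read "opts" back and confirm that only the
    options you meant to set are present before the rule goes into a file
    Snort will load.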

  HELPER METHODS FOR VARIOUS OPTIONS
    sid
    rev
    msg
    classtype
    gid
    metadata
    priority
        These methods allow direct access to the rule option of the same
        name.

            my $sid = $rule_obj->sid();   # reads the sid of the rule
            $rule_obj->sid($sid);         # sets the sid of the rule
            ... etc ...

    references
        The "references" method permits read-only access to the "reference:"
        options in the rule. This is in the form of an array of arrays, with
        each reference in the format

            [ 'reference_type' => 'reference_value' ]

        To modify references, use the "opts" method to grab all the rule
        options, modify the list to your needs, and use the "opts" method to
        save your changes back to the rule object.

            my $references    = $rule->references();                                 # just the references
            my @no_references = grep { $_->[0] ne 'reference' } @{ $rule->opts() };  # everything but the references
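
    The following is an added example, not code from Parse::Snort. It
    carries the read-modify-write procedure above through to the end:
    "set_references" (the example's own helper) drops every "reference:"
    option from the list "opts" returns, splices the new ones in where the
    old ones sat, and writes the list back with "opts". The rule and the
    replacement references are constructed; the URLs use the reserved
    example.com and example.net names. It assumes, as the page's own
    "$references = $rule->references()" usage suggests, that "references"
    returns an array reference.

```perl
#!/usr/bin/perl
# Added example, not part of Parse::Snort. references() is read-only, so this
# replaces the reference: options of a rule through opts(): keep every option
# that is not a reference, splice the new references in where the old ones
# sat, and write the list back. The rule and the new references are
# constructed for the demo; the URLs use the reserved example.com/.net names.
use strict;
use warnings;
use Parse::Snort;

my $rule = Parse::Snort->new(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"IRC connect"; '
  . 'reference:url,www.example.com/advisory-1; '
  . 'reference:url,www.example.com/advisory-2; '
  . 'classtype:misc-activity; sid:1000004; rev:2;)'
);

# Replace all reference: options with @new_refs, given as [ type => value ]
# pairs. The option value Snort expects is "type,value", which is what opts()
# holds; references() is what splits it back into a pair.
sub set_references {
    my ($rule, @new_refs) = @_;
    my @opts = @{ $rule->opts || [] };       # opts() is undef on an unset rule
    my @kept;
    my $insert_at;
    for my $opt (@opts) {
        if ($opt->[0] eq 'reference') {
            $insert_at //= scalar @kept;     # remember where the first one was
            next;                            # and drop it
        }
        push @kept, $opt;
    }
    $insert_at //= scalar @kept;             # no old references: append
    splice @kept, $insert_at, 0,
        map { [ reference => "$_->[0],$_->[1]" ] } @new_refs;
    $rule->opts(\@kept);                     # write the edited list back
    return $rule;
}

my @before = @{ $rule->references };
set_references($rule,
    [ url => 'www.example.net/advisory-3' ],
    [ url => 'www.example.net/advisory-4' ],
);
my @after = @{ $rule->references };

print "before: ", join(', ', map { "$_->[0]=$_->[1]" } @before), "\n";
print "after:  ", join(', ', map { "$_->[0]=$_->[1]" } @after),  "\n";
print $rule->as_string, "\n";
```

    Keeping the new references at the position of the old ones, rather than
    appending them, preserves the usual rule layout (references before
    classtype, sid and rev), which makes the rewritten rule easier to diff
    against the original.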

    as_string
        The "as_string" method returns a string that matches the normal Snort
        rule form of the object. This is what you want to use to write a rule
        to an output file that will be read by Snort.

AUTHOR
    Richard G Harman Jr, "<perl-cpan at richardharman.com>"

BUGS
    Please report any bugs or feature requests to "bug-parse-snort at
    rt.cpan.org", or through the web interface at
    <http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Parse-Snort>. I will be
    notified, and then you'll automatically be notified of progress on your
    bug as I make changes.

SUPPORT
    You can find documentation for this module with the perldoc command.

        perldoc Parse::Snort

    You can also look for information at:

    *   AnnoCPAN: Annotated CPAN documentation

        <http://annocpan.org/dist/Parse-Snort>

    *   CPAN Ratings

        <http://cpanratings.perl.org/d/Parse-Snort>

    *   RT: CPAN's request tracker

        <http://rt.cpan.org/NoAuth/Bugs.html?Dist=Parse-Snort>

    *   Search CPAN

        <http://search.cpan.org/dist/Parse-Snort>

DEPENDENCIES
    Test::More, Class::Accessor, List::Util

ACKNOWLEDGEMENTS
    MagNET #perl for putting up with me :)

COPYRIGHT & LICENSE
    Copyright 2007 Richard Harman, all rights reserved.

    This program is free software; you can redistribute it and/or modify it
    under the same terms as Perl itself.