
Refactoring cerdo at some point,

so splitting it into modules for cleaner, shorter code :)
1 parent 334afd0 commit fc424fb284e871ce1923742ac53681507c17c72d @gamelinux committed Oct 5, 2010
1 cerdo
@@ -75,6 +75,7 @@ our $MRULEDB = {};
our %DISABLEDB;
our %ENABLEDB;
+# s/Local/Cerdo/g # When ready!
use Local::State PO => '/var/lib/cerdo/state/cerdo-policy.state';
use Local::State SE => '/var/lib/cerdo/state/cerdo-sensor.state';
use Local::State SF => [ '/var/lib/cerdo/state/cerdo.state', readonly => 1 ];
@@ -0,0 +1,58 @@
+package Cerdo;
+
+$VERSION = "0.001";
+sub Version { $VERSION; }
+
+require 5.005;
+require Cerdo::ReadRules;
+require Cerdo::WriteRules;
+require Cerdo::FlowBits;
+require Cerdo::FetchRules;
+require Cerdo::State;
+#use Cerdo::Load ();
+
+1;
+
+_END__
+
+=head1 NAME
+
+Cerdo - The defacto TUI for handling snort rules!
+
+=head1 SYNOPSIS
+
+ use Cerdo;
+ print "This is Cerdo-$Cerdo::VERSION\n";
+
+=head1 DESCRIPTION
+
+ Cerdo aims at managing all your IPS/IDS sensor rulesets,
+ be it Suricata, Snort or others, from the console in a way
+ that gives you a more visual view then other console tools.
+
+=cut
+
+=head1 AUTHOR
+
+ Edward Fjellskaal <edwardfjellskaal@gmail.com>
+
+=head1 COPYRIGHT
+
+ Copyright (C) 2010, Edward Fjellskaal <edwardfjellskaal@gmail.com>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+=cut
+# ҈ ☃ ☠ ҉
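Review bot: `_END__` on the line after `1;` is a typo for `__END__`, so instead of ending the code section it is parsed as a bareword statement; only the absence of `use strict` keeps the file compiling, and the module's last evaluated value becomes that string rather than the `1;` above it. Change it to `__END__`, add `use strict; use warnings;` after the package line, and declare the version as `our $VERSION = "0.001";` so the module survives strictures. The `=cut` that closes DESCRIPTION immediately before `=head1 AUTHOR` also splits one POD document in two for no reason and can be dropped.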
@@ -0,0 +1,34 @@
+package Cerdo::Config;
+
+use strict;
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK);
+require Exporter;
+
+@EXPORT = qw(ALL);
+$VERSION = '0.1';
+
+=head2
+
+ Reads a Cerdo config file.
+ Takes $file as input.
+ Returns %hash with config options.
+
+=cut
+
+sub read_config {
+ my $file = shift;
+ my $config = {};
+
+ open(CONFIG,$file);
+ while (my $line = <CONFIG>) {
+ chomp($line);
+ $line =~ s/\#.*//;
+ next if undef $line;
+ # PARAMETER = SOME_VALUE
+ my ($key, $value) = ($line =~ m/(\w+)\s*=\s*(.*)$/);
+ $config->{$key} = $value;
+ }
+ return $config;
+}
+
+1;
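Review bot: `next if undef $line;` in read_config clears `$line` instead of testing it — `undef $line` assigns undef and returns false — so every line reaches the match as undef, the captures come back empty, and the loop only ever stores `$config->{''}`; the test should be `next unless length $line;` plus a guard on the match result. The `open(CONFIG,$file);` above it is a two-argument, unchecked open on a bareword handle: a filename beginning with `>`, `|` or `<` is interpreted as a mode, and a missing or unreadable file silently yields an empty config. Use the three-argument form with a lexical handle and check both open and close. Separately, `@EXPORT = qw(ALL)` names a sub that does not exist and `@ISA` is never set to `Exporter`, so nothing is exported either way; the same boilerplate is repeated in Cerdo::ReadRules.
```perl
sub read_config {
    my $file   = shift;
    my $config = {};

    open my $fh, '<', $file or die "open $file: $!";
    while (my $line = <$fh>) {
        chomp($line);
        $line =~ s/\#.*//;
        next unless length $line;
        # PARAMETER = SOME_VALUE
        my ($key, $value) = ($line =~ m/(\w+)\s*=\s*(.*)$/);
        next unless defined $key;    # blank or malformed line
        $config->{$key} = $value;
    }
    close $fh or die "close $file: $!";
    return $config;
}
```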
@@ -0,0 +1,127 @@
+package Cerdo::ReadRules;
+
+use strict;
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK);
+require Exporter;
+
+@EXPORT = qw(ALL);
+$VERSION = '0.1';
+
+=head2 parse_all_rule_files
+
+ Opens all the rule files from the directories that is given to it,
+ parses them, and return $rules in a hash.
+ It takes a array list of directories as input.
+
+ Example:
+ my $rules = {};
+ my @dirs = ["/tmp/vrt/", "/tmp/et/", "/tmp/et-pro/"];
+ $rules = parse_all_rule_files (@dirs);
+
+=cut
+
+sub parse_all_rule_files {
+ my @DIRS = shift;
+ my @FILES;
+
+ # For each dir:
+
+ foreach my $DIR ( @DIRS ) {
+ # Open the directory
+ if( opendir( ODIR, $DIR ) ) {
+ # Find rule files in dir (*.rules)
+ while( my $FILE = readdir( ODIR ) ) {
+ next if( ( "." eq $FILE ) || ( ".." eq $FILE ) );
+ next unless ($FILE =~ /.*\.rules$/);
+ push( @FILES, $FILE ) if( -f "$DIR$FILE" );
+ }
+ closedir( ODIR );
+ } else {
+ warn "[!] Error opening dir: $DIR";
+ exit 1;
+ }
+ foreach my $FILE ( @FILES ) {
+ my $result = get_rules ("$DIR$FILE");
+ if ($result == 1) {
+ warn "[*] Couldn't parse $RULESDIR$FILE: $!\n";
+ }
+ }
+ }
+}
+
+=head2 get_rules
+
+ This sub extracts the rules from a rules file.
+ Takes $file as input parameter. Returns a %hash with rules.
+
+=cut
+
+sub get_rules {
+ my $RFILE = shift;
+ my $RDB = {};
+
+ if (open (FILE, $RFILE)) {
+ print "Found rules file: ".$RFILE."\n" if $DEBUG;
+ # Verify the rules in the rule files
+ LINE:
+ while (my $rule = readline FILE) {
+ chomp $rule;
+ next LINE unless($rule); # empty line
+
+ $rule =~ /^\#? ?(drop|alert|log|pass|activate|dynamic)\s+(\S+?)\s+(\S+?)\s+(\S+?)\s+(\S+?)\s+(\S+?)\s+(\S+?)\s+\((.*)\)$/;
+ my ($action, $proto, $sip, $sport, $dir, $dip, $dport, $options) = ($1, $2, $3, $4, $5, $6, $7, $8);
+ unless($rule) {
+ warn "[*] Error: Not a valid rule in: '$RFILE'" if $DEBUG;
+ warn "[*] RULE: $rule" if $DEBUG;
+ next LINE;
+ }
+
+ if (not defined $options) {
+ warn "[*] Error: Options missing in rule: '$RFILE'" if $DEBUG;
+ warn "[*] RULE: $rule" if $DEBUG;
+ next LINE;
+ }
+
+ # ET rules had at some point: "sid: 2003451;" Which is not illigal...
+ unless( $options =~ /sid:\s*([0-9]+)\s*;/ ) {
+ warn "[*] Error: No sid found in rule options: '$RFILE'" if $DEBUG;
+ warn "[*] RULE: $options" if $DEBUG;
+ next LINE;
+ }
+ my $sid = $1;
+
+ $options =~ /msg:\s*\"(.*?)\"\s*;/;
+ my $msg = $1;
+
+ $options =~ /rev:\s*(\d+?)\s*;/;
+ my $rev = $1;
+
+ my $enabled = 0;
+ # This also removes comments in rules (making them active)
+ if ( $rule =~ s/^# ?//g ) {
+ $enabled = 0;
+ } else {
+ $enabled = 1;
+ }
+ # Things should be "OK" now to send to the hash-DB
+ # push (@{$RDB{$sid}}, [ $rule ]);
+ $RDB->{$sid}->{'rule'} = $rule;
+ $RDB->{$sid}->{'enabled'} = $enabled;
+ $RDB->{$sid}->{'action'} = $action;
+ $RDB->{$sid}->{'protocol'} = $proto;
+ $RDB->{$sid}->{'src_ip'} = $sip;
+ $RDB->{$sid}->{'src_port'} = $sport;
+ $RDB->{$sid}->{'direction'} = $dir;
+ $RDB->{$sid}->{'dst_ip'} = $dip;
+ $RDB->{$sid}->{'dst_port'} = $dport;
+ $RDB->{$sid}->{'message'} = $msg;
+ $RDB->{$sid}->{'options'} = $options;
+ }
+ close FILE;
+ }
+ return $RDB;
+}
+
+
+
+1;
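Review bot: The module cannot compile under its own `use strict`: `$RULESDIR` in the warn inside parse_all_rule_files and `$DEBUG` throughout get_rules are never declared — the first should be `$DIR`, and `$DEBUG` needs something like `our $DEBUG = 0;` near the top. `my @DIRS = shift;` keeps only the first argument (and the POD example builds `@dirs` from an arrayref, which would stringify into the path), `@FILES` is declared outside the directory loop so files from one directory are re-read with the next directory's prefix, and the hashref returned by get_rules is compared with `== 1` and then dropped instead of being merged and returned. In get_rules the captures `$1..$8` are read without checking that the match succeeded, so an unparseable line silently inherits the previous rule's fields — the `unless($rule)` test never fires because `$rule` is already known non-empty there; test the match itself, e.g. `next LINE unless my @f = $rule =~ /.../;`. `exit 1` on an unreadable directory and the two-argument bareword `open`/`opendir` belong in a script rather than a library; prefer `croak` and `open my $fh, '<', $RFILE or ...`.
```perl
sub parse_all_rule_files {
    my @DIRS  = @_;        # every directory passed in, not just the first
    my $rules = {};

    foreach my $DIR ( @DIRS ) {
        my @FILES;         # per directory, so earlier dirs' files are not re-read here
        # … unchanged: opendir / readdir loop collecting *.rules into @FILES …
        foreach my $FILE ( @FILES ) {
            my $result = get_rules("$DIR$FILE");
            warn "[*] No rules parsed from $DIR$FILE\n" unless %$result;
            %$rules = (%$rules, %$result);
        }
    }
    return $rules;
}
```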
@@ -0,0 +1,103 @@
+#
+# Copyright (C) 2002, 2007 by Peder Stray <peder@ifi.uio.no>
+# Copyright (C) 2010 by Edward Fjellskaal <edwardfjellskaal@gmail.com>
+#
+
+# use Cerdo::State C => 'jalla.conf';
+# C => [ 'jalla.conf', readonly => 1 ]
+
+package Cerdo::State;
+
+use strict;
+use Data::Dumper;
+use Carp;
+
+my %namespace;
+
+sub import {
+ my($class, %ns) = @_;
+
+ for my $ns (keys %ns) {
+ my($ret,$file,%opt);
+
+ $file = $ns{$ns};
+ ($file,%opt) = @$file if ref $file;
+
+ $ret = do $file;
+
+ if ($@) {
+ croak "Parse failed for $file:\n $@";
+ next;
+ }
+
+# warn "couldn't do $file: $!" unless defined $ret;
+# warn "couldn't run $file" unless $ret;
+
+ if ($ret && $ret =~ /\D/ && $ret ne $ns) {
+ no strict 'refs';
+ *{$ns.'::'} = \%{$ret.'::'};
+ *{$ret.'::'} = {};
+ }
+
+ $namespace{$ns} = {
+ file => $file,
+ write => !$opt{readonly},
+ };
+ }
+}
+
+END {
+ my $file;
+ use vars qw($entry @entry %entry);
+
+ local $Data::Dumper::Indent = 1;
+ local $Data::Dumper::Sortkeys = 1;
+
+ return if $^C; # just compile checking
+ return if $?; # return if the program died.
+
+ for my $ns (keys %namespace) {
+ $file = $namespace{$ns}{file};
+
+ next unless $namespace{$ns}{write};
+
+ unlink "$file.old";
+ rename "$file", "$file.old";
+ eval {
+ no strict 'refs';
+
+ my($key,$val);
+ local *RC;
+ open RC, ">:utf8", $file or die;
+ print RC "# data file for @{[$0 =~ m,.*/(.*),]} -*- Mode: perl -*-\n" or die;
+ print RC "# written @{[scalar localtime]}\n\n" or die;
+ print RC "package $ns;\n\n" or die;
+ print RC "use utf8;\n\n" or die;
+
+ while (($key,$val) = each %{$ns.'::'}) {
+ local(*entry) = $val;
+ if (defined $entry) {
+ #print RC Data::Dumper->Dump([$entry],["*$key"]) or die;
+ print RC Data::Dumper->Dump([$entry],['$'.$key]) or die;
+ }
+ if (defined @entry) {
+ print RC Data::Dumper->Dump([\@entry],["*$key"]) or die;
+ #print RC Data::Dumper->Dump([\@entry],['@'.$key]) or die;
+ }
+ if (defined %entry) {
+ print RC Data::Dumper->Dump([\%entry],["*$key"]) or die;
+ #print RC Data::Dumper->Dump([\%entry],[$key]) or die;
+ }
+ }
+ print RC "\n__"."PACKAGE"."__;\n" or die;
+ close RC or die;
+ };
+ if ($@) {
+ carp "Writing of $ns to $file failed:\n $@\n $!";
+ unlink $file;
+ link "$file.old", "$file";
+ }
+ }
+}
+
+1;
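Review bot: `defined @entry` and `defined %entry` in the END block are deprecated aggregate checks that became compile errors in Perl 5.22, so the writer should test emptiness directly: `if (@entry) {` and `if (%entry) {`. The `rename "$file", "$file.old"` before the eval is unchecked, and the bare `die;` calls inside it discard `$!`, so a failed open or write is reported only as "Died" — `open RC, '>:utf8', $file or die "open $file: $!";` would keep the reason (and the `next` after `croak` in import is unreachable). Since `do $file` in import executes each state file as Perl, anyone who can write to the state directory runs code in this process, and the files are created here with whatever the umask allows; the module has no POD, and a header note that the state directory must be writable only by the owning user would make that contract visible to whoever deploys it.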
