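#!/usr/bin/perl -w
#
########################################################################
#
# File: snort_opts.pl
#
# Purpose: To parse snort rules and display a listing of snort fields
#          along with how many snort rules in which each field is
#          found.
#
# Caveats: - Matching is textual and per physical line: a keyword is
#            counted when it follows whitespace, '(' or ';' and is
#            followed by ':' or ';'. The same text inside a quoted
#            string (e.g. a msg value) is counted as well, and a rule
#            continued over several lines is examined line by line.
#          - Keywords are counted on lines that begin with "alert"
#            only, while the denominator counts every non-blank line
#            that does not start with '#'. Rule sets containing other
#            line types therefore report lower percentages.
#
########################################################################
#

use strict;
use warnings;

use List::Util qw(max);

# Snort rule option keywords to tally; each one starts at zero hits.
my %options = map { $_ => 0 } qw(
    flow flowbits msg logto ttl tos id ipopts fragbits dsize flags
    seq ack itype icode icmp_id icmp_seq content uricontent
    content-list offset depth nocase session rpc resp react reference
    sid rev classtype priority tag ip_proto sameip stateless regex
    distance within byte_jump byte_test pcre http_header http_uri
    urilen http_method fast_pattern metadata threshold
    detection_filter
);

# One precompiled pattern per keyword. \Q..\E keeps the keyword literal
# even if a future entry contains a regex metacharacter.
my %pattern_for = map { $_ => qr/[\s(;]\Q$_\E[:;]/ } keys %options;

my $dir         = 'deps/snort_rules';
my $total_rules = 0;

opendir my $dir_fh, $dir or die "[*] Could not open $dir: $!";
my @rfiles = readdir $dir_fh;
closedir $dir_fh;

print "[+] Calculating snort rule keyword percentages:\n";

RFILE:
for my $rfile (sort @rfiles) {
    # Only names that END in .rules: an unanchored match would also read
    # backups such as foo.rules.orig and count their rules twice.
    next RFILE unless $rfile =~ /\.rules\z/;

    my $path = "$dir/$rfile";
    next RFILE unless -f $path;

    # Three-argument open with a lexical handle: the name returned by
    # readdir is used as a path only and is never parsed for a mode.
    open my $rules_fh, '<', $path
        or die "[*] Could not open $path: $!";

    LINE:
    while (my $line = <$rules_fh>) {
        chomp $line;
        next LINE unless $line =~ /\S/;
        next LINE if $line =~ /^#/;
        $total_rules++;

        next LINE unless $line =~ /^\s*alert/;
        for my $opt (keys %options) {
            $options{$opt}++ if $line =~ $pattern_for{$opt};
        }
    }
    close $rules_fh;
}

# Without this guard the percentage below dies with "Illegal division
# by zero" when the directory holds no rules.
die "[*] No snort rules found in $dir\n" unless $total_rules;

my $max_opt_len = max(map { length } keys %options);

# Highest count first; ties are ordered by name so that repeated runs
# over the same rule set print identical output.
for my $opt (sort { $options{$b} <=> $options{$a} or $a cmp $b }
    keys %options)
{
    printf "%*s %13s%.1f%%\n",
        $max_opt_len, $opt,
        "$options{$opt}/$total_rules ",
        $options{$opt} / $total_rules * 100;
}

exit 0;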