
added various unrecognized snort rule options

commit f08b09a5d6f3da23f20cc86209a77d6ca46a2602 1 parent 897e429
Michael Rash authored
Showing with 27 additions and 0 deletions.
  1. +27 −0 snort_opts.pl
27 snort_opts.pl
@@ -35,6 +35,8 @@
'offset' => 0,
'depth' => 0,
'nocase' => 0,
+ 'file_data' => 0,
+ 'rawbytes' => 0,
'session' => 0,
'rpc' => 0,
'resp' => 0,
@@ -47,23 +49,37 @@
'tag' => 0,
'ip_proto' => 0,
'sameip' => 0,
+ 'asn1' => 0,
'stateless' => 0,
'regex' => 0,
+ 'window' => 0,
+ 'isdataat' => 0,
'distance' => 0,
'within' => 0,
'byte_jump' => 0,
'byte_test' => 0,
+ 'byte_extract' => 0,
'pcre' => 0,
+ 'ftpbounce' => 0,
+ 'base64_data' => 0,
+ 'base64_decode' => 0,
'http_header' => 0,
+ 'http_cookie' => 0,
'http_uri' => 0,
+ 'http_raw_uri' => 0,
'urilen' => 0,
'http_method' => 0,
+ 'http_stat_code' => 0,
+ 'http_stat_msg' => 0,
+ 'http_client_body' => 0,
'fast_pattern' => 0,
'metadata' => 0,
'threshold' => 0,
'detection_filter' => 0,
);
+my %unrecognized = ();
+
my $dir = 'deps/snort_rules';
my $total_rules = 0;
@@ -93,6 +109,12 @@
$options{$opt}++;
}
}
+ while ($line =~ m/[\s;](\w+)[:;]/g) {
+ next if $1 =~ /^\d+$/;
+ unless (defined $options{$1}) {
+ $unrecognized{$1}++;
+ }
+ }
}
}
}
@@ -107,4 +129,9 @@
print sprintf("%.1f", $options{$opt} / $total_rules * 100) . "%\n";
}
+print "\n[-] Potentially unrecognized options:\n";
+for my $opt (keys %unrecognized) {
+ print " $opt\n";
+}
+
exit 0;
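Review bot: The new scan loop `while ($line =~ m/[\s;](\w+)[:;]/g)` consumes the delimiter on both sides of each option name, so in a rule written without a space after the semicolon (`nocase;rawbytes;`) every second option is skipped and never reaches `%unrecognized`; an option directly after the opening `(` is skipped as well. Lookarounds leave the delimiters in place for the next match: `while ($line =~ m/(?<=[\s;(])(\w+)(?=[:;])/g) {`. The pattern also runs over quoted values, so a word followed by `:` or `;` inside a `msg:"..."` or `content:"..."` string is reported as an option; stripping quoted strings from a copy of `$line` before the loop would cut that noise. Because this list is what shows which rule options the script does not yet account for, a missed name is worse than an extra one. The loop sits inside blocks that open outside the hunk, so this assumes `$line` holds one complete rule.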