代码拉取完成,页面将自动刷新
#!/usr/bin/env perl
## pulledpork v(whatever it says below!)
# Copyright (C) 2009-2021 JJ Cummings, Michael Shirk and the PulledPork Team!
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
use strict;
use warnings;
use File::Copy;
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Status qw (is_success);
#use Crypt::SSLeay;
use Sys::Syslog;
use Digest::MD5;
use File::Path;
use File::Find;
use File::Basename;
use Getopt::Long qw(:config no_ignore_case bundling);
use Archive::Tar;
use POSIX qw(:errno_h);
use Cwd;
use Carp;
use Data::Dumper;
### Vars here
# we are gonna need these!
my ($oinkcode, $temp_path, $rule_file, $Syslogging);
my $VERSION = "0.8.0";
my $HUMOR = "The only positive thing to come out of 2020...well this and take-out liquor!";
my $ua = LWP::UserAgent->new;
#Read in proxy settings from the environment
$ua->env_proxy;
#Add PulledPork version to the user agent
$ua->agent("PulledPork v$VERSION");
# for certificate validation, check for the operating system
# and set the path to the certificate store if required.
my $oSystem = "$^O";
my $CAFile = "OS Default";
if ($oSystem =~ /freebsd/i) {
#Check to ensure the cert file exists
if (-e "/etc/ssl/cert.pem") {
$CAFile = "/etc/ssl/cert.pem";
if (-r $CAFile) {
$ua->ssl_opts(SSL_ca_file => $CAFile);
}
else {
carp "ERROR: $CAFile is not readable by "
. (getpwuid($<))[0] . "\n";
syslogit('err|local0',
"FATAL: ERROR: $CAFile is not readable by "
. (getpwuid($<))[0] . "\n")
if $Syslogging;
exit(1);
}
#Check for the other location for the cert file
}
elsif (-e "/usr/local/etc/ssl/cert.pem") {
$CAFile = "/usr/local/etc/ssl/cert.pem";
if (-r $CAFile) {
$ua->ssl_opts(SSL_ca_file => $CAFile);
}
else {
carp "ERROR: $CAFile is not readable by "
. (getpwuid($<))[0] . "\n";
syslogit('err|local0',
"FATAL: ERROR: $CAFile is not readable by "
. (getpwuid($<))[0] . "\n")
if $Syslogging;
exit(1);
}
}
else {
carp
"ERROR: cert file does not exist (/etc/ssl/cert.pem or /usr/local/etc/ssl/cert.pem) Ensure that the ca_root_nss port/pkg is installed, or use -w to skip SSL verification\n";
syslogit('err|local0',
"FATAL: cert file does not exist. Ensure that the ca_root_nss port/pkg is installed, or use -w to skip SSL verification\n"
) if $Syslogging;
exit(1);
}
}
my ($Hash, $ALogger, $Config_file, $Sorules, $Auto);
my ($Output, $Distro, $Snort, $sid_changelog, $ignore_files);
my ($Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy,);
my ($pid_path, $SigName, $NoDownload, $sid_msg_map, @base_url);
my ($local_rules, $arch, @records, $enonly);
my ($rstate, $keep_rulefiles, $rule_file_path, $prefix, $block_list);
my ($Process, $hmatch, $bmatch, $sid_msg_version, $skip_verify,
$proxy_workaround);
my $Sostubs = 1;
my $Snortv3 = 0;
# verbose and quiet control print()
# default values if not set otherwise in getopt
# $Verbose = 0 is normal output (default behaviour)
# $Verbose = 1 is loud output
# $Verbose = 2 is troubleshooting output
# $Quiet = 0 leaves verbosity as default or otherwise set
# $Quiet = 1 suppresses all but FAIL messages, eg, anything preceding an exit
my $Verbose = 0;
my $Quiet = 0;
undef($Hash);
undef($ALogger);
my %rules_hash = ();
my %blocklist = ();
my %oldrules_hash = ();
my %sid_msg_map = ();
my %sidmod = ();
my $categories = ();
undef %rules_hash;
undef %oldrules_hash;
undef %sid_msg_map;
## initialize some vars
my $rule_digest = "";
my $md5 = "";
# Vars the subroutine to fetch config values
my ($Config_key);
my %Config_info = ();
### Subroutines here
## routine to grab our config from the defined config file
sub parse_config_file {
my ($FileConf, $Config_val) = @_;
my ($config_line, $Name, $Value);
if (!open(CONFIG, "$FileConf")) {
carp "ERROR: Config file not found : $FileConf\n";
syslogit('err|local0', "FATAL: Config file not found: $FileConf")
if $Syslogging;
exit(1);
}
open(CONFIG, "$FileConf");
while (<CONFIG>) {
$config_line = $_;
chomp($config_line);
$config_line = trim($config_line);
if (($config_line !~ /^#/) && ($config_line ne "")) {
($Name, $Value) = split(/=/, $config_line);
if ($Value =~ /,/ && $Name eq "rule_url") {
push(@{ $$Config_val{$Name} }, split(/,/, $Value));
}
elsif ($Name eq "rule_url") {
push(@{ $$Config_val{$Name} }, split(/,/, $Value))
if $Value;
}
else {
$$Config_val{$Name} = $Value;
}
}
}
close(CONFIG);
}
## Help routine.. display help to stdout then exit
sub Help {
my $msg = shift;
if ($msg) { print "\nERROR: $msg\n"; }
print <<__EOT;
Usage: $0 [-dEgklnRTPVvv? -help] -c <config filename> -o <rule output path>
-O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer>
-p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
-h <changelog path> -H <signal_name> -I (security|connectivity|balanced) -i <path to disablesid.conf>
-b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
Options:
-help/? Print this help info.
-b Where the dropsid config file lives.
-C Path to your snort.conf
-c Where the pulledpork config file lives.
-d Do not verify signature of rules tarball, i.e. downloading fron non VRT or ET locations.
-D What Distro are you running on, for the so_rules
For latest supported options see http://www.snort.org/snort-rules/shared-object-rules
Valid Distro Types:
Alpine-3-10
Centos-6, Centos-7, Centos-8
Debian-8, Debian-9, Debian-10
FC-27, FC-30
FreeBSD-11, FreeBSD-12
OpenBSD-6-2, OpenBSD-6-4, OpenBSD-6-5
OpenSUSE-15-0, OpenSUS-15-1, OpenSUSE-42-3
RHEL-6, RHEL-7, RHEL-8
Slackware-14-2
Ubuntu-14-4, Ubuntu-16-4, Ubuntu-17-10, Ubuntu-18-4
-e Where the enablesid config file lives.
-E Write ONLY the enabled rules to the output files.
-g grabonly (download tarball rule file(s) and do NOT process)
-h path to the sid_changelog if you want to keep one?
-H Send signal_name to the pids listed in the config file (SIGHUP or SIGUSR2)
-I Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)
-i Where the disablesid config file lives.
-k Keep the rules in separate files (using same file names as found when reading)
-K Where (what directory) do you want me to put the separate rules files?
-l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
-L Where do you want me to read your local.rules for inclusion in sid-msg.map
-m where do you want me to put the sid-msg.map file?
-M where the modifysid config file lives.
-n Do everything other than download of new files (disablesid, etc)
-o Where do you want me to put generic rules file?
-O Define the oinkcode on the command line (necessary for some users)
-p Path to your Snort binary
-P Process rules even if no new rules were downloaded
-R When processing enablesid, return the rules to their ORIGINAL state
-S What version of snort are you using (2.8.6 or 2.9.0) are valid values
-s Where do you want me to put the so_rules?
-T Process text based rules files only, i.e. DO NOT process so_rules
-u Where do you want me to pull the rules tarball from
** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas
-V Print Version and exit
-v Verbose mode, you know.. for troubleshooting and such nonsense.
-vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
-w Skip the SSL verification (if there are issues pulling down rule files)
-W Where you want to work around the issue where some implementations of LWP do not work with pulledpork's proxy configuration.
__EOT
exit(0);
}
## OMG We MUST HAVE FLYING PIGS!
sub pulledpork {
print <<__EOT;
https://github.com/shirkdog/pulledpork
_____ ____
`----,\\ )
`--==\\\\ / PulledPork v$VERSION - $HUMOR
`--==\\\\/
.-~~~~-.Y|\\\\_ Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
\@_/ / 66\\_ and the PulledPork Team!
| \\ \\ _(\")
\\ /-| ||'--' Rules give me wings!
\\_\\ \\_\\\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__EOT
}
## subroutine to cleanup the temp rubbish!!!
sub temp_cleanup {
my $remove = rmtree($temp_path . "tha_rules");
if ($Verbose && !$Quiet) {
print "Cleanup....\n";
print
"\tremoved $remove temporary snort files or directories from $temp_path"
. "tha_rules!\n";
}
}
# subroutine to extract the files to a temp path so that we can do what we need to do..
sub rule_extract {
my ($rule_file, $temp_path, $Distro, $arch, $Snort,
$Sorules, $ignore, $prefix, $Snortv3)
= @_;
#special case to bypass file operations when -nPT are specified
my $BypassTar = 0;
if (!$BypassTar) {
print "Prepping rules from $rule_file for work....\n" if !$Quiet;
print "\textracting contents of $temp_path$rule_file...\n"
if ($Verbose && !$Quiet);
}
mkpath($temp_path . "tha_rules");
mkpath($temp_path . "tha_rules/so_rules");
my $tar = Archive::Tar->new();
if (!$BypassTar) {
$tar->read($temp_path . $rule_file);
$tar->setcwd(cwd());
}
local $Archive::Tar::CHOWN = 0;
my @ignores = split(/,/, $ignore) if (defined $ignore);
foreach (@ignores) {
if ($_ =~ /\.rules/) {
print "\tIgnoring plaintext rules: $_\n" if ($Verbose && !$Quiet);
$tar->remove("rules/$_");
}
elsif ($_ =~ /\.preproc/) {
print "\tIgnoring preprocessor rules: $_\n"
if ($Verbose && !$Quiet);
my $preprocfile = $_;
$preprocfile =~ s/\.preproc/\.rules/;
$tar->remove("preproc_rules/$preprocfile");
}
elsif ($_ =~ /\.so/) {
print "\tIgnoring shared object rules: $_\n"
if ($Verbose && !$Quiet);
$tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_");
}
else {
print "\tIgnoring all rule types in $_ category!\n"
if ($Verbose && !$Quiet);
$tar->remove("rules/$_.rules");
$tar->remove("preproc_rules/$_.rules");
$tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_");
}
}
my $sofile_pat_base = "^so_rules\/precompiled\/";
if ($Snortv3 == 0) {
$sofile_pat_base = $sofile_pat_base . "($Distro)\/($arch)\/($Snort)\/";
}
else {
$sofile_pat_base = $sofile_pat_base . "($Distro)-($arch)\/";
}
my $sofile_pat = $sofile_pat_base . ".*\.so";
my @files = $tar->get_files();
foreach (@files) {
my $filename = $_->name;
my $singlefile = $filename;
if ($filename =~ /^(community-)?rules\/.*\.rules$/) {
$singlefile =~ s/^(community-)?rules\///;
$tar->extract_file($filename,
$temp_path . "/tha_rules/$prefix" . $singlefile);
print "\tExtracted: /tha_rules/$prefix$singlefile\n"
if ($Verbose && !$Quiet);
}
elsif ($filename =~ /^preproc_rules\/.*\.rules$/) {
$singlefile =~ s/^preproc_rules\///;
$tar->extract_file($filename,
$temp_path . "/tha_rules/$prefix" . $singlefile);
print "\tExtracted: /tha_rules/$prefix$singlefile\n"
if ($Verbose && !$Quiet);
}
elsif ($Sorules
&& $filename
=~ m/$sofile_pat/
&& -d $Sorules
&& !$Textonly)
{
$singlefile
=~ s/$sofile_pat_base//;
$tar->extract_file($filename, $Sorules . $singlefile);
print "\tExtracted: $Sorules$singlefile\n"
if ($Verbose && !$Quiet);
}
}
print "\tDone!\n" if (!$Verbose && !$Quiet);
}
## subroutine to actually check the md5 values, if they match we move onto file manipulation routines
sub compare_md5 {
my (
$oinkcode, $rule_file, $temp_path, $Hash,
$base_url, $md5, $rule_digest, $Distro,
$arch, $Snort, $Sorules, $ignore_files,
$prefix, $Process, $hmatch, $fref
) = @_;
if ($rule_digest =~ $md5 && !$Hash) {
if ($Verbose && !$Quiet) {
print "\tThe MD5 for $rule_file matched $md5\n\n";
}
if (!$Verbose && !$Quiet) { print "\tThey Match\n\tDone!\n"; }
return (1);
}
elsif ($rule_digest !~ $md5 && !$Hash) {
if ($Verbose && !$Quiet) {
print
"\tThe MD5 for $rule_file did not match the latest digest... so I am gonna fetch the latest rules file!\n";
}
if (!$Verbose && !$Quiet) { print "\tNo Match\n\tDone\n"; }
rulefetch($oinkcode, $rule_file, $temp_path, $base_url);
$rule_digest = md5sum($rule_file, $temp_path);
$fref->{EXTRACT} = 1 if !$grabonly;
return (
compare_md5(
$oinkcode, $rule_file, $temp_path, $Hash,
$base_url, $md5, $rule_digest, $Distro,
$arch, $Snort, $Sorules, $ignore_files,
$prefix, $Process, $hmatch, $fref
)
);
}
elsif ($Hash) {
if ($Verbose && !$Quiet) {
print
"\tOk, not verifying the digest.. lame, but that's what you specified!\n";
print
"\tSo if the rules tarball doesn't extract properly and this script croaks.. it's your fault!\n";
print "\tNo Verify Set\n\tDone!\n";
}
$fref->{EXTRACT} = 1 if !$grabonly;
return (1);
}
else {
return ($hmatch);
}
}
sub _get_ua_request {
my ($ua, $method, $url, $file) = @_;
my $request = HTTP::Request->new($method => $url);
my $response = $ua->request($request, $file);
if ($response->is_success) {
return $response->code;
}
# TODO: 4XX catching
my $msg = sprintf("Error downloading %s: %s [ %d ]",
$url, $response->status_line, $response->code);
syslogit('err|local0', $msg) if $Syslogging;
die $msg, $/;
}
## mimic LWP::Simple getstore routine - Thx pkthound!
sub getstore {
my ($url, $file) = @_;
my $method = "GET";
#Workaround proxy issues, depends on version of LWP
#May need to be addressed in the future
if ($ua->proxy("https") && $url =~ /^https:/ && !$proxy_workaround) {
$method = "CONNECT";
}
else {
$method = "GET";
}
# on the first run, the file may not exist, so check.
if (-e $file) {
# Check to ensure the user has write access to the file
if (-r $file && -w _) {
return _get_ua_request($ua, $method, $url, $file);
}
else {
carp "ERROR: $file is not writable by "
. (getpwuid($<))[0] . "\n";
syslogit('err|local0',
"FATAL: $file is not writable by " . (getpwuid($<))[0] . "\n")
if $Syslogging;
exit(1);
}
}
else {
return _get_ua_request($ua, $method, $url, $file);
}
}
## time to grab the real 0xb33f
sub rulefetch {
my ($oinkcode, $rule_file, $temp_path, $base_url) = @_;
print "Rules tarball download of $rule_file....\n"
if (!$Quiet
&& $rule_file !~ /IPBLOCKLIST/
&& $oinkcode !~ /RULEFILE/);
print "Rule file download of $rule_file....\n"
if (!$Quiet
&& $rule_file !~ /IPBLOCKLIST/
&& $oinkcode =~ /RULEFILE/);
print "IP Blocklist download of $base_url....\n"
if (!$Quiet
&& $rule_file =~ /IPBLOCKLIST/
&& $oinkcode !~ /RULEFILE/);
$base_url = slash(0, $base_url);
my ($getrules_rule);
if ($Verbose && !$Quiet) {
print "\tFetching rules file: $rule_file\n"
if ($rule_file !~ /IPBLOCKLIST/ && $oinkcode !~ /RULEFILE/);
if ($Hash && $rule_file !~ /IPBLOCKLIST/ && $oinkcode !~ /RULEFILE/) {
print "But not verifying MD5\n";
}
}
if ($base_url =~ /[^labs]\.snort\.org/i) {
$getrules_rule
= getstore(
"https://www.snort.org/rules/$rule_file\?oinkcode=$oinkcode",
$temp_path . $rule_file);
}
elsif ($rule_file =~ /IPBLOCKLIST/ && !$NoDownload) {
my $rand = rand(1000);
$getrules_rule
= getstore($base_url, $temp_path . "$rand-block_list.rules");
read_iplist(\%blocklist, $temp_path . "$rand-block_list.rules");
unlink($temp_path . "$rand-block_list.rules");
}
elsif ($oinkcode =~ /RULEFILE/ && !$NoDownload) {
my $rand = rand(1000);
mkpath($temp_path . "/tha_rules");
$getrules_rule = getstore($base_url . "/" . $rule_file,
$temp_path . "/tha_rules/" . $rule_file);
}
else {
$getrules_rule
= getstore($base_url . "/" . $rule_file, $temp_path . $rule_file);
}
if ($getrules_rule == 403) {
print
"\tA 403 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
"\tYou may also wish to verify your oinkcode, tarball name, and other configuration options\n";
syslogit('emerg|local0', "FATAL: 403 error occured") if $Syslogging;
exit(1); # For you shirkdog
}
elsif ($getrules_rule == 404) {
print
"\tA 404 error occurred, please verify your filenames and urls for your tarball!\n";
syslogit('emerg|local0', "FATAL: 404 error occured") if $Syslogging;
exit(1); # For you shirkdog
}
elsif ($getrules_rule == 500) {
print
"\tA 500 error occurred, please verify that you have recently updated your root certificates!\n";
syslogit('emerg|local0', "FATAL: 500 error occured") if $Syslogging;
exit(1); # Certs bitches!
}
unless (is_success($getrules_rule)) {
syslogit('emerg|local0',
"FATAL: Error $getrules_rule when fetching $rule_file")
if $Syslogging;
croak "\tError $getrules_rule when fetching " . $rule_file;
}
if ($Verbose && !$Quiet && $rule_file !~ /IPBLOCKLIST/) {
print("\tstoring file at: $temp_path$rule_file\n\n");
}
if (!$Verbose && !$Quiet) { "\tDone!\n"; }
}
## subroutine to deterine the md5 digest of the current rules file
sub md5sum {
my ($rule_file, $temp_path) = @_;
open(MD5FILE, "$temp_path$rule_file")
or croak $!;
binmode(MD5FILE);
$rule_digest = Digest::MD5->new->addfile(*MD5FILE)->hexdigest;
close(MD5FILE);
if ($@) {
print $@;
return "";
}
if ($Verbose && !$Quiet) {
print "\tcurrent local rules file digest: $rule_digest\n";
}
return $rule_digest;
}
## subroutine to fetch the latest md5 digest signature file from snort.org
sub md5file {
my ($oinkcode, $rule_file, $temp_path, $base_url) = @_;
my ($getrules_md5, $md5) = "";
$base_url = slash(0, $base_url);
print "Checking latest MD5 for $rule_file....\n" if !$Quiet;
print "\tFetching md5sum for: " . $rule_file . ".md5\n"
if ($Verbose && !$Quiet);
if ($base_url =~ /[^labs]\.snort\.org/i) {
$getrules_md5 = getstore(
"https://www.snort.org/rules/$rule_file.md5\?oinkcode=$oinkcode",
$temp_path . $rule_file . ".md5"
);
}
elsif ($base_url
=~ /(secureworks|emergingthreats\.net|emergingthreatspro\.com|snort\.org.+community)/i
)
{
$getrules_md5 = getstore(
"$base_url/$rule_file" . ".md5",
$temp_path . $rule_file . ".md5"
);
}
if ($getrules_md5 == 403) {
print
"\tA 403 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
"\tYou may also wish to verify your oinkcode, tarball name, and other configuration options\n";
}
elsif ($getrules_md5 == 429) {
print
"\tA 429 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
"\tYou may also wish to verify your oinkcode, tarball name, and other configuration options\n";
}
elsif ($getrules_md5 == 404) {
print
"\tA 404 error occurred, please verify your filenames and urls for your tarball!\n";
}
open(FILE, "$temp_path$rule_file.md5")
or warn $!;
$md5 = <FILE>;
chomp($md5);
close(FILE);
$md5 =~ /\w{32}/
; ## Lets just grab the hash out of the string.. don't care about the rest!
$md5 = $&;
if ($Verbose && !$Quiet) {
print "\tmost recent rules file digest: $md5\n";
}
return $md5;
}
## This sub allows for ip-reputation list de-duplication and processing:
sub read_iplist {
my ($href, $path) = @_;
print "\t" if ($Verbose && !$Quiet);
print "Reading IP List...\n" if !$Quiet;
open(FH, '<', $path) || croak "Couldn't read $path - $!\n";
while (<FH>) {
chomp();
# we only want valid IP addresses, otherwise shiz melts!
next
unless $_
=~ /(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/;
$_ = trim($_);
$_ =~ s/,*//;
$href->{$_} = 1;
}
close(FH);
}
## This replaces the copy_rules routine and allows for in-memory processing
# of disablesid, enablesid, dropsid and other sid functions.. here we place
# all of the rules values into a hash as {$gid}{$sid}=$rule
sub read_rules {
my ($hashref, $path, $extra_rules) = @_;
my ($file, $sid, $gid, @elements);
print "\t" if ($Verbose && !$Quiet);
print "Reading rules...\n" if !$Quiet;
my $reading_old_rules = $path eq ($rule_file_path || '');
my @local_rules = split(/,/, $extra_rules);
foreach (@local_rules)
{ #First let's read our local rules and assign a gid of 0
$extra_rules = slash(0, $_);
$file = basename($extra_rules);
if ($extra_rules && -f $extra_rules) {
open(DATA, "$extra_rules")
|| croak "Couldn't read $extra_rules - $!\n";
my @extra_raw = <DATA>;
close(DATA);
my $trk = 0;
my $record;
foreach my $row (@extra_raw) {
$row = trim($row);
chomp($row);
if ($row =~ /^\s*#*\s*(alert|drop|pass)/i || $trk == 1) {
if (($row !~ /^#/) && ($row ne "")) {
if ($row =~ /\\$/) { # handle multiline rules here
$row =~ s/\\$//;
$record .= $row;
$trk = 1;
}
elsif ($row !~ /\\$/ && $trk == 1)
{ # last line of multiline rule here
$record .= $row;
if ($record =~ /\ssid:\s*\d+\s*;/i) {
$sid = $&;
$sid =~ s/\ssid:\s*//;
$sid =~ s/\s*;//;
$$hashref{0}{ trim($sid) }{'rule'} = $record;
}
$trk = 0;
undef $record;
}
else {
if ($row =~ /\ssid:\s*\d+\s*;/i) {
$sid = $&;
$sid =~ s/\ssid:\s*//;
$sid =~ s/\s*;//;
$$hashref{0}{ trim($sid) }{'rule'} = $row;
}
$trk = 0;
}
if ($trk == 0) {
$sid = trim($sid);
my $rule = $$hashref{0}{$sid}{'rule'};
if ($rule =~ /^\s*\#+/) {
$$hashref{0}{$sid}{'state'} = 0;
}
elsif ($rule =~ /^\s*(alert|pass|drop)/) {
$$hashref{0}{$sid}{'state'} = 1;
}
$file =~ s/\.rules//;
$$hashref{0}{$sid}{'category'} = $file;
$categories->{$file}{0}{$sid} = 1;
}
}
}
}
undef @extra_raw;
}
}
if (-d $path) {
opendir(DIR, "$path");
while (defined($file = readdir DIR)) {
my $fullpath = $path.$file;
if (grep /^$fullpath$/, @local_rules) {
next;
}
else {
open(DATA, "$fullpath");
@elements = <DATA>;
close(DATA);
}
foreach my $rule (@elements) {
chomp($rule);
$rule = trim($rule);
if ($rule =~ /^\s*#*\s*(alert|drop|pass)/i) {
if ($rule =~ /\ssid:\s*\d+\s*;/i) {
$sid = $&;
$sid =~ s/\ssid:\s*//;
$sid =~ s/\s*;//;
if ($rule =~ /\sgid:\s*\d+/i) {
$gid = $&;
$gid =~ s/\sgid:\s*//;
}
else { $gid = 1; }
if ($rule =~ /flowbits:\s*((un)?set(x)?|toggle)/i) {
# There is a much cleaner way to do this, I just don't have the time to do it right now!
my ($header, $options)
= split(/^[^"]* \(/, $rule);
my @optarray = split(/(?<!\\);(\t|\s)*/, $options)
if $options;
foreach my $option (reverse(@optarray)) {
my ($kw, $arg) = split(/:/, $option)
if $option;
next
unless ($kw && $arg && $kw eq "flowbits");
my ($flowact, $flowbit) = split(/,/, $arg);
next
unless $flowact
=~ /^\s*((un)?set(x)?|toggle)/i;
$$hashref{ trim($gid) }{ trim($sid) }
{ trim($flowbit) } = 1;
}
}
if ($rule =~ /^\s*\#+/) {
$$hashref{ trim($gid) }{ trim($sid) }{'state'}
= 0;
}
elsif ($rule =~ /^\s*(alert|pass|drop)/) {
$$hashref{ trim($gid) }{ trim($sid) }{'state'}
= 1;
}
$file =~ s/\.rules//;
$file = "VRT-SO-$file"
if ($gid == 3 && $file !~ /VRT-SO/);
$$hashref{ trim($gid) }{ trim($sid) }{'rule'} = $rule;
$$hashref{ trim($gid) }{ trim($sid) }{'category'}
= $file;
next if $reading_old_rules;
$categories->{$file}{ trim($gid) }{ trim($sid) } = 1;
}
}
}
}
close(DIR);
}
elsif (-f $path) {
open(DATA, "$path") || croak "Couldn't read $path - $!";
@elements = <DATA>;
close(DATA);
foreach my $rule (@elements) {
if ($rule =~ /^\s*#*\s*(alert|drop|pass)/i) {
if ($rule =~ /\ssid:\s*\d+/) {
$sid = $&;
$sid =~ s/\ssid:\s*//;
if ($rule =~ /\sgid:\s*\d+/i) {
$gid = $&;
$gid =~ s/\sgid:\s*//;
}
else { $gid = 1; }
if ($rule =~ /flowbits:\s*((un)?set(x)?|toggle)/) {
my ($header, $options) = split(/^[^"]* \(/, $rule);
# There is a much cleaner way to do this, I just don't have the time to do it right now!
my @optarray = split(/(?<!\\);(\t|\s)*/, $options)
if $options;
foreach my $option (reverse(@optarray)) {
my ($kw, $arg) = split(/:/, $option) if $option;
next unless ($kw && $arg && $kw eq "flowbits");
my ($flowact, $flowbit) = split(/,/, $arg);
next
unless $flowact
=~ /^\s*((un)?set(x)?|toggle)/i;
$$hashref{ trim($gid) }{ trim($sid) }
{ trim($flowbit) } = 1;
}
}
$$hashref{ trim($gid) }{ trim($sid) }{'rule'} = $rule;
}
}
}
}
undef @elements;
}
## sub to generate stub files using the snort --dump-dynamic-rules option
sub gen_stubs {
my ($Snort_path, $Snort_config, $Sostubs, $Snortv3, $Sorules) = @_;
print "Generating Stub Rules....\n" if !$Quiet;
unless (-B $Snort_path) {
Help("$Snort_path is not a valid binary file");
}
if (-d $Sostubs && -B $Snort_path && -f $Snort_config) {
my $cmd = "";
if ($Snortv3) {
$cmd = "$Snort_path -c $Snort_config --plugin-path $Sorules --dump-dynamic-rules > $Sostubs/allso.rules";
}
else {
$cmd = "$Snort_path -c $Snort_config --dump-dynamic-rules=$Sostubs"
}
if ($Verbose && !$Quiet) {
print(
"\tGenerating shared object stubs via: $cmd\n"
);
}
if (!$Snortv3) {
open(FH, "$cmd 2>&1|");
} else {
open(FH, "|-", "$cmd");
}
while (<FH>) {
print "\t$_" if $_ =~ /Dumping/i && ($Verbose && !$Quiet);
next unless $_ =~ /(err|warn|fail)/i;
syslogit('warning|local0', "FATAL: An error occured: $_")
if $Syslogging;
print "\tAn error occurred: $_\n";
# Yes, this is lame error reporting to stdout ...
}
close(FH);
}
else {
print(
"Something failed in the gen_stubs sub, please verify your shared object config!\n"
);
if ($Verbose && !$Quiet) {
unless (-d $Sostubs) {
Help(
"The path that you specified: $Sostubs does not exist! Please verify your configuration.\n"
);
}
unless (-f $Snort_path) {
Help(
"The file that you specified: $Snort_path does not exist! Please verify your configuration.\n"
);
}
unless (-f $Snort_config) {
Help(
"The file that you specified: $Snort_config does not exist! Please verify your configuration.\n"
);
}
}
}
print "\tDone\n" if !$Quiet;
}
sub vrt_policy {
my ($ids_policy, $rule) = @_;
my ($gid, $sid);
if ($rule =~ /policy\s$ids_policy/i && $rule !~ /flowbits\s*:\s*noalert/i)
{
$rule =~ s/^#*\s*//;
}
elsif ($rule !~ /^\s*#/) {
$rule = "# $rule";
}
return $rule;
}
sub policy_set {
my ($ids_policy, $hashref) = @_;
if ($hashref) {
if ($ids_policy ne "Disabled" && $ids_policy ne "") {
print "Activating $ids_policy rulesets....\n" if !$Quiet;
foreach my $k (sort keys %$hashref) {
foreach my $k2 (keys %{ $$hashref{$k} }) {
$$hashref{$k}{$k2}{'rule'}
= vrt_policy($ids_policy, $$hashref{$k}{$k2}{'rule'});
}
}
print "\tDone\n" if !$Quiet;
}
}
}
## this allows the user to use regular expressions to modify rule contents
sub modify_sid {
my ($href, $file) = @_;
my @arry;
print "Modifying Sids....\n" if !$Quiet;
open(FH, "<$file") || carp "Unable to open $file\n";
while (<FH>) {
next if (($_ =~ /^\s*#/) || ($_ eq " "));
if ($_ =~ /([(\d+)?\d+|,|\*]*)\s+"(.+)"\s+"(.*)"/) {
my ($ruleids, $from, $to) = ($1, $2, $3);
@arry = split(/,/, $ruleids) if $ruleids !~ /\*/;
@arry = "*" if $ruleids =~ /\*/;
foreach my $ruleid (@arry) {
$ruleid = trim($ruleid);
my @rule_comp;
@rule_comp = split(/-/, $ruleid, 2);
my $sid = pop @rule_comp;
my $gid = pop @rule_comp;
if (not defined $gid) {
$gid = 1;
}
if ($sid ne "*" && safe_defined($href, $gid, $sid, 'rule')) {
print "\tModifying GID:$gid,SID:$sid from:$from to:$to\n"
if ($Verbose && !$Quiet);
$$href{$gid}{$sid}{'rule'} =~ s/$from/$to/;
}
elsif ($sid eq "*") {
print
"\tModifying ALL SIDS for GID:$gid from:$from to:$to\n"
if ($Verbose && !$Quiet);
foreach my $k (sort keys %{ $$href{$gid} }) {
$$href{$gid}{$k}{'rule'} =~ s/$from/$to/;
}
}
}
undef @arry;
}
# Handle use case where we want to modify multiple sids based on
# comment in rule (think multiple rules with same or similar comment)
if ($_ =~ /^regex:'([^']+)'\s+"(.+)"\s+"(.*)"/) {
my ($regex, $from, $to) = ($1, $2, $3);
# Go through each rule in gid:1 and look for matching rules
foreach my $sid (sort keys(%{ $$href{1} })) {
next unless ($$href{1}{$sid}{'rule'} =~ /$regex/);
print "\tModifying SID:$sid from:$from to:$to\n"
if ($Verbose && !$Quiet);
$$href{1}{$sid}{'rule'} =~ s/$from/$to/;
}
}
}
print "\tDone!\n" if !$Quiet;
close(FH);
}
## this relaces the enablesid, disablesid and dropsid functions..
# speed ftw!
sub modify_state {
my ($function, $SID_conf, $hashref, $rstate) = @_;
my (@sid_mod, $sidlist);
print "Processing $SID_conf....\n" if !$Quiet;
print "\tSetting rules specified in $SID_conf to their default state!\n"
if (!$Quiet && $function eq 'enable' && $rstate);
if (-f $SID_conf) {
open(DATA, "$SID_conf") or carp "unable to open $SID_conf $!";
while (<DATA>) {
next unless ($_ !~ /^\s*#/ && $_ ne "");
$sidlist = (split '#', $_)[0];
chomp($sidlist);
$sidlist = trim($sidlist);
if (!@sid_mod) {
@sid_mod = split(/,/, $sidlist);
}
elsif (@sid_mod) {
push(@sid_mod, split(/,/, $sidlist));
}
}
close(DATA);
if ($hashref) {
my $sidcount = 0;
my $skipcount = 0;
foreach (@sid_mod) {
# ranges
if ($_ =~ /^(\d+):\d+-\1:\d+/) {
my ($lsid, $usid) = split(/-/, $&);
my $gid = $lsid;
$sid_mod[$sidcount] = $lsid;
$gid =~ s/:\d+//;
$lsid =~ s/\d+://;
$usid =~ s/\d+://;
while ($lsid < $usid) {
$lsid++;
push(@sid_mod, $gid . ':' . $lsid);
}
}
# pcres
elsif ($_ =~ /^pcre\:.+/i) {
my ($pcre, $regex) = split(/\:/, $&);
foreach my $k1 (keys %$hashref) {
foreach my $k2 (keys %{ $$hashref{$k1} }) {
next unless defined $$hashref{$k1}{$k2}{'rule'};
$sid_mod[$sidcount] = $k1 . ":" . $k2
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/)
);
push(@sid_mod, $k1 . ":" . $k2)
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /\d+:\d+/));
}
}
}
# specific sid
elsif ($_ =~ /^[a-xA-X]+\:.+/) {
my $regex = $&;
$regex =~ s/\:/,/;
foreach my $k1 (keys %$hashref) {
foreach my $k2 (keys %{ $$hashref{$k1} }) {
next unless defined $$hashref{$k1}{$k2}{'rule'};
$sid_mod[$sidcount] = $k1 . ":" . $k2
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/)
);
push(@sid_mod, $k1 . ":" . $k2)
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /\d+:\d+/));
}
}
}
# MS reference
elsif ($_ =~ /^MS\d+-.+/i) {
my $regex = $&;
foreach my $k1 (keys %$hashref) {
foreach my $k2 (keys %{ $$hashref{$k1} }) {
next unless defined $$hashref{$k1}{$k2}{'rule'};
$sid_mod[$sidcount] = $k1 . ":" . $k2
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/)
);
push(@sid_mod, $k1 . ":" . $k2)
if (
($$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i)
&& ($sid_mod[$sidcount] =~ /\d+:\d+/));
}
}
}
# Category
elsif ($_ =~ /[a-xA-X]+(-|\w)*/) {
my $category = $&;
foreach my $k1 (keys %$hashref) {
foreach my $k2 (keys %{ $$hashref{$k1} }) {
next
unless
defined $$hashref{$k1}{$k2}{'category'};
next
unless $$hashref{$k1}{$k2}{'category'}
=~ /($category)/;
$sid_mod[$sidcount] = $k1 . ":" . $k2;
push(@sid_mod, $k1 . ":" . $k2)
if $sid_mod[$sidcount] =~ /\d+:\d+/;
}
}
}
$sidcount++;
}
$sidcount = 0;
$skipcount = 0;
foreach (@sid_mod) {
if ($_ =~ /^\d+:\d+/) {
my $gid = $&;
my $sid = $gid;
if ($gid && $sid) {
$gid =~ s/:\d+//;
$sid =~ s/\d+://;
if ($function) {
if ($function eq "enable") {
if (exists $$hashref{$gid}{$sid}
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*#\s*(alert|drop|pass)/i
&& !$rstate)
{
$$hashref{$gid}{$sid}{'rule'}
=~ s/^\s*#+\s*//;
if ($Verbose && !$Quiet) {
print "\tEnabled $gid:$sid\n";
}
$sidcount++;
}
# Return State!
next unless $$hashref{$gid}{$sid};
next unless $$hashref{$gid}{$sid}{rule};
if ( $$hashref{$gid}{$sid}{'state'}
&& $$hashref{$gid}{$sid}{'state'} == 0
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*(alert|drop|pass)/
&& $rstate)
{
$$hashref{$gid}{$sid}{'rule'} = "# "
. $$hashref{$gid}{$sid}{'rule'};
$sidcount++;
if ($Verbose && !$Quiet) {
print "\tRe-Disabled $gid:$sid\n";
}
}
elsif ($$hashref{$gid}{$sid}{'state'}
&& $$hashref{$gid}{$sid}{'state'} == 1
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*#+\s*(alert|drop|pass)/
&& $rstate)
{
$$hashref{$gid}{$sid}{'rule'}
=~ s/^\s*#+\s*//;
$sidcount++;
if ($Verbose && !$Quiet) {
print "\tRe-Enabled $gid:$sid\n";
}
}
}
elsif ($function eq "drop") {
if (exists $$hashref{$gid}{$sid}
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*#*\s*alert/i)
{
$$hashref{$gid}{$sid}{'rule'}
=~ s/^\s*#*\s*//;
$$hashref{$gid}{$sid}{'rule'}
=~ s/^alert/drop/;
if ($Verbose && !$Quiet) {
print "\tWill drop $gid:$sid\n";
}
$sidcount++;
}
}
elsif ($function eq "disable") {
if (exists $$hashref{$gid}{$sid}
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*(alert|drop|pass)/i)
{
$$hashref{$gid}{$sid}{'rule'} = "# "
. $$hashref{$gid}{$sid}{'rule'};
$$hashref{$gid}{$sid}{'disabled'} = 1;
if ($Verbose && !$Quiet) {
print "\tDisabled $gid:$sid\n";
}
$sidcount++;
}
elsif (exists $$hashref{$gid}{$sid}
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*#*\s*(alert|drop|pass)/i)
{
$$hashref{$gid}{$sid}{'disabled'} = 1;
if ($Verbose && !$Quiet) {
print
"\tAlready Disabled $gid:$sid\n";
}
$skipcount++;
}
}
}
}
}
}
print "\tModified $sidcount rules\n" if !$Quiet;
print "\tSkipped $skipcount rules (already disabled)\n"
if !$Quiet;
}
}
print "\tDone\n" if !$Quiet;
undef @sid_mod;
}
## iprep control socket!
sub iprep_control {
my ($bin, $path) = @_;
return unless (defined $bin && -f $bin && -d $path);
my $cmd = "$bin $path 1361";
print "Issuing reputation socket reload command\n";
print "Command: $cmd\n" if $Verbose;
open(FH, "$cmd 2>&1 |");
while (<FH>) {
chomp();
next unless $_ =~ /(warn|err|unable)/i;
print "$_\n";
}
close(FH);
}
## goodbye
sub send_signal {
my ($signal_name, $pidlist) = @_;
my @pids = split(/,/, $pidlist);
my $pid;
print "Signaling Time....\n";
foreach $pid (@pids) {
open(FILE, "$pid")
or croak $!;
my $realpid = <FILE>;
chomp($realpid);
close(FILE);
my $kill_ret = kill "$signal_name", $realpid;
if ($Verbose && !$Quiet) {
print
"\tSent $signal_name signal to $realpid from $pid with result $kill_ret\n";
}
}
if (!$Verbose && !$Quiet) { print "\tDone!\n"; }
undef @pids;
}
## make the sid-msg.map
sub sid_msg {
my ($ruleshash, $sidhash, $enonly) = @_;
my ($gid, $arg, $msg);
print "Generating sid-msg.map....\n" if !$Quiet;
foreach my $k (sort keys %$ruleshash) {
foreach my $k2 (sort keys %{ $$ruleshash{$k} }) {
next
if ((defined $enonly)
&& $$ruleshash{$k}{$k2}{'rule'} !~ /^\s*(alert|drop|pass)/);
(my $header, my $options)
= split(/^[^"]* \(\s*/, $$ruleshash{$k}{$k2}{'rule'})
if defined $$ruleshash{$k}{$k2}{'rule'};
my @optarray = split(/(?<!\\);\s*/, $options) if $options;
foreach my $option (reverse(@optarray)) {
my ($kw, $arg) = split(/:\s*/, $option, 2) if $option;
my $gid = $k;
$gid = 1 if $k == 0;
next
unless ($kw
&& $arg
&& $kw =~ /(reference|msg|rev|classtype|priority)/);
if ($kw eq "reference") {
push(@{ $$sidhash{$gid}{$k2}{refs} }, trim($arg));
}
elsif ($kw eq "msg") {
$arg =~ s/"//g;
$$sidhash{$gid}{$k2}{msg} = trim($arg);
}
elsif ($kw eq "rev") {
$$sidhash{$gid}{$k2}{rev} = trim($arg);
}
elsif ($kw eq "classtype") {
$$sidhash{$gid}{$k2}{classtype} = trim($arg);
}
elsif ($kw eq "priority") {
$$sidhash{$gid}{$k2}{priority} = trim($arg);
}
}
}
}
print "\tDone\n" if !$Quiet;
}
## write the rules files to unique output files!
sub rule_category_write {
my ($hashref, $filepath, $enonly, $extra_rules) = @_;
print "Writing rules to unique destination files....\n" if !$Quiet;
print "\tWriting rules to $filepath\n" if !$Quiet;
my %hcategory = ();
my $file;
my @local_rules = split(/,/, $extra_rules);
foreach my $fn (sort keys %$categories) {
my $file = "$fn.rules";
open(WRITE, '>', "$filepath$file");
print WRITE "\n\n# ----- Begin $fn Rules Category ----- #\n";
foreach my $gid (sort keys %{ $categories->{$fn} }) {
print WRITE "\n# -- Begin GID:$gid Based Rules -- #\n\n";
foreach my $sid (sort keys %{ $categories->{$fn}{$gid} }) {
next unless defined $$hashref{$gid}{$sid}{'rule'};
if ( $enonly
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*(alert|drop|pass)/)
{
print WRITE $$hashref{$gid}{$sid}{'rule'} . "\n";
}
elsif (!$enonly || grep /^$filepath$file$/, @local_rules) {
print WRITE $$hashref{$gid}{$sid}{'rule'} . "\n";
}
}
}
close(WRITE);
}
print "\tDone\n" if !$Quiet;
}
## write our blocklist and blocklist version file!
sub blocklist_write {
my ($href, $path) = @_;
my $blv = $Config_info{'IPRVersion'} . "/IPRVersion.dat";
my $blver = 0;
# First lets be sure that our data is new, if not skip the rest of it!
# We will MD5 our HREF then convert it to an integer.
my $hobj = Digest::MD5->new;
$hobj->add(%$href);
my $hash = $hobj->hexdigest;
my $ver = unpack("i", $hash);
if (-f $blv) {
open(FH, '<', $blv);
while (<FH>) {
next unless $_ =~ /\d+/;
$blver = $_;
}
close(FH);
}
if ($blver != $ver) {
print "Writing Blocklist File $path....\n" if !$Quiet;
open(FH, '>', $path)
|| croak("Unable to open $path for writing! - $!\n");
foreach (sort keys %$href) {
print FH "$_\n";
}
close(FH);
print "Writing Blocklist Version $ver to $blv....\n" if !$Quiet;
open(FH, '>', $blv)
|| croak("Unable to open $blv for writing! - $!\n");
print FH $ver;
close(FH);
return (1);
}
else {
print "Blocklist version is unchanged, not updating!\n" if !$Quiet;
return (0);
}
}
## write the rules to a single output file!
sub rule_write {
my ($hashref, $file, $enonly) = @_;
print "Writing $file....\n" if !$Quiet;
open(WRITE, '>', "$file") || croak "Unable to write $file - $!\n";
#if ( $gid == 1 ) {
foreach my $fn (sort keys %$categories) {
print WRITE "\n\n# ----- Begin $fn Rules Category ----- #\n";
foreach my $gid (sort keys %{ $categories->{$fn} }) {
print WRITE "\n# -- Begin GID:$gid Based Rules -- #\n\n";
foreach my $sid (sort keys %{ $categories->{$fn}{$gid} }) {
next unless defined $$hashref{$gid}{$sid}{'rule'};
if ( $enonly
&& $$hashref{$gid}{$sid}{'rule'}
=~ /^\s*(alert|drop|pass)/)
{
print WRITE $$hashref{$gid}{$sid}{'rule'} . "\n";
}
elsif (!$enonly) {
print WRITE $$hashref{$gid}{$sid}{'rule'} . "\n";
}
}
}
}
close(WRITE);
print "\tDone\n" if !$Quiet;
}
## sid file time!
sub sid_write {
my ($hashref, $file, $sid_msg_version) = @_;
print "Writing v$sid_msg_version $file....\n" if !$Quiet;
open(WRITE, ">$file") || croak "Unable to write $file -$!";
print WRITE "#v$sid_msg_version\n"; # Version biznits!
print WRITE
"# sid-msg.map autogenerated by PulledPork - DO NOT MODIFY BY HAND!\n";
foreach my $k (sort keys %$hashref) {
foreach my $k2 (sort keys %{ $$hashref{$k} }) {
if ($sid_msg_version == 2) {
print WRITE "$k || $k2 || $hashref->{$k}{$k2}{rev} || ";
if ($hashref->{$k}{$k2}{classtype}) {
print WRITE "$hashref->{$k}{$k2}{classtype} || ";
}
else { print WRITE "NOCLASS || "; }
if ($hashref->{$k}{$k2}{priority}) {
print WRITE "$hashref->{$k}{$k2}{priority} || ";
}
else { print WRITE "0 || "; }
}
else {
print WRITE "$k2 || ";
}
print WRITE "$hashref->{$k}{$k2}{msg}";
foreach (@{ $hashref->{$k}{$k2}{refs} }) {
print WRITE " || $_";
}
print WRITE "\n";
}
}
close(WRITE);
print "\tDone\n" if !$Quiet;
}
## Pull the flowbits requirements from the currently enabled rules.
# TODO: add extended functionality for setx, toggle and groups (Q1 of 2013)
sub flowbit_check {
my ($rule, $aref) = @_;
my ($header, $options) = split(/^[^"]* \(\s*/, $rule);
my @optarray = split(/(?<!\\);\s*/, $options) if $options;
foreach my $option (reverse(@optarray)) {
my ($kw, $arg) = split(/:/, $option) if $option;
next unless ($kw && $arg && $kw eq "flowbits");
my ($flowact, $flowbit) = split(/,/, $arg);
next unless $flowact =~ /is(not)?set/i;
push(@$aref, trim($flowbit)) if $flowbit !~ /(&|\|)/;
push(@$aref, split(/(&|\|)/, trim($flowbit))) if $flowbit =~ /(&|\|)/;
}
}
## Enable flowbits if there is a rule that requires them!
sub flowbit_set {
my $href = shift;
my $counter = 0;
my @flowbits;
foreach my $k1 (keys %$href) {
foreach my $k2 (keys %{ $$href{$k1} }) {
next unless $$href{$k1}{$k2}{'rule'} =~ /^(alert|drop|pass)/;
next
unless $$href{$k1}{$k2}{'rule'}
=~ /flowbits:\s*is(not)?set\s*,\s*[^;]+/i;
flowbit_check($$href{$k1}{$k2}{'rule'}, \@flowbits);
}
}
my %dups;
map { $dups{$_} = 1 } @flowbits;
@flowbits = keys %dups;
undef %dups;
foreach my $k1 (keys %$href) {
foreach my $k2 (keys %{ $$href{$k1} }) {
foreach my $flowbit (@flowbits) {
next
unless defined $$href{$k1}{$k2}{$flowbit}
&& $$href{$k1}{$k2}{'rule'}
=~ /^\s*#\s*(alert|drop|pass)/i;
$$href{$k1}{$k2}{'rule'} =~ s/^\s*#\s*//;
if (defined $$href{$k1}{$k2}{'disabled'}) {
print "\tWARN - $k1:$k2 is re-enabled by a",
" check of the $flowbit flowbit!\n"
if $Verbose && !$Quiet;
}
$counter++;
}
}
}
undef @flowbits;
print "\tEnabled $counter flowbits\n" if ($counter > 0 && !$Quiet);
return $counter;
}
## Make some changelog fun!
sub changelog {
my ($changelog, $new_hash, $old_hash, $blocklist_hash, $ips_policy,
$enonly, $hmatch)
= @_;
print "Writing $changelog....\n" if !$Quiet;
my (@newsids, @delsids);
undef @newsids;
undef @delsids;
my $rt = 0;
my $dt = 0;
my $dropped = 0;
my $enabled = 0;
my $disabled = 0;
my $ips = 0;
foreach my $k1 (keys %$new_hash) {
foreach my $k2 (keys %{ $$new_hash{$k1} }) {
next if (($enonly) && ($$new_hash{$k1}{$k2}{'rule'} =~ /^\s*#/));
if (!defined $$old_hash{$k1}{$k2}{'rule'}) {
my $msg_holder = $$new_hash{$k1}{$k2}{'rule'};
if ($msg_holder =~ /msg:"[^"]+";/i) {
$msg_holder = $&;
$msg_holder =~ s/msg:"//;
$msg_holder =~ s/";//;
}
else { $msg_holder = "Unknown MSG" }
push(@newsids, "$msg_holder ($k1:$k2)");
}
$rt++ unless defined $$old_hash{$k1}{$k2}{'rule'};
next unless defined $$new_hash{$k1}{$k2}{'rule'};
if ($$new_hash{$k1}{$k2}{'rule'} =~ /^\s*(alert|pass)/) {
$enabled++;
}
elsif ($$new_hash{$k1}{$k2}{'rule'} =~ /^\s*drop/) {
$dropped++;
}
elsif (
$$new_hash{$k1}{$k2}{'rule'} =~ /^\s*#*\s*(alert|drop|pass)/)
{
$disabled++;
}
}
}
foreach my $k1 (sort keys %$old_hash) {
for my $k2 (sort keys %{ $$old_hash{$k1} }) {
next if defined $$new_hash{$k1}{$k2}{'rule'};
next
if (($enonly) && ($$old_hash{$k1}{$k2}{'rule'} =~ /^\s*#/));
my $msg_holder = $$old_hash{$k1}{$k2}{'rule'};
if ($msg_holder =~ /msg:"[^"]+";/) {
$msg_holder = $&;
$msg_holder =~ s/msg:"//;
$msg_holder =~ s/";//;
}
else { $msg_holder = "Unknown MSG" }
push(@delsids, "$msg_holder ($k1:$k2)");
$dt++;
}
}
if (%$blocklist_hash) {
$ips = keys(%$blocklist_hash);
}
if (-f $changelog) {
open(WRITE, '>>', $changelog) || croak "$changelog $!\n";
}
else {
open(WRITE, '>', $changelog) || croak "$changelog $!\n";
print WRITE
"-=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on "
. gmtime(time)
. " GMT=-\n\n\n";
}
print WRITE "\n-=Begin Changes Logged for " . gmtime(time) . " GMT=-\n";
if ($Process) {
print WRITE "\nNew Rules\n" if @newsids;
@newsids = sort(@newsids);
@delsids = sort(@delsids);
foreach (@newsids) { print WRITE "\t" . $_ . "\n"; }
print WRITE "\nDeleted Rules\n" if @delsids;
foreach (@delsids) { print WRITE "\t" . $_ . "\n"; }
print WRITE "\nSet Policy: $ips_policy\n" if $ips_policy;
print WRITE "\nRule Totals\n";
print WRITE "\tNew:-------$rt\n";
print WRITE "\tDeleted:---$dt\n";
print WRITE "\tEnabled:---$enabled\n";
print WRITE "\tDropped:---$dropped\n";
print WRITE "\tDisabled:--$disabled\n";
print WRITE "\tTotal:-----"
. ($enabled + $disabled + $dropped) . "\n";
}
else { print WRITE "\nNo Rule Changes\n"; }
if ($bmatch) {
print WRITE "\nIP Blocklist Stats\n\tTotal IPs:-----$ips\n" if $ips;
}
else { print WRITE "\nNo IP Blocklist Changes\n"; }
print WRITE "\n-=End Changes Logged for " . gmtime(time) . " GMT=-\n";
close(WRITE);
if (!$Quiet) {
print "\tDone\n";
if ($Process) {
print "Rule Stats...\n";
print "\tNew:-------$rt\n";
print "\tDeleted:---$dt\n";
print "\tEnabled Rules:----$enabled\n";
print "\tDropped Rules:----$dropped\n";
print "\tDisabled Rules:---$disabled\n";
print "\tTotal Rules:------" . ($enabled + $dropped + $disabled);
}
else { print "\nNo Rule Changes\n"; }
if ($bmatch) {
print "\nIP Blocklist Stats...\n\tTotal IPs:-----$ips\n" if $ips;
}
else { print "\nNo IP Blocklist Changes\n"; }
print "\nDone\n";
print "Please review $sid_changelog for additional details\n"
if $sid_changelog;
}
undef @newsids;
undef @delsids;
}
## Trim it up, loves the trim!
sub trim {
my ($trimmer) = @_;
if ($trimmer) {
$trimmer =~ s/^\s*//;
$trimmer =~ s/\s*$//;
return $trimmer;
}
}
## Does it hurt when I slash you?
sub slash {
my ($operation, $string) = @_;
if ($operation == 0 && $string =~ /\/$/ && $string ne "") {
$string =~ s/\/$//;
}
elsif ($operation == 1 && $string !~ /\/$/ && $string ne "") {
$string = $string . "/";
}
return $string;
}
## Test the intermediate levels with exists to prevent unintended autovivification
sub safe_defined {
my ($h, @keys) = @_;
foreach my $k (@keys) {
return unless ref $h eq 'HASH';
return unless exists $h->{$k};
$h = $h->{$k};
}
return defined $h;
}
## uh, yeah
sub Version {
print("PulledPork v$VERSION - $HUMOR\n\n");
exit(0);
}
## find the snort version baby!
sub snort_version {
my $cmd = shift;
$cmd .= " -V";
my $version;
open(FH, "$cmd 2>&1 |");
while (<FH>) {
next unless $_ =~ /Version/;
if ($_ =~ /\d+\.\d+\.\d+\.\d+/) {
$version = $&;
}
elsif ($_ =~ /\d+\.\d+\.\d+(?!\.)/) {
$version = $& . ".0";
}
}
close(FH);
return $version;
}
## our arch
sub get_arch {
my $cmd = "uname -a";
open(FH, "$cmd |");
my $arch;
while (<FH>) {
next unless $_ =~ /(i386|x86-64|x86_64|i686|amd64)/i;
$arch = $&;
$arch =~ s/_/-/;
$arch =~ s/i686/i386/;
$arch =~ s/amd64/x86-64/;
}
close(FH);
return $arch;
}
## log to syslog
sub syslogit {
my ($level, $msg) = @_;
openlog('pulledpork', 'ndelay,pid', 'local0');
syslog($level, $msg);
closelog;
}
## Create some backup and archive foo!
sub archive {
my ($data, $filename) = @_;
my @records;
my $compression = "COMPRESS_GZIP";
$filename .= "." . time() . ".tgz";
print "Creating backup at: $filename\n" unless $Quiet;
foreach my $record (@$data) {
if (-f $record) {
print "\tAdding file: $record\n" if $Verbose && !$Quiet;
push(@records, $record);
}
elsif (-d $record) {
print "\tAdding dir: $record\n" if $Verbose && !$Quiet;
find(\&archive_wanted, $record);
}
}
print "\tWriting Archive: $filename - may take several minutes!\n"
if $Verbose && !$Quiet;
Archive::Tar->create_archive($filename, $compression, @records);
}
## Define what we will find for the archive sub when dir is found!
sub archive_wanted {
return unless -f $_;
print "\tAdding file: $File::Find::name\n" if $Verbose == 2 && !$Quiet;
push(@records, $File::Find::name);
}
## Create ignore_files from conf file
sub get_ignore_files {
my ($ignore_conf_file) = @_;
my $ignore_list;
print "\tReading ignore_file: $ignore_conf_file\n";
# Read ignore file and exclude comments/blank lines
open(FH, '<', $ignore_conf_file)
|| croak "Couldn't read $ignore_conf_file $!\n";
while (<FH>) {
chomp;
s/#.*//;
if (!/^\s*$/) { $ignore_list .= "$_," }
}
close FH;
$ignore_list =~ s/,\s*$//g;
return $ignore_list;
}
## Verify if directories or files actually exist
sub check_file_dir {
my ($filedir_input) = @_;
my ($dir_check, $file_check) = ($filedir_input =~ /(^.*)(?:\/|\\)(.*)$/);
if (!-d $dir_check && !-w $file_check) {
croak
"Error: $dir_check does not exist, please create this directory\n";
exit(1);
}
}
###
### Main here, let's get on with it already
###
if ($#ARGV == -1) {
Help(
"Please read the README for runtime options and configuration documentation"
);
}
## Lets grab any runtime values and insert into our variables using getopt::long
GetOptions(
"a!" => \$Auto,
"b=s" => \$sidmod{drop},
"c=s" => \$Config_file,
"C=s" => \$Snort_config,
"d!" => \$Hash,
"D=s" => \$Distro,
"E!" => \$enonly,
"e=s" => \$sidmod{enable},
"g!" => \$grabonly,
"H=s" => \$SigName,
"h=s" => \$sid_changelog,
"i=s" => \$sidmod{disable},
"I=s" => \$ips_policy,
"k!" => \$keep_rulefiles,
"K=s" => \$rule_file_path,
"l!" => \$Syslogging,
"L=s" => \$local_rules,
"M=s" => \$sidmod{modify},
"m=s" => \$sid_msg_map,
"n!" => \$NoDownload,
"o=s" => \$Output,
"O=s" => \$oinkcode,
"p=s" => \$Snort_path,
"P!" => \$Process,
"q" => \$Quiet,
"R!" => \$rstate,
"S=s" => \$Snort,
"s=s" => \$Sorules,
"T!" => \$Textonly,
"u=s" => \@base_url,
"V!" => sub { Version() },
"v+" => \$Verbose,
"help|?" => sub { Help() },
"w" => \$skip_verify,
"W" => \$proxy_workaround
);
## Fly piggy fly!
pulledpork() if !$Quiet;
# Dump our variables for verbose/debug output
if (!$Config_file) { Help("No configuration file specified"); }
# Call the subroutine to fetch config values
parse_config_file($Config_file, \%Config_info);
if ($Verbose && !$Quiet) {
print "Config File Variable Debug $Config_file\n";
foreach $Config_key (keys %Config_info) {
if ($Config_info{$Config_key}) {
print "\t$Config_key = $Config_info{$Config_key}\n";
}
}
}
if (exists $Config_info{'version'}) {
croak "You are not using the current version of pulledpork.conf!\n",
"Please use the version of pulledpork.conf that shipped with $VERSION!\n\n"
if $Config_info{'version'} ne "$VERSION";
}
else {
croak
"You are not using the current version of pulledpork.conf!\nPlease use the version that shipped with $VERSION!\n\n";
}
# Check to see if we have command line inputs, if so, they super-seed any config file values!
# We also begin sub execution here
$pid_path = ($Config_info{'pid_path'}) if exists $Config_info{'pid_path'};
$ignore_files = ($Config_info{'ignore'}) if exists $Config_info{'ignore'};
# Allow ignores to be specified in a file, supercedes the regular ignore config option
if (exists $Config_info{'ignore_file'}) {
$ignore_files = get_ignore_files($Config_info{'ignore_file'});
}
if ($rule_file_path) {
$keep_rulefiles = 1;
}
$sid_msg_version = $Config_info{'sid_msg_version'};
if ($keep_rulefiles && defined $Config_info{'out_path'} && !$rule_file_path) {
$rule_file_path = $Config_info{'out_path'};
}
if ($rule_file_path) {
$rule_file_path = slash(1, "$rule_file_path");
}
if (!$ips_policy && defined $Config_info{'ips_policy'}) {
$ips_policy = $Config_info{'ips_policy'};
}
if (!$block_list && defined $Config_info{'block_list'}) {
$block_list = $Config_info{'block_list'};
check_file_dir($block_list);
}
if (!$sidmod{enable} && defined $Config_info{'enablesid'}) {
$sidmod{enable} = $Config_info{'enablesid'};
}
if (!$sidmod{modify} && defined $Config_info{'modifysid'}) {
$sidmod{modify} = $Config_info{'modifysid'};
}
if (!$sidmod{drop} && defined $Config_info{'dropsid'}) {
$sidmod{drop} = $Config_info{'dropsid'};
}
if (!$sidmod{disable} && defined $Config_info{'disablesid'}) {
$sidmod{disable} = $Config_info{'disablesid'};
}
my @sidact = ('enable', 'drop', 'disable');
if (defined $Config_info{'state_order'}) {
(@sidact) = split(/,/, $Config_info{'state_order'});
}
if (!@base_url) {
@base_url = @{ $Config_info{'rule_url'} };
if (!@base_url) {
Help(
"You need to specify one rule_url at a minimum to fetch the rules files from!\n"
);
}
}
if (!$Output) {
$Output = ($Config_info{'rule_path'});
check_file_dir($Output);
}
if (!$Output && !($keep_rulefiles && $rule_file_path)) {
Help("You need to specify an output rules file or output path!");
}
$Output = slash(0, $Output) if $Output;
if (!$Sorules) {
$Sorules = ($Config_info{'sorule_path'});
}
$Sorules = slash(1, $Sorules) if $Sorules;
undef $Sostubs if ($Textonly);
undef $Sorules if ($Textonly);
if (!$Distro) {
$Distro = ($Config_info{'distro'});
}
if (!$Snort) {
$Snort = ($Config_info{'snort_version'});
}
if (!$Snort_path) {
$Snort_path = ($Config_info{'snort_path'});
$Snort = snort_version($Snort_path) if (!$Snort && -B $Snort_path);
$arch = get_arch();
$Textonly = 1 unless $Snort;
}
# Check if version begins with 3
if (ord($Snort) == 51) {
$Snortv3 = 1;
if ($arch) {$arch =~ s/x86-64/x64/;}
}
if (!$local_rules && ($Config_info{'local_rules'})) {
$local_rules = ($Config_info{'local_rules'});
}
elsif (!$local_rules && !($Config_info{'local_rules'})) {
$local_rules = 0;
}
if (!$Snort_config) {
$Snort_config = ($Config_info{'config_path'});
}
if (!$sid_msg_map) {
$sid_msg_map = ($Config_info{'sid_msg'});
}
if (!$sid_changelog) {
$sid_changelog = ($Config_info{'sid_changelog'});
}
if (!$ips_policy) {
$ips_policy = "Disabled";
}
if ($Verbose && !$Quiet) {
print "MISC (CLI and Autovar) Variable Debug:\n";
if ($Process) { print "\tProcess flag specified!\n"; }
if ($arch) { print "\tarch Def is: $arch\n"; }
if ($oSystem) { print "\tOperating System is: $oSystem\n"; }
if ($CAFile) { print "\tCA Certificate File is: $CAFile\n"; }
if ($Config_file) { print "\tConfig Path is: $Config_file\n"; }
if ($Distro) { print "\tDistro Def is: $Distro\n"; }
if ($keep_rulefiles) { print "\tKeep rulefiles flag is Set\n"; }
if ($rule_file_path) { print "\tKeep rulefiles path: $rule_file_path\n"; }
if ($enonly) { print "\tWrite ONLY enabled rules flag is Set\n"; }
if ($grabonly) { print "\tgrabonly Flag is Set, only gonna download!"; }
if ($Hash) {
print
"\tNo MD5 Flag is Set, uhm, ok? I'm gonna fetch the latest file no matter what!\n";
}
if ($ips_policy) { print "\t$ips_policy policy specified\n"; }
if ($local_rules) { print "\tlocal.rules path is: $local_rules\n"; }
if ($NoDownload) { print "\tNo Download Flag is Set\n"; }
if ($Output) { print "\tRules file is: $Output\n"; }
if ($rstate) { print "\tReturn State flag is Set\n"; }
if ($rule_file) { print "\tRule File is: $rule_file\n"; }
if ($sidmod{disable}) {
print "\tPath to disablesid file: $sidmod{disable}\n";
}
if ($sidmod{drop}) { print "\tPath to dropsid file: $sidmod{drop}\n"; }
if ($sidmod{enable}) {
print "\tPath to enablesid file: $sidmod{enable}\n";
}
if ($sidmod{modify}) {
print "\tPath to modifysid file: $sidmod{modify}\n";
}
if ($sid_changelog) {
print "\tsid changes will be logged to: $sid_changelog\n";
}
if ($sid_msg_map) {
print "\tsid-msg.map Output Path is: $sid_msg_map\n";
}
if ($SigName) { print "\tSending signal Flag is Set: $SigName\n"; }
if ($Snort) { print "\tSnort Version is: $Snort\n"; }
if ($Snortv3) { print "\tSnort V3 detected & processing enabled\n"; }
if ($Snort_config) { print "\tSnort Config File: $Snort_config\n"; }
if ($Snort_path) { print "\tSnort Path is: $Snort_path\n"; }
if ($Sorules) { print "\tSO Output Path is: $Sorules\n"; }
if ($Sostubs) { print "\tWill process SO rules\n"; }
if ($Syslogging) { print "\tLogging Flag is Set\n"; }
if ($Textonly) { print "\tText Rules only Flag is Set\n"; }
if ($Verbose == 2) { print "\tExtra Verbose Flag is Set\n"; }
if ($Verbose) { print "\tVerbose Flag is Set\n"; }
if ($skip_verify) { print "\tSSL Hostname Verification disabled\n"; }
if ($proxy_workaround) {
print "\tLWP Workaround is set for Proxy connections\n";
}
if ($ignore_files) { print "\tFile(s) to ignore = $ignore_files\n"; }
if (@base_url) { print "\tBase URL is: @base_url\n"; }
}
# We need a temp path to work with the files while we do magics on them.. make sure you have plenty
# of space in this path.. ~200mb is a good starting point
$temp_path = ($Config_info{'temp_path'});
if (!$temp_path) {
Help("You need to specify a valid temp path, check permissions too!");
}
$temp_path = slash(1, $temp_path);
if (!-d $temp_path) {
Help("Temporary file path $temp_path does not exist.\n");
}
# Validate sid_msg_map version
Help(
"Please specify version 1 or 2 for sid_msg_version in your config file\n")
unless $sid_msg_version =~ /(1|2)/;
# set some UserAgent and other connection configs
$ua->agent("PulledPork v$VERSION");
$ua->show_progress(1) if ($Verbose && !$Quiet);
# check to see if SSL verfication is disabled
if ($skip_verify) {
$ua->ssl_opts(verify_hostname => 0);
}
# New Settings to allow proxy connections to use proper SSL formating - Thx pkthound!
$ua->timeout(60);
$ua->cookie_jar({});
$ua->protocols_allowed(['http', 'https']);
$ua->proxy(['http'], $ENV{http_proxy}) if $ENV{http_proxy};
$ua->proxy(['https'], $ENV{https_proxy}) if $ENV{https_proxy};
# Pull in our env vars before we load any of the modules!
BEGIN {
my $proxy = $ENV{http_proxy};
if ($proxy) {
#Let's handle proxy variables with username / passphrase in them!
if ($proxy =~ /^(http|https):\/\/([^:]+):([^:]+)@(.+)$/i) {
my $proxytype = $1;
my $proxyuser = $2;
my $proxypass = $3;
my $proxyaddy = $4;
$ENV{HTTP_PROXY} = "$proxytype://$proxyaddy";
$ENV{HTTP_PROXY_USERNAME} = $proxyuser;
$ENV{HTTP_PROXY_PASSWORD} = $proxypass;
$ENV{HTTPS_PROXY} = "$proxytype://$proxyaddy";
$ENV{HTTPS_PROXY_USERNAME} = $proxyuser;
$ENV{HTTPS_PROXY_PASSWORD} = $proxypass;
}
else {
$ENV{HTTPS_PROXY} = $proxy;
$ENV{HTTP_PROXY} = $proxy;
}
}
undef $proxy;
$proxy = $ENV{https_proxy}; #check for https_proxy env var
if ($proxy) {
#Let's handle proxy variables with username / passphrase in them!
if ($proxy =~ /^(http|https):\/\/([^:]+):([^:]+)@(.+)$/i) {
my $proxytype = $1;
my $proxyuser = $2;
my $proxypass = $3;
my $proxyaddy = $4;
$ENV{HTTPS_PROXY} = "$proxytype://$proxyaddy";
$ENV{HTTPS_PROXY_USERNAME} = $proxyuser;
$ENV{HTTPS_PROXY_PASSWORD} = $proxypass;
}
else {
$ENV{HTTPS_PROXY} = $proxy;
}
}
}
if ($Verbose == 2) {
$ENV{HTTPS_DEBUG} = 1;
$ENV{HTTP_DEBUG} = 1;
print "\n\nMY HTTPS PROXY = $ENV{HTTPS_PROXY}\n"
if ($ENV{HTTPS_PROXY} && !$Quiet);
print "\n\nMY HTTP PROXY = $ENV{HTTP_PROXY}\n"
if ($ENV{HTTP_PROXY} && !$Quiet);
}
# let's fetch the most recent md5 file then compare and do our foo
if (@base_url && -d $temp_path) {
if (-d $temp_path . "tha_rules") {
print
"\tdoh, we need to perform some cleanup ... an unclean run last time?\n"
if ($Verbose && !$Quiet);
temp_cleanup($temp_path);
}
if (!$NoDownload) {
# Crate a local hash that we will iterate through later for processing
my $filelist = ();
my $blk = 0;
my $Snortv = "";
# Iterate through all of our urls and check md5 then process accordingly etc...
foreach (@base_url) {
undef $Hash if ($Hash && $Hash == 2);
#undef $Process if ($Process && $Process ==2);
my ($base_url, $rule_file, $oinkcode) = split(/\|/, $_);
croak
"You need to define an oinkcode, please review the rule_url section of the pulledpork config file!\n"
unless $oinkcode;
croak(
"please define the rule_url correctly in the pulledpork.conf\n"
) unless defined $base_url;
croak(
"please define the rule_url correctly in the pulledpork.conf\n"
) unless defined $rule_file;
if ($base_url =~ /[^labs]\.snort\.org/i) {
$prefix = "VRT-";
unless ($rule_file =~ /snortrules-snapshot-\d{4,6}\.tar\.gz/)
{
croak(
"The specified Snort binary does not exist!\nPlease correct the value or specify the FULL",
" rules tarball name in the pulledpork.conf!\n"
) unless $Snort;
$Snortv = $Snort;
$Snortv =~ s/\.//g;
$rule_file = "snortrules-snapshot-$Snortv.tar.gz";
}
}
elsif ($base_url =~ /(emergingthreats.net)/) {
$prefix = "ET-";
# These have to be handled separately, as emerginthreatspro will
# support a full version, but emergingthreats only supports the
# major and minor version.
# Currently this is a check that the version
# is in fact a Snort version, where Suricata
# will require suricata to be included in the version
# to work with suricata rules. Current open set uses
# only the first part of the version.
if ($Snort =~ /^\d+\.\d+\.\d+\.\d+/) {
$Snortv = $Snort;
$Snortv =~ s/^(\d+\.\d+)\.\d+\.\d/$1.0/;
$base_url .= "$oinkcode/snort-$Snortv/";
}
elsif ($Snort =~ /suricata/i) {
# Assumption here, this will need to be fixed
# as the open ruleset does not handle suricata
# versions
$base_url .= "$oinkcode/$Snort/";
}
}
elsif ($base_url =~ /emergingthreatspro.com/) {
$prefix = "ET-";
# These have to be handled separately, as emerginthreatspro will
# support a full version, but emergingthreats only supports the
# major and minor version
if ($Snort =~ /^\d+\.\d+\.\d+\.\d+/) {
$Snortv = $Snort;
$Snortv =~ s/^(\d+\.\d+)\.\d+\.\d/$1.0/;
$base_url .= "$oinkcode/snort-$Snortv/";
}
elsif ($Snort =~ /suricata/i) {
# Assumption here, this will need to be fixed
# as the open ruleset does not handle suricata
# versions
$base_url .= "$oinkcode/$Snort/";
}
}
elsif ($base_url =~ /snort\.org.+community/) {
$prefix = "Snort-Community-";
}
elsif ($base_url =~ /secureworks/) {
$prefix = "SecureWorks-";
$base_url .= "$oinkcode/"
unless $base_url =~ /\x2F$oinkcode\x2F/;
}
$prefix = "Custom-" unless $prefix;
$Hash = 2
unless $base_url
=~ /(secureworks|emergingthreats|[^labs]\.snort\.org)|snort\.org.+community/;
if ($rule_file =~ /IPBLOCKLIST/) {
$Hash = 2;
$rule_file .= $blk++;
}
if ($rule_file =~ /RULEFILE/) {
$Hash = 2;
}
if (!$Hash) {
$md5 = md5file($oinkcode, $rule_file, $temp_path, $base_url);
}
# and now lets determine the md5 of the last saved rules file if it exists
if (-f "$temp_path" . "$rule_file" && !$Hash) {
$rule_digest = md5sum($rule_file, $temp_path);
}
else { # the file didn't exsist so lets get it
rulefetch($oinkcode, $rule_file, $temp_path, $base_url);
$Process = 1 unless $rule_file =~ /IPBLOCKLIST/;
if (-f "$temp_path" . "$rule_file" && !$Hash) {
$rule_digest = md5sum($rule_file, $temp_path);
}
}
# Don't need to perform the following on the IP blocklist stuff...
next if $rule_file =~ /IPBLOCKLIST/;
# Stuff it all into a hash for use in a bit...
$filelist->{$rule_file} = {
'oinkcode' => $oinkcode,
'temp_path' => $temp_path,
'Hash' => $Hash,
'base_url' => $base_url,
'md5' => $md5,
'rule_digest' => $rule_digest,
'Distro' => $Distro,
'arch' => $arch,
'Snort' => $Snort,
'Snortv3' => $Snortv3,
'Sorules' => $Sorules,
'ignore_files' => $ignore_files,
'prefix' => $prefix,
'Process' => $Process,
'hmatch' => $hmatch
};
# compare the online current md5 against against the md5 of the rules file on system
$hmatch = compare_md5(
$oinkcode, $rule_file, $temp_path, $Hash,
$base_url, $md5, $rule_digest, $Distro,
$arch, $Snort, $Sorules, $ignore_files,
$prefix, $Process, $hmatch, $filelist
);
}
# If any of our rules tarballs are new or changed then we need to process all of them
if (($filelist->{EXTRACT} && $filelist->{EXTRACT} == 1) || $Process) {
foreach (keys %{$filelist}) {
next if $_ eq "EXTRACT";
$Process = 1;
if ($filelist->{$_}{oinkcode} !~ "RULEFILE") {
rule_extract(
$_,
$filelist->{$_}{temp_path},
$filelist->{$_}{Distro},
$filelist->{$_}{arch},
$filelist->{$_}{Snort},
$filelist->{$_}{Sorules},
$filelist->{$_}{ignore_files},
$filelist->{$_}{prefix},
$filelist->{$_}{Snortv3}
);
}
}
}
}
# Only process a local rules tarball
if ($NoDownload && !$grabonly) {
foreach (@base_url) {
my ($base_url, $rule_file) = split(/\|/, $_);
next if $rule_file =~ /IPBLOCKLIST/;
if ($base_url =~ /[^labs]\.snort\.org/i) {
$prefix = "VRT-";
unless ($rule_file =~ /snortrules-snapshot-\d{4,6}\.tar\.gz/)
{
croak(
"The specified Snort rules tarball does not exist!\nPlease correct the value or specify the FULL",
" rules tarball name in the pulledpork.conf!\n"
) unless $Snort;
my $Snortv = $Snort;
$Snortv =~ s/\.//g;
$rule_file = "snortrules-snapshot-$Snortv.tar.gz";
}
}
croak "file $temp_path/$rule_file does not exist!\n"
unless (-f "$temp_path/$rule_file");
$prefix = "ET-"
if $base_url
=~ /(emergingthreats.net|emergingthreatspro.com)/;
$prefix = "Snort-Community-"
if $base_url =~ /snort\.org.+community/;
rule_extract($rule_file, $temp_path, $Distro,
$arch, $Snort, $Sorules, $ignore_files, $prefix, $Snortv3)
if !$grabonly;
}
}
# Read our rules and stuff them into a hash
if ( ($Output || ($keep_rulefiles && $rule_file_path))
&& !$grabonly
&& $Process)
{
read_rules(\%rules_hash, "$temp_path" . "tha_rules/", $local_rules);
}
#Process things differently for Snort 3+ in future
if ($Snort =~ /3\.\d\.\d\.\d/) {
if (!$Quiet) {
print "Snort 3.0 detected, future Snort 3.0 processing\n";
}
}
# If we are using SO rules, generate the stubs and then stuff them into a hash
if ( $Sorules
&& -e $Sorules
&& $Distro
&& $Snort
&& !$Textonly
&& !$grabonly
&& $Process)
{
gen_stubs($Snort_path, $Snort_config,
"$temp_path" . "tha_rules/so_rules/", $Snortv3, $Sorules);
read_rules(\%rules_hash, "$temp_path" . "tha_rules/so_rules/",
$local_rules);
}
}
else { Help("Check your oinkcode, temp path and freespace!"); }
# Read our old rules so that we can determine what is new / changed / deleted
if ( ($Output || ($keep_rulefiles && $rule_file_path))
&& !$grabonly
&& $Process)
{
if ($sid_changelog && defined $Output && -f $Output && !$keep_rulefiles) {
read_rules(\%oldrules_hash, "$Output", $local_rules);
}
if ($sid_changelog && $keep_rulefiles && -d $rule_file_path) {
read_rules(\%oldrules_hash, "$rule_file_path", $local_rules);
}
#print Dumper(%oldrules_hash);
}
# Clean up temp path
if (-d $temp_path) {
temp_cleanup();
}
# Process our blocklist data.. need to add a conditional where if we are not linux, we don't
# use the control socket (linux only)
if ($block_list && %blocklist && !$NoDownload) {
$bmatch = blocklist_write(\%blocklist, $block_list);
iprep_control($Config_info{'snort_control'}, $Config_info{'IPRVersion'})
if $bmatch;
}
# Set our rule states, based on config files and specified base policy, also set our flowbit dependencies
if ( ($Output || ($keep_rulefiles && $rule_file_path))
&& !$grabonly
&& $Process)
{
if ($ips_policy ne "Disabled") {
policy_set($ips_policy, \%rules_hash);
}
if ($sidmod{modify} && -f $sidmod{modify}) {
modify_sid(\%rules_hash, $sidmod{modify});
}
foreach (@sidact) {
if ($sidmod{$_} && -f $sidmod{$_}) {
modify_state($_, $sidmod{$_}, \%rules_hash, $rstate);
}
elsif ($sidmod{$_} && !-f $sidmod{$_}) {
carp "Unable to read: $sidmod{$_} - $!\n";
}
}
print "Setting Flowbit State....\n"
if (!$Quiet);
my $fbits = 1;
while ($fbits > 0) {
$fbits = flowbit_set(\%rules_hash);
}
print "\tDone\n"
if (!$Quiet);
if ($Output && $Process && !$keep_rulefiles) {
rule_write(\%rules_hash, $Output, $enonly);
}
if ($keep_rulefiles && $rule_file_path && $Process) {
rule_category_write(\%rules_hash, $rule_file_path, $enonly,
$local_rules);
}
if ($sid_msg_map && $Process) {
sid_msg(\%rules_hash, \%sid_msg_map, $enonly);
sid_write(\%sid_msg_map, $sid_msg_map, $sid_msg_version);
}
if ($SigName && $pid_path ne "" && $Process) {
# This may need to be changed, but for now, error out
# if the signal name is not SIGHUP or SIGUSR2
if ($SigName eq "SIGHUP" || $SigName eq "SIGUSR2") {
send_signal($SigName, $pid_path) unless $Sostubs;
print "WARNING, cannot send signal if also processing SO rules\n",
"\tsee README.SHAREDOBJECTS\n", "\tor use -T flag!\n"
if ($Sostubs && !$Quiet);
}
else {
carp "Bad signal name used: $SigName - $!\n";
}
}
if ($Config_info{backup}) {
@records = split(/,/, $Config_info{backup});
archive(\@records, $Config_info{backup_file})
if $Config_info{backup_file};
if ($Verbose) {
print
"\tWARN - Unable to create a backup without defining backup_file in config!\n",
unless $Config_info{backup_file};
}
print "\tDone\n" unless $Quiet;
}
}
if (
$sid_changelog
&& ( (defined $Output && -f $Output)
|| ($keep_rulefiles && -d $rule_file_path))
)
{
changelog($sid_changelog, \%rules_hash, \%oldrules_hash, \%blocklist,
$ips_policy, $enonly, $hmatch, $bmatch);
}
print("Fly Piggy Fly!\n") if !$Quiet;
syslogit('warning|local0', "INFO: Finished Cleanly") if $Syslogging;
__END__
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。