File: snort2modsec.pl

libapache-mod-security 1.8.7-1
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 1,132 kB
  • ctags: 664
  • sloc: ansic: 7,641; perl: 199; makefile: 59; sh: 44
file content (94 lines) | stat: -rwxr-xr-x 2,176 bytes parent folder | download
#!/usr/bin/perl
#
# snort2modsec.pl
# mod_security, http://www.modsecurity.org/
# Copyright (c) 2002,2003 Ivan Ristic <ivanr@webkreator.com>
#
# $Id: snort2modsec.pl,v 1.1 2003/10/19 18:09:25 ivanr Exp $
#
# This script will convert Snort rules into the mod_security
# rule format. Supply a list of files on the command line and
# it will write mod_security rules to the standard output.
#
# See http://www.modsecurity.org/documentation/converted-snort-rules.html
# for more information

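use strict;
use warnings;

# Convert every Snort rule file named on the command line and write the
# resulting mod_security directives to standard output. Rules that cannot
# be converted are reported on standard error and skipped.
die("Usage: snort2modsec.pl <snort rule files>\n") unless (@ARGV);

foreach my $file (@ARGV) {

    # Three-argument open with a lexical handle: the name is always treated
    # as a plain file to read, so an argument that starts with ">" or ends
    # with "|" can no longer select an output mode or start a command.
    open(my $rules, '<', $file) or die("Cannot open file: $file\n");

  LINE:
    while (my $line = <$rules>) {

        # Skip blank lines and comments, including indented comments, so a
        # commented-out Snort rule is never turned into an active filter.
        next LINE if ($line =~ /^\s*$/);
        next LINE if ($line =~ /^\s*\#/);

        # The option list is everything between the outermost parentheses;
        # lines without one are not rules.
        next LINE unless ($line =~ /\((.*)\)/);
        my $options = $1;

        my ($uricontent, $content, $msg, $classtype) = ("", "", "", "");

        # Only these four options are recognised. Every other option is
        # ignored, a repeated option overwrites the earlier value, and an
        # option whose value does not start with a double quote (such as
        # content:!"...") does not match. uricontent is tested first
        # because the content pattern also matches inside "uricontent:".
        foreach my $option (split(/;\s+/, $options)) {
            if ($option =~ /uricontent:\s*\"(.*)\"/) {
                $uricontent = $1;
            } elsif ($option =~ /content:\s*\"(.*)\"/) {
                $content = $1;
            } elsif ($option =~ /msg:\s*\"(.*)\"/) {
                $msg = $1;
            } elsif ($option =~ /classtype:\s*(.*?);?\s*$/) {
                # Drop the trailing ";" left on the last option of a rule,
                # otherwise the classtype comparison below never matches
                # and the rule loses its "log,pass" action.
                $classtype = $1;
            }
        }

        # todo: decode |XX XX XX| content, for now
        # skip over the rules that are using it
        if ($content =~ /\|/ or $uricontent =~ /\|/) {
            warn("snort2modsec.pl: $file line $.: skipped, binary |XX| content is not supported\n");
            next LINE;
        }

        # A rule with neither content nor uricontent would be written as
        # SecFilter "", an empty pattern that matches every request.
        if ($uricontent eq "" and $content eq "") {
            warn("snort2modsec.pl: $file line $.: skipped, no content or uricontent to match on\n");
            next LINE;
        }

        foreach my $pattern ($uricontent, $content) {

            # Rewrite URL-encoded bytes (%XX) as \xXX escapes.
            $pattern =~ s/%([a-fA-F0-9][a-fA-F0-9])/\\x$1/g;

            # Snort content is a literal string while the filter argument
            # is a regular expression, so regex metacharacters are escaped.
            # "*" is included: left unescaped it acts as a quantifier and
            # widens what the filter matches.
            $pattern =~ s/([\[\]|()\$\^{}+?.*])/\\$1/g;
        }

        # NOTE(review): msg and the patterns are copied into the output
        # as-is apart from the escaping above; a double quote inside a
        # pattern is not handled here. Review the generated rules before
        # loading them, particularly for rule files you do not control.
        print "# $msg\n";

        if ($uricontent ne "") {
            if ($content ne "") {
                print "SecFilterSelective THE_REQUEST \"$uricontent\" chain\n";
                print "SecFilter \"$content\"";
            } else {
                print "SecFilterSelective THE_REQUEST \"$uricontent\"";
            }
        } else {
            print "SecFilter \"$content\"";
        }

        # Informational rules are logged but never block the request.
        if ($classtype eq "web-application-activity") {
            print " log,pass";
        }

        print "\n\n";
    }

    close($rules);
}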