Code Monkey home page Code Monkey logo

snortparser's People

Contributors

blake-haydon avatar frendsick avatar g-rd avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

aurelienhess pan2za hxd2000 cybernebulachampion qwazgen jasonhuangya blake-haydon lotusexpeditor llkaia

snortparser's Issues

$HOME_NET

When parsing rules I would like $HOME_NET generically defined without an IP address associated with it. I am testing SNORT rule files which have only the variables defined. How can I change the script to accomplish this?

Snort rule header is malformed

Hey, these are the snort3-community-rules rules from https://www.snort.org/downloads/#rule-downloads

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"MALWARE-CNC HttpBrowser User-Agent outbound communication attmept"; flow:to_server,established; http_header:field user-agent; content:"HttpBrowser/1.0",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; gid:1; sid:42886; rev:4; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${",fast_pattern; content:"atlassian.",distance 0; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]?atlassian\x2e[^\x7d]?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59941; rev:3; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${"; content:"sun.misc.Unsafe",distance 0,fast_pattern; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]?sun\x2emisc\x2eUnsafe[^\x7d]?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59947; rev:1; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${"; content:"com.opensymphony.",distance 0,fast_pattern; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]?com\x2eopensymphony\x2e(xwork2|webwork)\x2e(Servlet)?ActionContext[^\x7d]?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59948; rev:1; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence remote code execution attempt"; flow:to_server,established; http_client_body; content:"bootstrapStatusProvider.applicationConfig.setupComplete",fast_pattern,nocase; content:"false",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2023-22515; reference:url,confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html; classtype:attempted-user; gid:1; sid:62506; rev:1; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence remote code execution attempt"; flow:to_server,established; http_uri; content:"bootstrapStatusProvider.applicationConfig.setupComplete=",fast_pattern,nocase; content:"false",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2023-22515; reference:url,confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html; classtype:attempted-user; gid:1; sid:62507; rev:1; )

Exception: Snort rule header is malformed ['alert', 'http']
alert http ( msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; http_raw_uri; content:"/vpns/",fast_pattern,nocase; pcre:"/vpn.?(\x2e|%(25)?2e){2}(\x2f|%(25)?2f).?vpns/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:300001; rev:1; )

Exception: Snort rule header is malformed ['alert', 'ssl']
alert ssl ( msg:"SERVER-OTHER OpenSSL x509 crafted email address buffer overflow attempt"; flow:established; content:"|06 03 55 1D 1E|"; ber_skip:0x01,optional; ber_data:0x04; ber_data:0x30; ber_data:0xa1; ber_data:0x30; content:"|81 82|",within 2; byte_test:2,>,500,0,relative; content:"xn--",within 4,distance 2,fast_pattern; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-3602; reference:cve,2022-3786; reference:url,blog.talosintelligence.com/openssl-vulnerability/; classtype:attempted-user; gid:1; sid:300306; rev:3; )

Exception: Snort rule header is malformed ['alert', 'ssl']
alert ssl ( msg:"SERVER-OTHER OpenSSL x509 crafted email address buffer overflow attempt"; flow:established; content:"|06 03 55 1D 1E|"; ber_skip:0x01,optional; ber_data:0x04; ber_data:0x30; ber_data:0xa0; ber_data:0x30; content:"|81 82|",within 2; byte_test:2,>,500,0,relative; content:"xn--",within 4,distance 2,fast_pattern; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-3602; reference:cve,2022-3786; reference:url,blog.talosintelligence.com/openssl-vulnerability/; classtype:attempted-user; gid:1; sid:300307; rev:3; )

No validation for single "any" in the rule.

Hi,

The code doesn't validate the following rule: alert tcp any xany -> any any (msg:"xyz"; sid:20000001; content:"xyz");

Snort's error for the above rule: Unable to process the IP address: xany
Snortparser: successfully validates it.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.