reyjrar/request-to-rule.pl

## request-to-rule.pl
#!/usr/bin/env perl

use strict;
use warnings;

use HTTP::Status;
use URI;

use Snort::Rule;

# POE Environment
use EV;
use POE qw(
	Component::Server::HTTP
);


#------------------------------------------------------------------------#
my $handler = POE::Session->create(
	inline_states => {
		_start => sub { $poe_kernel->alias_set( 'analysis' ); },
		_stop => sub  {},
		generate_rule => \&generate_rule,
		analyze_uri => \&analyze_uri,
	},
);
my $server = POE::Component::Server::HTTP->new(
	Port	=> 8000,
	ContentHandler => {
		'/'		=> \&request_handler,
	},
);

POE::Kernel->run();
#------------------------------------------------------------------------#
# Handle Request
sub request_handler {
	my ($request,$response) = @_;

	my $uri = URI->new( $request->uri );

	$poe_kernel->post( 'analysis' => generate_rule => $request );

	print "Attempted retrieval of: ", $uri->path, " on ", $uri->host, "\n";

	$response->code(RC_OK);
	$response->content_type('text/plain');
	$response->content('FYI, you attempted to access a URL that is known to be malicious.');

	return RC_OK;
}

#------------------------------------------------------------------------#
# Generate a Basic Snort Rule based on the URI
sub generate_rule {
	my ($kernel,$heap,$request) = @_[KERNEL,HEAP,ARG0];

	my $uri = URI->new( $request->uri );

	print "Generating Snort Rule .. \n";

	my $rule = Snort::Rule->new(
		-action		=> 'alert',
		-proto		=> 'tcp',
		-src		=> 'any',
		-sport		=> 'any',
		-dst		=> $uri->host,
		-dport		=> $uri->port,
	);

	# SID/Message
	$rule->opts( sid => time );
	$rule->opts( msg => 'SINKHOLE: Automatic for ' . $uri->as_string );

	# Method
	$rule->opts(content => $request->method);
	$rule->opts(http_method => '');

	# URI
	$rule->opts(content => $uri->path);
	$rule->opts(http_uri => '');

	print $rule->string, "\n";

}
	#!/usr/bin/env perl

	use strict;
	use warnings;

	use HTTP::Status;
	use URI;

	use Snort::Rule;

	# POE Environment
	use EV;
	use POE qw(
	Component::Server::HTTP
	);


	#------------------------------------------------------------------------#
	my $handler = POE::Session->create(
	inline_states => {
	_start => sub { $poe_kernel->alias_set( 'analysis' ); },
	_stop => sub {},
	generate_rule => \&generate_rule,
	analyze_uri => \&analyze_uri,
	},
	);
	my $server = POE::Component::Server::HTTP->new(
	Port => 8000,
	ContentHandler => {
	'/' => \&request_handler,
	},
	);

	POE::Kernel->run();
	#------------------------------------------------------------------------#
	# Handle Request
	sub request_handler {
	my ($request,$response) = @_;

	my $uri = URI->new( $request->uri );

	$poe_kernel->post( 'analysis' => generate_rule => $request );

	print "Attempted retrieval of: ", $uri->path, " on ", $uri->host, "\n";

	$response->code(RC_OK);
	$response->content_type('text/plain');
	$response->content('FYI, you attempted to access a URL that is known to be malicious.');

	return RC_OK;
	}

	#------------------------------------------------------------------------#
	# Generate a Basic Snort Rule based on the URI
	sub generate_rule {
	my ($kernel,$heap,$request) = @_[KERNEL,HEAP,ARG0];

	my $uri = URI->new( $request->uri );

	print "Generating Snort Rule .. \n";

	my $rule = Snort::Rule->new(
	-action => 'alert',
	-proto => 'tcp',
	-src => 'any',
	-sport => 'any',
	-dst => $uri->host,
	-dport => $uri->port,
	);

	# SID/Message
	$rule->opts( sid => time );
	$rule->opts( msg => 'SINKHOLE: Automatic for ' . $uri->as_string );

	# Method
	$rule->opts(content => $request->method);
	$rule->opts(http_method => '');

	# URI
	$rule->opts(content => $uri->path);
	$rule->opts(http_uri => '');

	print $rule->string, "\n";

	}