Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Generate Snort Signature from a HTTP Request
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Status;
use URI;
use Snort::Rule;
# POE Environment
use EV;
use POE qw(
Component::Server::HTTP
);
#------------------------------------------------------------------------#
my $handler = POE::Session->create(
inline_states => {
_start => sub { $poe_kernel->alias_set( 'analysis' ); },
_stop => sub {},
generate_rule => \&generate_rule,
analyze_uri => \&analyze_uri,
},
);
my $server = POE::Component::Server::HTTP->new(
Port => 8000,
ContentHandler => {
'/' => \&request_handler,
},
);
POE::Kernel->run();
#------------------------------------------------------------------------#
# Handle Request
sub request_handler {
my ($request,$response) = @_;
my $uri = URI->new( $request->uri );
$poe_kernel->post( 'analysis' => generate_rule => $request );
print "Attempted retrieval of: ", $uri->path, " on ", $uri->host, "\n";
$response->code(RC_OK);
$response->content_type('text/plain');
$response->content('FYI, you attempted to access a URL that is known to be malicious.');
return RC_OK;
}
#------------------------------------------------------------------------#
# Generate a Basic Snort Rule based on the URI
sub generate_rule {
my ($kernel,$heap,$request) = @_[KERNEL,HEAP,ARG0];
my $uri = URI->new( $request->uri );
print "Generating Snort Rule .. \n";
my $rule = Snort::Rule->new(
-action => 'alert',
-proto => 'tcp',
-src => 'any',
-sport => 'any',
-dst => $uri->host,
-dport => $uri->port,
);
# SID/Message
$rule->opts( sid => time );
$rule->opts( msg => 'SINKHOLE: Automatic for ' . $uri->as_string );
# Method
$rule->opts(content => $request->method);
$rule->opts(http_method => '');
# URI
$rule->opts(content => $uri->path);
$rule->opts(http_uri => '');
print $rule->string, "\n";
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.