Tools to Work with 'Snort' Rules, Logs and Data
'Snort' is an open source intrusion prevention system capable of real-time traffic analysis and packet logging. Tools are provided to work with 'Snort' rulesets, logs and other data associated with the platform. More information on 'Snort' can be found at https://www.snort.org/.
The following functions are implemented:
- `download_community_rules`: Download Snort community rules
- `download_subscription_rules`: Download Snort subscription rules
- `expand_port_ranges`: Expand a Snort port description
- `read_rules`: Parse a file of Snort rules into a data frame
- `read_extended`: Read a Snort "extended v2" log into a data frame
- `rule_vars`: Extract all the `$`-named variables from Snort rules
- `as_rule_df`: Helper to class a Snort rules data frame properly

```r
devtools::install_github("hrbrmstr/porc")
```

```r
options(width=120)

library(porc)
library(tidyverse)

# current version
packageVersion("porc")

rules <- read_rules(system.file("extdata", "emerging-telnet.rules", package="porc"))

glimpse(rules)

rule_vars(rules)

glimpse(rules$options[[1]])

rules$options[[1]]
```
Let's slurp in all the Emerging Threats Snort feed rules.
Grabbed & unpacked from: https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz.
```r
list.files("rules/emerging-rules", "\\.rules$", full.names=TRUE) %>%
  map_df(~{
    cat(crayon::green(.x), "\n", sep="")
    x <- read_rules(.x)
    if (!is.null(x)) mutate(x, fil = .x)
  }) %>%
  as_rule_df() -> xdf

glimpse(xdf)

xdf
```
What are the most referenced URLs in Emerging Threats feed?
```r
unnest(xdf) %>%
  filter(option == "reference") %>%
  filter(grepl("^url", value)) %>%
  select(value) %>%
  mutate(value = sub("^url,", "", value)) %>%
  count(value, sort=TRUE)
```
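To show what `read_rules()` has to do under the hood before a query like the one above is possible, here is an added base-R illustration (not porc's own code) that splits constructed rule lines into a header table plus a per-rule option table and then repeats the "most referenced URLs" count. It assumes single-line rules whose quoted option values use straight double quotes with no escaped quotes inside them.

```r
# Constructed sample rules (not from the Emerging Threats feed).
sample_rules <- c(
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet login attempt"; flow:to_server,established; content:"login|3a|"; reference:url,example.test/telnet; classtype:attempted-recon; sid:9000001; rev:1;)',
  'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE outbound beacon; suspicious UA"; content:"User-Agent|3a| Example"; reference:url,example.test/beacon; reference:cve,2000-0001; sid:9000002; rev:2;)',
  '# a commented-out rule is skipped',
  'drop udp any any -> $HOME_NET 53 (msg:"EXAMPLE DNS tunnel"; reference:url,example.test/telnet; sid:9000003; rev:1;)'
)

parse_snort_rules <- function(lines) {
  lines <- trimws(lines)
  lines <- lines[nzchar(lines) & !startsWith(lines, "#")]
  # Header: action proto src src_port direction dst dst_port ( options )
  hdr_re <- '^(\\w+)\\s+(\\w+)\\s+(\\S+)\\s+(\\S+)\\s+(->|<>)\\s+(\\S+)\\s+(\\S+)\\s*\\((.*)\\)\\s*$'
  m <- regmatches(lines, regexec(hdr_re, lines, perl = TRUE))
  ok <- lengths(m) == 9                       # keep only lines that matched fully
  parts <- do.call(rbind, m[ok])
  hdr <- data.frame(
    rule_id = seq_len(sum(ok)),
    action = parts[, 2], protocol = parts[, 3],
    src = parts[, 4], src_port = parts[, 5], direction = parts[, 6],
    dst = parts[, 7], dst_port = parts[, 8], stringsAsFactors = FALSE
  )
  # Split the option body on ';' only when it is outside a quoted string, so the
  # ';' inside msg:"...beacon; suspicious UA" stays part of the msg value.
  opts <- lapply(hdr$rule_id, function(i) {
    body <- parts[i, 9]
    toks <- strsplit(body, ';(?=(?:[^"]*"[^"]*")*[^"]*$)', perl = TRUE)[[1]]
    toks <- trimws(toks); toks <- toks[nzchar(toks)]
    kv <- regmatches(toks, regexec('^([A-Za-z_.]+)\\s*(?::\\s*(.*))?$', toks, perl = TRUE))
    data.frame(
      rule_id = i,
      option = vapply(kv, function(x) x[2], ""),
      value = gsub('^"|"$', "", vapply(kv, function(x) x[3], "")),   # drop surrounding quotes
      stringsAsFactors = FALSE
    )
  })
  list(header = hdr, options = do.call(rbind, opts))
}

parsed <- parse_snort_rules(sample_rules)
# Same question as above: which URLs are referenced most often?
refs <- subset(parsed$options, option == "reference" & grepl("^url,", value))
sort(table(sub("^url,", "", refs$value)), decreasing = TRUE)
# And the rule_vars() idea: every $-named variable used in the rule headers.
unique(unlist(regmatches(parsed$header, gregexpr("\\$\\w+", unlist(parsed$header)))))
```

Rules that span multiple lines or use `\"` inside quoted values are not handled here; that is exactly the work `read_rules()` exists to do.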
```r
evt <- read_extended(system.file("extdata", "multi-record-event-x2.log", package="porc"))

dplyr::glimpse(evt)
```

```r
rng_ex <- c("25", "$HTTP_PORTS", "1024:", ":1024", "1:1024", "any")

rng <- expand_port_ranges(rng_ex)

str(
  setNames(
    list(
      rng[[1]],
      rng[[2]],
      range(as.numeric(rng[[3]])),
      range(as.numeric(rng[[4]])),
      range(as.numeric(rng[[5]])),
      rng[[6]]
    ),
    rng_ex
  )
)
```
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.