
porc

Tools to Work with 'Snort' Rules, Logs and Data

Description

'Snort' is an open source intrusion prevention system capable of real-time traffic analysis and packet logging. Tools are provided to work with 'Snort' rulesets, logs and other data associated with the platform. More information on 'Snort' can be found at https://www.snort.org/.

What's Inside The Tin

The following functions are implemented (each is exercised in the Usage section below):

- read_rules: read a Snort rules file into a data frame, one row per rule, with an options list column holding each rule's option/value pairs
- rule_vars: the variables (e.g. $HTTP_PORTS) referenced by a set of parsed rules
- as_rule_df: coerce a data frame of parsed rules into a rule data frame
- read_extended: read a Snort unified2 extended event log
- expand_port_ranges: expand Snort port-range specifications into port lists

Installation

devtools::install_github("hrbrmstr/porc")
options(width=120)

Usage

library(porc)
library(tidyverse)

# current version
packageVersion("porc")

Basic rule reading

rules <- read_rules(system.file("extdata", "emerging-telnet.rules", package="porc"))

glimpse(rules)

rule_vars(rules)

glimpse(rules$options[[1]])

rules$options[[1]]

A slightly bigger example

Let's slurp in all the Emerging Threats Snort feed rules.

Grabbed & unpacked from: https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz.

list.files("rules/emerging-rules", "\\.rules$", full.names=TRUE) %>% 
  map_df(~{
    cat(crayon::green(.x), "\n", sep="")
    x <- read_rules(.x)
    if (!is.null(x)) mutate(x, fil = .x)   # files with no rules yield NULL, which map_df drops
  }) %>% 
  as_rule_df() -> xdf
glimpse(xdf)

xdf

What are the most referenced URLs in the Emerging Threats feed?

unnest(xdf, options) %>%            # one row per rule option
  filter(option == "reference") %>% 
  filter(grepl("^url", value)) %>%  # keep only url,<target> references
  select(value) %>% 
  mutate(value = sub("^url,", "", value)) %>% 
  count(value, sort=TRUE)
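The same options list column can be reshaped into one row per rule to run the checks a practitioner wants before loading a merged feed. The following is an added example, not code from porc itself; it assumes only what the README shows above: that read_rules() returns an options list column whose elements have option and value columns. The sanity checks (missing sid/rev, duplicate sid across a merged feed) are the author's own additions.

```r
library(porc)
library(tidyverse)

# Added example (not porc's own code). Assumes read_rules() returns one row
# per rule with an `options` list column of option/value pairs, as the
# README's unnest() example shows.
rules <- read_rules(system.file("extdata", "emerging-telnet.rules", package="porc"))

# One row per rule, with sid/rev/msg/classtype pulled out of the options list
rule_meta <- rules %>%
  mutate(rule_id = row_number()) %>%
  select(rule_id, options) %>%
  unnest(options) %>%
  filter(option %in% c("sid", "rev", "msg", "classtype")) %>%
  distinct(rule_id, option, .keep_all = TRUE) %>%   # first value wins if an option repeats
  pivot_wider(names_from = option, values_from = value)

# 1. every rule needs a sid and a rev, or it cannot be tracked across feed updates
no_id <- filter(rule_meta, is.na(sid) | is.na(rev))

# 2. sids must be unique once several .rules files are merged into one ruleset;
#    duplicates collide at load time
dup_sid <- rule_meta %>% count(sid) %>% filter(n > 1)

# 3. distribution of classtypes, useful when deciding which classes to enable
class_counts <- count(rule_meta, classtype, sort = TRUE)

print(no_id)
print(dup_sid)
print(class_counts)
```

Run the same pipeline over the xdf built from the whole Emerging Threats feed above to find sid collisions across files rather than within one file.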

Extended v2 Reading

evt <- read_extended(system.file("extdata", "multi-record-event-x2.log", package="porc"))

dplyr::glimpse(evt)

Expanding Snort Port Ranges

rng_ex <- c("25", "$HTTP_PORTS", "1024:", ":1024", "1:1024", "any")
rng <- expand_port_ranges(rng_ex)

str(
  setNames(
    list(
      rng[[1]],
      rng[[2]],
      range(as.numeric(rng[[3]])),
      range(as.numeric(rng[[4]])),
      range(as.numeric(rng[[5]])),
      rng[[6]]
    ),
    rng_ex
  )
)

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.



hrbrmstr/porc documentation built on May 28, 2019, 5:43 a.m.