├── LICENSE
├── README.md
└── idsEventGenerator.cpp
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | {one line to give the program's name and a brief idea of what it does.}
635 | Copyright (C) {year} {name of author}
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | {project} Copyright (C) {year} {fullname}
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | idsEventGenerator, a.k.a GENESIDS
2 |
3 | Reads rules written in a Snort like syntax (as of Snort 2.9.11) from a rule file, puts parsed rule content in a struct and (optionally) prints the rule.
4 | It then (optionally) constructs HTTP requests that are sent to the configured host (possibly a webserver) and that trigger events on a listening IDS for the parsed rules.
5 | "Snort like" means it accepts Snort rules, but does not require all fields of a Snort rule.
6 |
7 | For the moment it only converts hex characters in content patterns that are part of the first 128 readable ASCII characters.
8 | It only parses rules that use one of the following content modifiers: `http_[method,uri,raw_uri,stat_msg,stat_code,header,raw_header,client_body,cookie,raw_cookie]`, the equivalent modifiers for PCRE content, or the uricontent keyword.
9 | It ignores rules that are not triggering an alert or do not contain the 'content' or the 'pcre' or the 'uricontent' keyword or contain any other unsupported content related keyword.
10 |
11 | libcurl is needed for compilation.
12 | Build it by executing "g++ -std=c++11 -lcurl idsEventGenerator.cpp" (e.g. sudo apt-get install libcurl4-openssl-dev)
13 |
14 | For generating Strings out of PCREs it uses the python command exrex.
15 | Install it with the command "pip install exrex"; this requires a working python and pip environment (e.g. sudo apt-get install python-pip).
16 |
17 | Run it by executing "./a.out -f \ -s \"
18 | or "./a.out -h" to see more options.
19 |
20 | For more options run "./a.out -h"
21 |
22 | ISSUES:
23 | -libcurl reports a timeout error if an HTTP HEAD request is sent, although the request is sent and a response is received. BEWARE: The more likely cause for this error is that the webserver at the given IP address is not responding or down, or the IP address is wrong.
24 | -If you see a python "Traceback" error in your stderr, it means that the exrex command had problems parsing/generating/... the regex from the given rule.
25 |
26 | For more in-depth information refer to the paper:
27 | "How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic"
28 | Proceedings of ACM SIGCOMM 2018, Workshop on Traffic Measurements for Cybersecurity (WTMC 2018)
29 | http://www.ccs-labs.org/bib/erlacher2018genesids/
30 |
--------------------------------------------------------------------------------
/idsEventGenerator.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (C) 2017 Felix Erlacher
3 | *
4 | * This program is free software; you can redistribute it and/or
5 | * modify it under the terms of the GNU General Public License
6 | * as published by the Free Software Foundation; either version 3
7 | * of the License, or (at your option) any later version.
8 | *
9 | * This program is distributed in the hope that it will be useful,
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | * GNU General Public License for more details.
13 | *
14 | * You should have received a copy of the GNU General Public License
15 | * along with this program; if not, write to the Free Software
16 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 | *
18 | *
19 | * Reads Snort rules and puts interesting fields in a struct for further usage.
20 | * This is rather a READER than a parser, as it assumes a basic structure of rules and does not
21 | * do in-depth checks of structure.
22 | *
23 | * REMARKS:
24 | * -If hex chars are encountered (everything between two '|' signs) they are converted to ASCII, but only if part of the first 128 ASCII chars and only if printable
25 | * -Whitespace in content patterns with http_uri modifier is generally converted to the + sign; if you want %20 as whitespace, then change it in the rule.
26 | */
27 |
28 | #include <cctype>      // isprint
29 | #include <cstdint>     // uint16_t
30 | #include <cstdio>      // fprintf, stdout, stderr
31 | #include <cstdlib>     // exit, strtol
32 | #include <string>
33 | #include <vector>
34 | #include <curl/curl.h> // libcurl, used to send the generated HTTP requests
39 |
40 | #define VECTORRESERVE 10
41 |
42 | class ruleBody{
43 | public:
44 | std::string msg;
45 | std::vector<bool> negatedContent;
46 | std::vector<std::string> contentOriginal;
47 | std::vector<bool> containsHex;
48 | std::vector<bool> contentNocase;
49 | std::vector<std::string> content;
50 | std::vector<int> contentModifierHTTP;
51 | //content modifiers are encoded for faster processing, one entry per content followed by one per pcre:
52 | //0:none 1:http_method 2:http_uri (also used for uricontent)
53 | //3:http_raw_uri 4:http_stat_msg 5:http_stat_code
54 | //6:http_header 7:http_raw_header 8:http_client_body
55 | //9:http_cookie 10:http_raw_cookie
56 | //the same mapping is used by the switch statements in printSnortRule
57 | std::vector<std::string> pcre;
58 | std::vector<bool> negatedPcre;
59 | std::vector<bool> pcreNocase;
60 | std::string sid;
61 | std::string rev;
62 | };
63 |
64 | class ruleHeader {
65 | public:
66 | std::string action;
67 | std::string protocol;
68 | std::string from;
69 | std::string fromPort;
70 | bool bidirectional;
71 | std::string to;
72 | std::string toPort;
73 | };
74 |
75 | class snortRule {
76 | public:
77 | ruleHeader header;
78 | ruleBody body;
79 | };
80 |
81 |
82 |
83 | std::size_t bodyStartPosition;
84 | bool printResponse=false;
85 | bool continueOnError=false;
86 | bool verbose=false;
87 | int packetCounter=1;
88 |
89 | /**
90 | * writes error message to stderr
91 | */
92 | void parsingError(int line, std::string parsingPart){
93 | fprintf(stderr,"Error on line %d, failed to parse %s. This does not seem to be a valid Snort rule. Aborting!\n",line, parsingPart.c_str());
94 | }
95 |
96 | /**
97 | * counts single rule fields (-->content vectors size) and checks if numbers match
98 | * if this check fails something went terribly wrong while parsing!!!
99 | */
100 | void plausabilityCheck(snortRule* rule, int *linenumber){
101 | //plausability checks:
102 | if(rule->body.content.size()==0&&rule->body.pcre.size()==0){
103 | fprintf(stderr,"SnortRuleParser: There was an error in rule parsing: After parsing, rule with sid %s does not contain any content or pcre to check for. This should not have happened. Aborting!\n",rule->body.sid.c_str());
104 | if(continueOnError==false){
105 | exit(1);
106 | }
107 | }
108 | if(rule->body.content.size()!=rule->body.contentOriginal.size()
109 | ||rule->body.content.size()!=rule->body.negatedContent.size()
110 | ||rule->body.content.size()!=rule->body.containsHex.size()
111 | //the pcre http modifiers are written into the contentModifierHTTP
112 | ||(rule->body.content.size()+rule->body.pcre.size())!=rule->body.contentModifierHTTP.size()
113 | ||rule->body.content.size()!=rule->body.contentNocase.size()
114 | ||rule->body.negatedPcre.size()!=rule->body.pcre.size()
115 | ||rule->body.pcreNocase.size()!=rule->body.pcre.size()){
116 | fprintf(stderr,"\n\nThere was an Error in rule parsing at line %d, parsed content vectors do not match in size. This should not have happened. Aborting!\n",*linenumber);
117 | fprintf(stderr,"content: %lu, contentOriginal: %lu, pcre: %lu, negatedPcre: %lu, pcreNocase: %lu, negatedContent: %lu, containsHex: %lu, ContentModifierHttp: %lu\n",rule->body.content.size(),rule->body.contentOriginal.size(),rule->body.pcre.size(),rule->body.negatedPcre.size(),rule->body.pcreNocase.size(),rule->body.negatedContent.size(),rule->body.containsHex.size(),rule->body.contentModifierHTTP.size());
118 | if(continueOnError==false){
119 | exit(1);
120 | }
121 | }
122 | }
123 |
124 | /**
125 | *prints snortRule struct to stdout
126 | */
127 | void printSnortRule(snortRule* rule){
128 | std::string modifierHttp;
129 |
130 | //is already done in main(), so basically superfluous. But for some cases (mass checks) I might comment it there, so a "backup" here.
131 | int dummyInt=-1;
132 | plausabilityCheck(rule, &dummyInt);
133 |
134 | fprintf(stdout,"Action:\t\t\t\t%s\n",rule->header.action.c_str());
135 | fprintf(stdout,"Protocol:\t\t\t%s\n",rule->header.protocol.c_str());
136 | fprintf(stdout,"From:\t\t\t\t\"%s\"\n",rule->header.from.c_str());
137 | fprintf(stdout,"FromPort:\t\t\t\"%s\"\n",rule->header.fromPort.c_str());
138 | fprintf(stdout,"To:\t\t\t\t\"%s\"\n",rule->header.to.c_str());
139 | fprintf(stdout,"ToPort:\t\t\t\t\"%s\"\n",rule->header.toPort.c_str());
140 | if(rule->header.bidirectional){
141 | fprintf(stdout,"Direction:\t\t\t<>\n");
142 | }else{
143 | fprintf(stdout,"Direction:\t\t\t->\n");
144 | }
145 |
146 | fprintf(stdout,"Message:\t\t\t%s\n",rule->body.msg.c_str());
147 |
148 | //loop through content related vectors
149 | for(unsigned long i=0;i<rule->body.content.size();i++){
150 | if(rule->body.negatedContent.at(i)==true){
151 | fprintf(stdout,"NOT ");
152 | }
153 | //fprintf(stdout,"ContentOriginal:\t%s\n",rule->body.contentOriginal[i].c_str());
154 | if(rule->body.containsHex.at(i)==true){
155 | fprintf(stdout,"Content (hex converted):\t%s\n",rule->body.content.at(i).c_str());
156 | }else{
157 | fprintf(stdout,"Content:\t\t\t\"%s\"\n",rule->body.content.at(i).c_str());
158 | }
159 | switch(rule->body.contentModifierHTTP.at(i)){
160 | case 0: modifierHttp=""; break;
161 | case 1: modifierHttp="http_method"; break;
162 | case 2: modifierHttp="http_uri"; break;
163 | case 3: modifierHttp="http_raw_uri"; break;
164 | case 4: modifierHttp="http_stat_msg"; break;
165 | case 5: modifierHttp="http_stat_code"; break;
166 | case 6: modifierHttp="http_header"; break;
167 | case 7: modifierHttp="http_raw_header"; break;
168 | case 8: modifierHttp="http_client_body"; break;
169 | case 9: modifierHttp="http_cookie"; break;
170 | case 10: modifierHttp="http_raw_cookie"; break;
171 | default: fprintf(stderr,"IpfixIds: Wrong internal content modifier HTTP encoding. Aborting!\n"); exit(0);
172 | }
173 | fprintf(stdout,"ContentModifierHttp:\t\t%s\n",modifierHttp.c_str());
174 | if(rule->body.contentNocase[i]==true){
175 | fprintf(stdout,"Nocase:\t\t\t\ttrue\n");
176 | }else{
177 | fprintf(stdout,"Nocase:\t\t\t\tfalse\n");
178 | }
179 | }
180 |
181 | //loop through pcre related vectors
182 | for(unsigned long j=0;j<rule->body.pcre.size();j++){
183 | if(rule->body.negatedPcre.at(j)==true){
184 | fprintf(stdout,"NOT ");
185 | }
186 | fprintf(stdout,"pcre:\t\t\t\t%s\n",rule->body.pcre.at(j).c_str());
187 | switch(rule->body.contentModifierHTTP.at(j+(rule->body.content.size()))){
188 | case 0: modifierHttp=""; break;
189 | case 1: modifierHttp="http_method"; break;
190 | case 2: modifierHttp="http_uri"; break;
191 | case 3: modifierHttp="http_raw_uri"; break;
192 | case 4: modifierHttp="http_stat_msg"; break;
193 | case 5: modifierHttp="http_stat_code"; break;
194 | case 6: modifierHttp="http_header"; break;
195 | case 7: modifierHttp="http_raw_header"; break;
196 | case 8: modifierHttp="http_client_body"; break;
197 | case 9: modifierHttp="http_cookie"; break;
198 | case 10: modifierHttp="http_raw_cookie"; break;
199 | default: fprintf(stderr,"IpfixIds: Wrong internal pcre content modifier HTTP encoding. Aborting!\n"); exit(0);
200 | }
201 | fprintf(stdout,"pcreModifierHttp:\t\t%s\n",modifierHttp.c_str());
202 | if(rule->body.pcreNocase[j]==true){
203 | fprintf(stdout,"NocasePcre:\t\t\ttrue\n");
204 | }else{
205 | fprintf(stdout,"NocasePcre:\t\t\tfalse\n");
206 | }
207 |
208 | }
209 |
210 | fprintf(stdout,"sid:\t\t\t\t%s\n",rule->body.sid.c_str());
211 | fprintf(stdout,"sid rev:\t\t\t%s\n",rule->body.rev.c_str());
212 | fprintf(stdout,"\n");
213 | }
214 |
215 | /**
216 | * returns a string of x Xs
217 | */
218 | std::string xtimesx(int x){
219 | std::string returnString="";
220 | for(int i=0;i<x;i++){
289 | std::size_t startPosition=line->find("msg:",0)+4;
290 | std::size_t endPosition=line->find(";",startPosition);
291 | if(startPosition==(std::string::npos+4)||endPosition==std::string::npos){
292 | parsingError(*linecounter,"msg");
293 | exit(1);
294 | }
295 | tempRule->body.msg=line->substr(startPosition+1,(endPosition-startPosition)-2);
296 | }
297 |
298 | /**
299 | *parses the rule header from given line and writes it to given snortRule class
300 | */
301 | void parseHeader(std::string* line, int* linecounter, snortRule* tempRule){
302 | std::string headerString;
303 | std::string from;
304 | std::string fromPort;
305 | std::string to;
306 | std::size_t start;
307 | std::size_t end;
308 |
309 | start=line->find("(");
310 | if(start==std::string::npos){
311 | parsingError(*linecounter, "header"); exit(1);
312 | }
313 | headerString=line->substr(0,start);
314 | end=headerString.find(" ");
315 | tempRule->header.action=headerString.substr(0,end);
316 | headerString.erase(0,end+1);
317 |
318 | //TODO: skip rule if it does not apply to tcp... not really necessary
319 | end=headerString.find(" ");
320 | tempRule->header.protocol=headerString.substr(0,end);
321 | headerString.erase(0,end+1);
322 |
323 | end=headerString.find("<>");
324 | if(end==std::string::npos){
325 | end=headerString.find("->");
326 | if(end==std::string::npos){
327 | parsingError(*linecounter,"header direction sign"); exit(1);
328 | }
329 | tempRule->header.bidirectional=false;
330 | }else{
331 | tempRule->header.bidirectional=true;
332 | }
333 |
334 | //the end-1 omits the trailing space in this string
335 | from=headerString.substr(0,end-1);
336 | headerString.erase(0,end+3);
337 | to=headerString.substr(0,headerString.size()-1);
338 |
339 | end=from.find(" ");
340 | if(end==std::string::npos){
341 | parsingError(*linecounter,"no space between from address and port"); exit(1);
342 | }
343 | tempRule->header.from=from.substr(0,end);
344 | from.erase(0,end+1);
345 | fromPort=from.substr(0,from.size());
346 | //this only catches if the default variable is used, but thats life...
347 | if(fromPort.find("$HTTP_PORTS")!=std::string::npos){
348 | fprintf(stderr,"Error: Rule looks for packet coming from server ports ($HTTP_PORTS variable). Can not control server responses, please remove this rule. Line: %d\n",*linecounter);
349 | if(continueOnError==false){
350 | exit(1);
351 | }
352 | }
353 | tempRule->header.fromPort=fromPort;
354 |
355 | end=to.find(" ");
356 | if(end==std::string::npos){
357 | parsingError(*linecounter,"no space between to address and port"); exit(1);
358 | }
359 | tempRule->header.to=to.substr(0,end);
360 | to.erase(0,end+1);
361 | tempRule->header.toPort=to.substr(0,to.size());
362 | }
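parseHeader above splits the text before the rule body on spaces and on the direction operator, and refuses rules whose source port is $HTTP_PORTS, because a client-side generator cannot produce the server responses such a rule inspects. The following is an added, stand-alone example (not part of idsEventGenerator.cpp) of the same header parsing, written so that a malformed header is reported to the caller instead of aborting the program; the names RuleHeader, parseRuleHeader and triggerableByClient are my own. Like the original it assumes the seven header fields are separated by whitespace and contain none themselves.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Added example, not part of idsEventGenerator.cpp: the seven fields that
// precede the '(' of a Snort rule body.
struct RuleHeader {
    std::string action, protocol, from, fromPort, to, toPort;
    bool bidirectional = false;
};

// Splits the text before '(' on whitespace. Like the tool's parseHeader this
// assumes that no header field contains a space itself (Snort lists such as
// [80,8080] are written without spaces). On failure err is set and false is
// returned, so the caller decides whether to skip the rule or abort.
bool parseRuleHeader(const std::string& line, RuleHeader& out, std::string& err) {
    std::size_t paren = line.find('(');
    if (paren == std::string::npos) { err = "no rule body found"; return false; }
    std::istringstream in(line.substr(0, paren));
    std::vector<std::string> tok;
    for (std::string t; in >> t;) tok.push_back(t);
    if (tok.size() != 7) {
        err = "expected 7 header fields, got " + std::to_string(tok.size());
        return false;
    }
    if (tok[4] == "->")      out.bidirectional = false;
    else if (tok[4] == "<>") out.bidirectional = true;
    else { err = "unknown direction operator '" + tok[4] + "'"; return false; }
    out.action = tok[0];  out.protocol = tok[1];
    out.from = tok[2];    out.fromPort = tok[3];
    out.to = tok[5];      out.toPort = tok[6];
    return true;
}

// Same restriction the tool enforces: the generator only sends client
// requests, so a rule matching traffic whose *source* port is $HTTP_PORTS
// (a server response) can never be triggered by it. Non-alert rules are
// skipped as well, as the README states.
bool triggerableByClient(const RuleHeader& h) {
    return h.action == "alert" && h.fromPort.find("$HTTP_PORTS") == std::string::npos;
}

int main() {
    // constructed sample rules
    const char* rules[] = {
        "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:\"client request\"; sid:1;)",
        "alert tcp $HOME_NET $HTTP_PORTS <> $EXTERNAL_NET any (msg:\"server side\"; sid:2;)",
        "alert tcp any any => any any (msg:\"bad operator\"; sid:3;)",
    };
    for (const char* r : rules) {
        RuleHeader h; std::string err;
        if (!parseRuleHeader(r, h, err)) { printf("skip: %s\n", err.c_str()); continue; }
        printf("%s %s %s:%s %s %s:%s triggerable=%d\n", h.action.c_str(), h.protocol.c_str(),
               h.from.c_str(), h.fromPort.c_str(), h.bidirectional ? "<>" : "->",
               h.to.c_str(), h.toPort.c_str(), (int)triggerableByClient(h));
    }
    return 0;
}
```

Returning an error string instead of calling exit() lets a caller implement the tool's continueOnError behaviour uniformly: skip the offending rule, log it, and keep processing the rest of the file.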
363 |
364 | /**
365 | * parses rule content (also multiple contents) from given line and writes it to given tempRule class in the corresponding vector of contents,
366 | * it also converts hex characters to ascii characters, if possible, if not it omits them in the output content
367 | */
368 | void parseContent(std::string* line, int* linecounter, snortRule* tempRule){
369 | std::size_t startPosition;
370 | std::size_t endPosition;
371 | std::size_t hexStartPosition;
372 | std::size_t hexEndPosition=0;
373 | std::string hexContent;
374 | std::string contentOrig;
375 | std::string contentHexFree;
376 | std::string tempContent;
377 | std::string byte;
378 | //we have to copy the line because we are messing around with it
379 | std::string lineCopy=*line;
380 | //this string is the same as lineCopy, only quoted text is replaced by X. length is the same!
381 | std::string lineCopySearch=replaceQuotedText(&lineCopy);
382 | char tempChar;
383 | std::size_t tempPosition;
384 | int contentCounter=0;
385 |
386 | //on the first check there should definitively be at least one content
387 | startPosition=lineCopySearch.find("content:",bodyStartPosition)+8;
388 | endPosition=lineCopySearch.find(";",startPosition);
389 | if(startPosition==(std::string::npos+8)||endPosition==std::string::npos){
390 | parsingError(*linecounter,"content");
391 | exit(1);
392 | }
393 |
394 | //loop to detect multiple content keywords, same check as above is repeated, will be true first time for sure, but we don't want to call parsingError the other times
395 | while(startPosition!=(std::string::npos+8)&&endPosition!=std::string::npos){
396 | contentHexFree="";
397 | //check if content is negated BEWARE: then also modifiers are negated!!!
398 | if(lineCopy.substr(startPosition,1)=="!"){
399 | tempRule->body.negatedContent.push_back(true);
400 | //cut away negation sign
401 | lineCopy.erase(startPosition,1);
402 | lineCopySearch.erase(startPosition,1);
403 | //because we erase one character, the endPosition moves back one char
404 | endPosition--;
405 | }else{
406 | tempRule->body.negatedContent.push_back(false);
407 | }
408 |
409 | //we dont have to check for uricontent here because we can take care the same way we do for content. we have to take special care in parseContentModifier
410 |
411 | contentOrig=lineCopy.substr(startPosition,(endPosition-startPosition));
412 | //cut away quotes
413 | contentOrig=contentOrig.substr(1,(contentOrig.size()-2));
414 |
415 | //for debug and functionality check purposes write original content
416 | tempRule->body.contentOriginal.push_back(contentOrig);
417 | //check if it contains hex
418 | hexStartPosition=contentOrig.find("|");
419 |
420 | //is checked again below, but necessary here too
421 | if(hexStartPosition!=std::string::npos||contentOrig.find("|",hexStartPosition+1)!=std::string::npos){
422 | tempRule->body.containsHex.push_back(1);
423 | //if it contains hex then add the hex-free content before the hex content to contentHexFree
424 | contentHexFree=contentHexFree+contentOrig.substr(0,hexStartPosition);
425 | }else{
426 | tempRule->body.containsHex.push_back(0);
427 | //if it does not contain hex at all add it now to hex free content
428 | contentHexFree=contentHexFree+contentOrig;
429 | }
430 | //find all hex codes and convert them to ascii
431 | while(hexStartPosition!=std::string::npos){
432 | hexEndPosition=contentOrig.find("|",hexStartPosition+1);
433 | if(hexEndPosition==std::string::npos){
434 | fprintf(stdout,"Debug: content no hex=\t\t%s\nalready converted content:\t%s\n",contentOrig.c_str(),contentHexFree.c_str());
435 | parsingError(*linecounter,"hex content (no termination sign)");
436 | exit(1);
437 | }
438 | //copying hex string and cutting off first pipe sign
439 | hexContent=contentOrig.substr(hexStartPosition+1,(hexEndPosition-hexStartPosition)-1);
440 | //remove spaces from hex string
441 | tempPosition=hexContent.find(" ");
442 | while(tempPosition!=std::string::npos){
443 | hexContent.erase(tempPosition,1);
444 | tempPosition=hexContent.find(" ",tempPosition);
445 | }
446 |
447 | std::string asciiString;
448 | //transform hex to ascii loop, as it always consumes two chars we have to move over two chars after every loop
449 | //todo ev. convert line break/line feed hex codes to OS specific signs, convert more than 128 ascii signs
450 | for (uint16_t i=0;i<(hexContent.length());i=i+2){
451 | char * pEnd;
452 | byte = hexContent.substr(i,2);
453 | if(byte=="0d"||byte=="0D"){
454 | asciiString=asciiString+"\\r";
455 | }else if(byte=="0a"||byte=="0A"){
456 | asciiString=asciiString+"\\n";
457 | }else{
458 | tempChar=(char) (int)strtol(byte.c_str(), &pEnd, 16);
459 | if(isprint(tempChar)){
460 | asciiString.push_back(tempChar);
461 | }else{//warn if not printable
462 | fprintf(stderr,"WARNING: non-printable hex chars (except 0d and 0a) and hex > 7F are not supported and thus omitted. Hex: %s, rule sid: %s, line:%d\n",byte.c_str(), tempRule->body.sid.c_str(), *linecounter);
463 | }
464 | }
465 | }
466 | //adding converted string to content
467 | contentHexFree=contentHexFree+asciiString;
468 | //content now does not contain previous hex anymore, but may contain pipe sign if converted from hex
469 | hexStartPosition=contentOrig.find("|",hexEndPosition+1);
470 | //if there is more hex, then get the content in between the last and the next hex string
471 | if(hexStartPosition!=std::string::npos){
472 | contentHexFree=contentHexFree+contentOrig.substr(hexEndPosition+1,hexStartPosition-hexEndPosition-1);
473 | //if this was the last hex (and here we had at least one hex string) add a possible trailing hex-free string to the content
474 | }else{
475 | contentHexFree=contentHexFree+contentOrig.substr(hexEndPosition+1,contentOrig.size()-hexEndPosition+1);
476 | }
477 | }//while hex loop
478 | //add the summed up content to the rule class
479 | tempRule->body.content.push_back(contentHexFree);
480 | //erase content keyword, so that loop can find next content keyword or break
481 | lineCopy.erase(startPosition-8,8);
482 | //to keep same length do the same for search string
483 | lineCopySearch.erase(startPosition-8,8);
484 | startPosition=lineCopySearch.find("content:",bodyStartPosition)+8;
485 | endPosition=lineCopySearch.find(";",startPosition);
486 | contentCounter++;
487 | }//while content loop
488 | }
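The hex handling in parseContent, together with the REMARKS at the top of the file, defines how a `|..|` section of a content pattern is decoded: blanks inside the pipes are ignored, 0d and 0a are kept, other non-printable bytes and bytes above 7F are dropped with a warning, and for http_uri patterns spaces become '+'. The following is an added example that is not the project's code and goes slightly beyond it: it decodes CR and LF to the actual bytes rather than the two-character escapes the tool emits, and it reports an unterminated pipe, an odd number of digits or a non-hex digit to the caller instead of calling exit(); the names DecodedContent, hexPair and decodeSnortContent are my own.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Added example, not part of idsEventGenerator.cpp.
struct DecodedContent {
    std::string bytes;                 // the pattern with |..| sections decoded
    bool containsHex = false;          // at least one |..| section was present
    std::vector<std::string> warnings; // bytes dropped as unsupported
};

// Value of the two hex digits at s[i], s[i+1], or -1 if either is not a hex digit.
static int hexPair(const std::string& s, std::size_t i) {
    if (i + 1 >= s.size()) return -1;
    if (!isxdigit((unsigned char)s[i]) || !isxdigit((unsigned char)s[i + 1])) return -1;
    return (int)strtol(s.substr(i, 2).c_str(), nullptr, 16);
}

// Decodes one Snort content pattern (the text between the quotes of content:"...").
// Text outside pipes is copied verbatim; inside a |..| section blanks are ignored
// and each hex pair becomes one byte. Following the tool's REMARKS only 0d, 0a and
// printable 7-bit bytes are kept; anything else is dropped with a warning. With
// httpUri set, spaces are turned into '+' as the tool does for http_uri patterns.
bool decodeSnortContent(const std::string& pattern, bool httpUri,
                        DecodedContent& out, std::string& err) {
    out = DecodedContent();
    std::size_t pos = 0;
    while (pos < pattern.size()) {
        std::size_t bar = pattern.find('|', pos);
        if (bar == std::string::npos) { out.bytes += pattern.substr(pos); break; }
        out.bytes += pattern.substr(pos, bar - pos);
        std::size_t end = pattern.find('|', bar + 1);
        if (end == std::string::npos) { err = "hex section without closing '|'"; return false; }
        out.containsHex = true;
        std::string hex;
        for (std::size_t i = bar + 1; i < end; ++i)
            if (pattern[i] != ' ') hex += pattern[i];
        if (hex.size() % 2 != 0) { err = "odd number of hex digits in |" + hex + "|"; return false; }
        for (std::size_t i = 0; i < hex.size(); i += 2) {
            int v = hexPair(hex, i);
            if (v < 0) { err = "invalid hex digit in |" + hex + "|"; return false; }
            if (v == 0x0d || v == 0x0a || (v < 0x80 && isprint(v)))
                out.bytes.push_back((char)v);
            else
                out.warnings.push_back("dropped unsupported byte 0x" + hex.substr(i, 2));
        }
        pos = end + 1;
    }
    if (httpUri)
        for (char& c : out.bytes) if (c == ' ') c = '+';
    return true;
}

int main() {
    // constructed sample patterns, as they would appear inside content:"..."
    struct { const char* pattern; bool uri; } samples[] = {
        {"GET |2f|index|2e|php", false},
        {"|0d 0a|Host|3a 20|example", false},
        {"cgi bin|00|x", true},
        {"abc|41", false},
    };
    for (auto& s : samples) {
        DecodedContent d; std::string err;
        if (!decodeSnortContent(s.pattern, s.uri, d, err)) {
            printf("%-28s -> error: %s\n", s.pattern, err.c_str());
            continue;
        }
        printf("%-28s -> %zu bytes, %zu warning(s)\n", s.pattern, d.bytes.size(), d.warnings.size());
    }
    return 0;
}
```

The warnings list makes the tool's caveat visible per rule: a pattern that lost bytes in decoding will not reproduce the rule's original byte sequence on the wire, so an IDS that does not fire on such a generated request is not necessarily misconfigured.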
489 |
490 | /**
491 | * parses content modifiers from given line and writes it to given tempRule class in the corresponding vector
492 | * Only nocase and http_* content modifier are supported. rawbytes, depth, offset, distance, within, fast_pattern are ignored by the parser.
493 | */
494 | void parseContentModifier(std::string* line, int* linecounter, snortRule* tempRule){
495 | bool uricontent=false;
496 | std::size_t startPosition;
497 | std::size_t endPosition;
498 | std::size_t contentEndPosition;
499 | std::size_t httpModifierStartPosition;
500 | std::size_t httpModifierEndPosition;
501 | std::string temp;
502 | std::string allModifiers;
503 | //we have to copy the line because we are messing around with it
504 | std::string lineCopy=*line;
505 | //this string is the same as lineCopy, only quoted text is replaced by X. length is the same. this way, searches don't trigger falsely on content found in quotes
506 | std::string lineCopySearch=replaceQuotedText(&lineCopy);
507 |
508 | //on the first check there should definitively be at least one content
509 | startPosition=lineCopySearch.find("content:",bodyStartPosition)+8;
510 | endPosition=lineCopySearch.find("content:",startPosition);
511 | //for last content in rule the end is marked by the closing bracket of the rule body
512 | if(endPosition==std::string::npos){
513 | //do we have a +1 error here because of semicolon AND parentheses? No, because rule requires sid and rev keywords, and they are placed after modifiers
514 | endPosition=(lineCopySearch.find(";)",startPosition));
515 | }
516 |
517 | if(startPosition==(std::string::npos+8)||endPosition==std::string::npos){
518 | parsingError(*linecounter,"content (modifier)");
519 | exit(1);
520 | }
521 |
522 | //loop to detect multiple content keywords, same check as above is repeated, will be true first time for sure, but we don't want to call parsingError the other times
523 | while(startPosition!=(std::string::npos+8)&&endPosition!=std::string::npos){
524 | temp=lineCopy.substr(startPosition,endPosition-startPosition);
525 | allModifiers=replaceEscapedChars(&temp);
526 | contentEndPosition=allModifiers.find(";");
527 | if(startPosition==(std::string::npos+8)||endPosition==std::string::npos){
528 | parsingError(*linecounter,"content (modifier), content string end position");
529 | exit(1);
530 | }
531 |
532 | //check if it's the uricontent keyword:
533 | if(lineCopy.substr(startPosition-11,3)=="uri"){
534 | uricontent=true;
535 | }
536 |
537 | //erase content keyword and content pattern
538 | allModifiers.erase(0,contentEndPosition+1);
539 |
540 | //see if it contains the nocase modifier
541 | if(allModifiers.find("nocase;")==std::string::npos){
542 | tempRule->body.contentNocase.push_back(false);
543 | }else{
544 | tempRule->body.contentNocase.push_back(true);
545 | }
546 |
547 |
548 | if(uricontent){
549 | tempRule->body.contentModifierHTTP.push_back(2);
550 | }else{
551 | //find http content modifier:
552 | httpModifierStartPosition=allModifiers.find("http_");
553 | if(httpModifierStartPosition==std::string::npos){
554 | tempRule->body.contentModifierHTTP.push_back(0);
555 | }else{
556 | httpModifierEndPosition=allModifiers.find(";",httpModifierStartPosition);
557 | if(httpModifierEndPosition==std::string::npos){
558 | parsingError(*linecounter,"content (modifier), content httpModifier end position"); exit(1);
559 | }
560 | temp=allModifiers.substr(httpModifierStartPosition,(httpModifierEndPosition-httpModifierStartPosition));
561 | if(temp=="http_method"){
562 | tempRule->body.contentModifierHTTP.push_back(1);
563 | }else if(temp=="http_uri"){
564 | tempRule->body.contentModifierHTTP.push_back(2);
565 | //replace whitespaces in content patterns for http uris
566 | //printf("uri detected, replacing:\n");
567 | //temp=tempRule->body.content[tempRule->body.contentModifierHTTP.size()-1];
568 | //printf("uri detected, replacing:\n");
569 | for(int i = 0; i < tempRule->body.content.at(tempRule->body.contentModifierHTTP.size()-1).length(); i++)
570 | {
571 | if(tempRule->body.content.at(tempRule->body.contentModifierHTTP.size()-1).at(i)== ' '){
572 | tempRule->body.content.at(tempRule->body.contentModifierHTTP.size()-1).at(i) = '+';
573 | }
574 | }
575 | //tempRule->body.content.at(tempRule->body.contentModifierHTTP.size()-1)=temp;
576 | }else if(temp=="http_raw_uri"){
577 | tempRule->body.contentModifierHTTP.push_back(3);
578 | }else if(temp=="http_stat_msg"){
579 | //fprintf(stderr,"SnortRuleparser: content modifier http_stat_msg not supported in this version\n"); //just uncomment lines to support it
580 | tempRule->body.contentModifierHTTP.push_back(4);
581 | }else if(temp=="http_stat_code"){
582 | tempRule->body.contentModifierHTTP.push_back(5);
583 | }else if(temp=="http_header"){//BEWARE: this is not supported in Vermont because no IPFIX IE for http header exists
584 | tempRule->body.contentModifierHTTP.push_back(6);
585 | }else if(temp=="http_raw_header"){//BEWARE: this is not supported in Vermont because no IPFIX IE for http header exists
586 | tempRule->body.contentModifierHTTP.push_back(7);
587 | }else if(temp=="http_client_body"){//BEWARE: this is not supported in Vermont because no IPFIX IE for http header exists
588 | tempRule->body.contentModifierHTTP.push_back(8);
589 | }else if(temp=="http_cookie"){//BEWARE: this is not supported in Vermont because no IPFIX IE for http header exists
590 | tempRule->body.contentModifierHTTP.push_back(9);
591 | }else if(temp=="http_raw_cookie"){//BEWARE: this is not supported in Vermont because no IPFIX IE for http header exists
592 | tempRule->body.contentModifierHTTP.push_back(10);
593 | }else{
594 | parsingError(*linecounter,"unrecognized content modifier");
595 | }
596 | }
597 | }//if uricontent
598 | //erase content keyword and content string, so that next content can be found
599 | lineCopy.erase(startPosition-8,+8);
600 | lineCopySearch.erase(startPosition-8,+8);
601 |
602 | startPosition=lineCopySearch.find("content:",bodyStartPosition)+8;
603 | endPosition=lineCopySearch.find("content:",startPosition);
604 | //for last content in rule, the end is marked by the closing bracket of the rule body
605 | if(endPosition==std::string::npos){
606 | endPosition=(lineCopy.find(";)",startPosition))+1;
607 | }
608 | }//while
609 | }
610 | /**
611 | * check given uri for disallowed and unwise characters see rfc-2396
612 | * print warning if true
613 | */
614 | void checkUri(std::string uri, std::string sid){
615 | //delimiters
616 | if(uri.find("#")!=std::string::npos||uri.find(">")!=std::string::npos||uri.find("<")!=std::string::npos||uri.find("%")!=std::string::npos||uri.find("\"")!=std::string::npos){
617 | //TODO: check if they are escaped
618 | fprintf(stderr,"WARNING: The HTTP uri used for this rule may contain disallowed characters. sid: %s\n",sid.c_str());
619 | }
620 | //unwise
621 | if(uri.find("{")!=std::string::npos||uri.find("}")!=std::string::npos||uri.find("|")!=std::string::npos||uri.find("[")!=std::string::npos||uri.find("]")!=std::string::npos||uri.find("`")!=std::string::npos||uri.find("\\")!=std::string::npos){
622 | fprintf(stderr,"WARNING: The HTTP uri used for this rule may contain unwise characters. sid: %s\n",sid.c_str());
623 | }
624 | }
625 | /**
626 | * parses pcre patterns in given line and writes it to given tempRule class in the corresponding vectors
627 | */
628 | void parsePcre(std::string* line, int* linecounter, snortRule* tempRule){
629 | std::size_t startPosition;
630 | std::size_t endPosition;
631 | std::size_t iPosition;
632 | //we have to copy the line because we are messing around with it
633 | std::string lineCopy=*line;
634 | //this string is the same as line copy, only quoted text is replaces by X. length is the same!
635 | std::string lineCopySearch=replaceQuotedText(&lineCopy);
636 | std::string pcreModifierString;
637 | std::string pcreString;
638 | std::string temp;
639 |
640 | //on the first check there should definitively be at least one pcre
641 | startPosition=lineCopySearch.find("pcre:",bodyStartPosition)+5;
642 | endPosition=lineCopySearch.find(";",startPosition);
643 | //if not throw an error
644 | if(startPosition==(std::string::npos+5)||endPosition==std::string::npos){
645 | parsingError(*linecounter,"pcre");
646 | exit(1);
647 | }
648 |
649 | //loop to detect multiple pcre keywords, same check as above is repeated, will be true first time for sure, but we dont want to call parsingError the other times
650 | while(startPosition!=(std::string::npos+5)&&endPosition!=std::string::npos){
651 | if(lineCopy.substr(startPosition,1)=="!"){
652 | tempRule->body.negatedPcre.push_back(true);
653 | //erase negation sign
654 | lineCopy.erase(startPosition,1);
655 | lineCopySearch.erase(startPosition,1);
656 | //adjust endPosition
657 | endPosition--;
658 | }else{
659 | tempRule->body.negatedPcre.push_back(false);
660 | }
661 | //copying pcre string (+snort specific modifiers) and cutting off quotes
662 | temp=lineCopy.substr(startPosition+1,endPosition-startPosition-2);
663 |
664 | //avoid any escaped chars by simply looking for the last occurence of / in the (not anymore) quoted pcre string
665 | endPosition=temp.find_last_of("/");
666 | pcreString=temp.substr(1,endPosition-1);
667 | tempRule->body.pcre.push_back(pcreString);
668 |
669 | //getting pcre modifiers
670 | pcreModifierString=temp.substr(endPosition+1,temp.length()-endPosition);
671 |
672 | //detailed handling of single pcre modifiers
673 | iPosition=pcreModifierString.find("i");
674 | if(iPosition!=std::string::npos){
675 | tempRule->body.pcreNocase.push_back(true);
676 | pcreModifierString.erase(iPosition,1);
677 | }else{
678 | tempRule->body.pcreNocase.push_back(false);
679 | }
680 |
681 | //if no modifiers left, no http modifier, so useless:
682 | if(pcreModifierString.size()==0){
683 | fprintf(stderr,"Error with rule sid:%s on line %d, failed to parse pcre modifier: No http modifier for pcre, we need at least one\n",tempRule->body.sid.c_str(),*linecounter);
684 | if(continueOnError==false){
685 | exit(1);
686 | }
687 | }
688 |
689 | if(pcreModifierString.find("s")!=std::string::npos||pcreModifierString.find("m")!=std::string::npos||pcreModifierString.find("x")!=std::string::npos
690 | ||pcreModifierString.find("A")!=std::string::npos||pcreModifierString.find("E")!=std::string::npos
691 | ||pcreModifierString.find("G")!=std::string::npos||pcreModifierString.find("R")!=std::string::npos
692 | ||pcreModifierString.find("B")!=std::string::npos||pcreModifierString.find("O")!=std::string::npos){
693 | fprintf(stderr,"Error with rule sid:%s on line %d, failed to parse pcre modifier: The Snort specific (non HTTP) pcre modifiers s,m,x,A,E,G,R,B,O are not supported.\n",tempRule->body.sid.c_str(),*linecounter);
694 | if(continueOnError==false){
695 | exit(1);
696 | }
697 | }
698 | for(std::string::size_type k = 0; k < pcreModifierString.size(); ++k) {
699 | switch(pcreModifierString[k]){
700 | case 'P'://client body
701 | tempRule->body.contentModifierHTTP.push_back(8);
702 | break;
703 | case 'H'://http header 6
704 | tempRule->body.contentModifierHTTP.push_back(6);
705 | break;
706 | case 'D'://raw_header 7
707 | tempRule->body.contentModifierHTTP.push_back(7);
708 | break;
709 | case 'C'://cookie 9
710 | tempRule->body.contentModifierHTTP.push_back(9);
711 | break;
712 | case 'K'://raw cookie 10
713 | tempRule->body.contentModifierHTTP.push_back(10);
714 | break;
715 | case 'U'://uri
716 | //TODO: it would make sense to check already here for unescaped unsupported or unwise chars, on the other hand snort does accept most of them anyway
717 | tempRule->body.contentModifierHTTP.push_back(2);
718 | break;
719 | case 'I'://raw uri
720 | //checkUriPCRE(pcreString);
721 | tempRule->body.contentModifierHTTP.push_back(3);
722 | break;
723 | case 'M'://method
724 | tempRule->body.contentModifierHTTP.push_back(1);
725 | break;
726 | case 'S'://response code
727 | tempRule->body.contentModifierHTTP.push_back(5);
728 | break;
729 | case 'Y'://response message
730 | tempRule->body.contentModifierHTTP.push_back(4);
731 | break;
732 | default:
733 | fprintf(stderr,"Error with rule sid:%s on line %d, failed to parse pcre modifier: There was an uncaught, unsupported snort specific modifier. This should not have happened!\n",tempRule->body.sid.c_str(),*linecounter);
734 | if(continueOnError==false){
735 | exit(1);
736 | }
737 | }
738 | }
739 |
740 | //printf("%s\n",temp.c_str());
741 | //printf("%s\n",pcreString.c_str());
742 | //printf("%s\n",pcreModifierString.c_str());
743 |
744 | //erase pcre keyword from line so that the next pcre keyword can be found
745 | lineCopy.erase(startPosition-5,5);
746 | lineCopySearch.erase(startPosition-5,5);
747 | startPosition=lineCopySearch.find("pcre:",bodyStartPosition)+5;
748 | endPosition=lineCopySearch.find(";",startPosition);
749 | }
750 |
751 | }
752 | /**
753 | * parses SID and SID rev. number from given line and writes it to given snortRule struct
754 | */
755 | void parseSid(std::string* line, int* linecounter, snortRule* tempRule){
756 | std::string lineCopy=replaceQuotedText(line);
757 | std::size_t startPosition=lineCopy.find("sid:",bodyStartPosition)+4;
758 | std::size_t endPosition=lineCopy.find(';',startPosition);
759 | if(startPosition==(std::string::npos+4)||endPosition==std::string::npos){//find() returned npos, +4 wraps to 3
760 | parsingError(*linecounter,"SID");
761 | exit(1);
762 | }
763 | tempRule->body.sid=lineCopy.substr(startPosition,(endPosition-startPosition));
764 |
765 | //parse rev following SID
766 | startPosition=lineCopy.find("rev:",startPosition)+4;
767 | endPosition=lineCopy.find(';',startPosition);
768 | if(startPosition==(std::string::npos+4)||endPosition==std::string::npos){//find() returned npos, +4 wraps to 3
769 | parsingError(*linecounter,"SID revision");
770 | exit(1);
771 | }
772 | tempRule->body.rev=lineCopy.substr(startPosition,(endPosition-startPosition));
773 | }
774 |
775 | /*
776 | *Function that is used to handle return data from sent requests
777 | */
778 | size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp){
779 |
780 | //ev. print response which resides in buffer
781 | if(printResponse){
    | fwrite(buffer,size,nmemb,stdout);//echo the response body exactly as received
782 | }
783 | return size*nmemb;
784 | }
785 |
786 | /**
787 | * removes \r and \n at beginning and end of strings
788 | */
789 | std::string removeCRLF(std::string str, std::string ruleSid){
790 | if(str.size()==0){
791 | fprintf(stderr,"Error, can not sanitize empty Header for rulesid:%s. Likely, this rule produced an empty pcre string, check pcre.\n",ruleSid.c_str());
792 | if(continueOnError==false){
793 | exit(0);
794 | }
795 | }
796 | //remove all literal \r and \n escape sequences (backslash + letter, as written in the rule) at end, libcurl will add real CRLF anyway
797 | while(str.size()>=2&&((str.at(str.size()-1)=='n'&&str.at(str.size()-2)=='\\')||(str.at(str.size()-1)=='r'&&str.at(str.size()-2)=='\\'))){
798 | str.pop_back();
799 | str.pop_back();
800 | }
801 | //snort rules also search for \r\n at beginning of some fields, remove them too (size check keeps at() from throwing on short strings):
802 | while(str.size()>=2&&((str.at(0)=='\\'&&str.at(1)=='r')||(str.at(0)=='\\'&&str.at(1)=='n'))){
803 | str.erase(0,2);
804 | }
805 | if(str==""){
806 | fprintf(stderr,"WARNING: Empty String after removing initial and trailing newlines. sid: %s\n",ruleSid.c_str());
807 | }
808 | return str;
809 | }
810 |
811 |
812 | /**
813 | * 2 steps:
814 | * 1:remove excess \r\n at end and beginning. libcurl adds a \r\n anyway, so we have to remove them.
815 | * 2:if colon OR colon+whitespace at end of header are found a value is added.
816 | * WHY?: if a header without a value is set, curl assumes you want to remove the original header, so we have to set a value after colon or colon and space:
817 | */
818 | std::string sanitizeHeader(std::string header, std::string ruleSid){
819 | if(header.size()==0){
820 | fprintf(stderr,"Error, can not sanitize empty Header for rulesid:%s. Likely, this rule produced an empty pcre string, check pcre.\n",ruleSid.c_str());
821 | if(continueOnError==false){
822 | exit(0);
823 | }
824 | }else{
825 | header=removeCRLF(header,ruleSid);
826 | //add dummystuff if missing
827 | if(header.size()>0&&header.at(header.size()-1)==':'){
828 | header=header+" DummyValue";
829 | if(verbose){
830 | printf("INFO: added dummy value to incomplete name: value header. sid:%s\n",ruleSid.c_str());
831 | }
832 | }else if(header.size()>=2&&header.at(header.size()-1)==' '&&header.at(header.size()-2)==':'){
833 | header=header+"DummyValue";
834 | if(verbose){
835 | printf("INFO: added dummy value to incomplete name: value header. sid:%s\n",ruleSid.c_str());
836 | }
837 | }else if(header.size()>0&&header.find(':')==std::string::npos){
838 | header="DummyHeader: "+header;
839 | if(verbose){
840 | printf("INFO: added dummy value to incomplete name: value header. sid:%s\n",ruleSid.c_str());
841 | }
842 | }
843 |
844 | }
845 | if(header==""){
846 | fprintf(stderr,"WARNING: Empty header after sanitization. sid: %s\n",ruleSid.c_str());
847 | }
848 | return header;
849 | }
850 |
851 | /**
852 | * this function replaces character classes that are not supported by the exrex and problematic chars by equivalent signs
853 | */
854 | std::string sanitizePCRE(std::string pcre, std::string sid){
855 | std::size_t index;
856 | //replace \s with " ", so whitespace chars become just whitespace and not something like newlines
857 | while(true){
858 | index=pcre.find("\\s");
859 | if(index==std::string::npos){
860 | break;
861 | }else{
862 | pcre.replace(index,2," ");
863 | index+=3;
864 | if(verbose){
865 | printf("INFO: replaced \\s with single whitespace before generation. sid:%s\n",sid.c_str());
866 | }
867 | }
868 | }
869 |
870 | //replace +? with +
871 | while(true){
872 | index=pcre.find("+?");
873 | if(index==std::string::npos){
874 | break;
875 | }else{
876 | pcre.replace(index,2,"+");
877 | if(verbose){
878 | printf("INFO: replaced +? with + in pcre before generation. sid:%s\n",sid.c_str());
879 | }
880 | }
881 | }
882 |
883 | //replace *? with *
884 | while(true){
885 | index=pcre.find("*?");
886 | if(index==std::string::npos){
887 | break;
888 | }else{
889 | pcre.replace(index,2,"*");
890 | if(verbose){
891 | printf("INFO: replaced *? with * in pcre before generation. sid:%s\n",sid.c_str());
892 | }
893 | }
894 | }
895 |
896 | //replace .+ with [a-z] so that it produces easy to use char and not some weird sh**
897 | while(true){
898 | index=pcre.find(".+");
899 | if(index==std::string::npos){
900 | break;
901 | }else{
902 | pcre.replace(index,2,"[a-z]");
903 | if(verbose){
904 | printf("INFO: replaced .+ with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
905 | }
906 | }
907 | }
908 |
909 | //replace .* with [a-z] so that it produces easy to use char and not some weird sh**
910 | while(true){
911 | index=pcre.find(".*");
912 | if(index==std::string::npos){
913 | break;
914 | }else{
915 | pcre.replace(index,2,"[a-z]");
916 | if(verbose){
917 | printf("INFO: replaced .* with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
918 | }
919 | }
920 | }
921 |
922 | //replace .? with [a-z] so that it produces easy to use char and not some weird sh**
923 | while(true){
924 | index=pcre.find(".?");
925 | if(index==std::string::npos){
926 | break;
927 | }else{
928 | pcre.replace(index,2,"[a-z]");
929 | if(verbose){
930 | printf("INFO: replaced .? with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
931 | }
932 | }
933 | }
934 |
935 | while(true){
936 | index=pcre.find("[^&]");
937 | if(index==std::string::npos){
938 | break;
939 | }else{
940 | pcre.replace(index,4,"[a-z]");
941 | if(verbose){
942 | printf("INFO: replaced [^&] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
943 | }
944 | }
945 | }
946 |
947 | while(true){
948 | index=pcre.find("[^\\]");
949 | if(index==std::string::npos){
950 | break;
951 | }else{
952 | pcre.replace(index,4,"[a-z]");
953 | if(verbose){
954 | printf("INFO: replaced [^\\] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
955 | }
956 | }
957 | }
958 |
959 | while(true){
960 | index=pcre.find("[^\\n]");
961 | if(index==std::string::npos){
962 | break;
963 | }else{
964 | pcre.replace(index,5,"[a-z]");
965 | if(verbose){
966 | printf("INFO: replaced [^\\n] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
967 | }
968 | }
969 | }
970 |
971 | while(true){
972 | index=pcre.find("[^\\r\\n]");
973 | if(index==std::string::npos){
974 | break;
975 | }else{
976 | pcre.replace(index,7,"[a-z]");
977 | if(verbose){
978 | printf("INFO: replaced [^\\r\\n] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
979 | }
980 | }
981 | }
982 | // while(true){
983 | // index=pcre.find("[^\\0A\\0D]");
984 | // if(index==std::string::npos){
985 | // break;
986 | // }else{
987 | // pcre.replace(index,9,"[a-z]");
988 | // if(verbose){
989 | // printf("INFO: replaced [^\\0A\\0D] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
990 | // }
991 | // }
992 | // }
993 | // while(true){
994 | // index=pcre.find("[^\\x26\\x3B]");
995 | // if(index==std::string::npos){
996 | // break;
997 | // }else{
998 | // pcre.replace(index,11,"[a-z]");
999 | // if(verbose){
1000 | // printf("INFO: replaced [^\\x26\\x3B] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
1001 | // }
1002 | // }
1003 | // }
1004 | while(true){
1005 | index=pcre.find("[^\\x2f]");
1006 | if(index==std::string::npos){
1007 | break;
1008 | }else{
1009 | pcre.replace(index,7,"[a-z]");
1010 | if(verbose){
1011 | printf("INFO: replaced [^\\x2f] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
1012 | }
1013 | }
1014 | }
1015 | // while(true){
1016 | // index=pcre.find("[^\\s\\x26\\x3B\\x2f]");
1017 | // if(index==std::string::npos){
1018 | // break;
1019 | // }else{
1020 | // pcre.replace(index,17,"[a-z]");
1021 | // if(verbose){
1022 | // printf("INFO: replaced [^\\s\\x26\\x3B\\x2f] with [a-z] in pcre before generation. sid:%s\n",sid.c_str());
1023 | // }
1024 | // }
1025 | // }
1026 |
1027 | return pcre;
1028 | }
1029 | /**
1030 | * generate string from given pcre (with external command)
1031 | */
1032 | std::string generateStringFromPCRE(std::string pcreString){
1033 | //pcre payload generation with the help of an external perl script. This script MUST be present in the same folder as this executable file.
1034 | //this opens a shell and executes above command (or script), if script is not found a line is written and program continues
1035 | //hardcoded command name. Of course, this command must exist!!!
1036 | FILE *commandFile;
1037 | const int BUFSIZE = 1000;
1038 | char buf[ BUFSIZE ]={0};//zero-initialised: if the command prints nothing, the payload becomes "" instead of stack garbage
1039 | std::string command="exrex -r ";
1040 | std::string popenCommand=command+pcreString;
1041 | if(verbose){
1042 | printf("INFO: Command for pcre string generation: %s\n",popenCommand.c_str());
1043 | }
1044 | commandFile = popen( popenCommand.c_str(), "r" );
1045 | if ( commandFile == NULL ) {
1046 | fprintf( stderr, "Could not execute command %s to generate regex payload.\n",popenCommand.c_str() );
1047 | exit(-1);
1048 | }
1049 | //write result to buf
1050 | while( fgets( buf, BUFSIZE, commandFile )) {
1051 | //fprintf( stdout, "%s", buf );
1052 | }
1053 | std::string pcrePayload=buf;
1054 | pclose( commandFile );
1055 | return pcrePayload;
1056 | }
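The pattern reaches `exrex` through `popen()`, i.e. through /bin/sh, and the double quotes the caller adds later (`pcreString="\""+pcreString+"\""`) do not stop the shell from expanding `$(...)`, backticks or `$VAR` that happen to appear in a rule file. As an added example that is not part of idsEventGenerator.cpp, the following runs the generator through fork()/execvp() with the pattern as a single argv element, so no shell ever sees it; `runCommandCapture`, `lastLine` and `generateStringFromPCRENoShell` are names chosen here, and `exrex` on PATH is assumed as in the original.

```cpp
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Result of running one external program without a shell (added example, not project code).
struct CommandResult {
    std::string output;   // everything the child wrote to stdout
    int exitStatus;       // child's exit code; 127 if exec failed, -1 if it could not be started
};

// Runs argv[0] via fork()+execvp() and captures its stdout. No shell is involved, so every
// argument reaches the program byte-for-byte: "$(...)", backticks, ';' and '|' inside a
// rule's pcre are plain characters here, unlike with popen("exrex -r \"" + pcre + "\"").
CommandResult runCommandCapture(const std::vector<std::string>& argv) {
    CommandResult res{"", -1};
    if (argv.empty()) return res;

    int fds[2];
    if (pipe(fds) != 0) return res;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return res; }

    if (pid == 0) {
        // child: route stdout into the pipe, then exec the program directly
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        std::vector<char*> cargv;
        for (const std::string& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed (e.g. exrex is not installed)
    }

    // parent: read until the child closes its end of the pipe, then collect its status
    close(fds[1]);
    char buf[4096];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) res.output.append(buf, static_cast<size_t>(n));
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) res.exitStatus = WEXITSTATUS(status);
    return res;
}

// Keeps only the last line of a program's output, without its line terminator. This mirrors
// the fgets() loop in generateStringFromPCRE(), which also ends up holding the last line read.
std::string lastLine(std::string out) {
    while (!out.empty() && (out.back() == '\n' || out.back() == '\r')) out.pop_back();
    std::string::size_type nl = out.find_last_of('\n');
    return nl == std::string::npos ? out : out.substr(nl + 1);
}

// Shell-free counterpart of generateStringFromPCRE(): the pcre travels as one argv element,
// so the caller must NOT wrap it in quotes any more. Returns "" when exrex is missing or
// rejects the pattern, which the caller already treats as a warning condition.
std::string generateStringFromPCRENoShell(const std::string& pcre) {
    CommandResult r = runCommandCapture({"exrex", "-r", pcre});
    if (r.exitStatus != 0) return "";
    return lastLine(r.output);
}
```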
1057 | /**
1058 | * sends an HTTP request to the given host containing the pattern(s) of the given rule
1059 | */
1060 | void sendRulePacket(snortRule* rule, std::string host,bool verbose){
1061 | //initialize all stuff needed for sending packets with curl
1062 | //NOTE:it would be much more performant to give this method a handle, but libcurl resends cookies from the last http request!!! This was the only option found. And in the end its not really slower...
1063 | curl_global_init(CURL_GLOBAL_ALL);
1064 | CURL *handle;
1065 | //using easy interface, no need for simultaneous transfers
1066 | handle = curl_easy_init();
1067 | CURLcode result;
1068 | std::string hostUri="";
1069 | std::string cookies="";
1070 | //we generally add 6 chars to the client body because
1071 | //Snort does not do any pattern matching if there are less than 6 chars
1072 | std::string clientBody="12345";
1073 | //list for custom headers, here we put the sid number to correlate the request with a rule and additional http_header fields
1074 | struct curl_slist *header=NULL;
1075 | long httpResponseCode=0;
1076 | std::string pcrePayload;
1077 |
1078 |
1079 | if(verbose){
1080 | fprintf(stdout,"\n--------------------------------------------------------\n");
1081 | fprintf(stdout,"INFO: Starting to generate packet # %d, for ruleSid %s\n", packetCounter, rule->body.sid.c_str());
1082 | fprintf(stdout,"--------------------------------------------------------\n");
1083 | }
1084 | //reset everything, necessary because curl remembers last cookie and sends it again
1085 | //curl_easy_reset(handle);
1086 | //with the following curl reports an error for every fail message of the server e.g. 404, 403 but not 100...
1087 | //curl_easy_setopt (handle, CURLOPT_FAILONERROR, 1L);
1088 | //tell curl to use custom function to handle return data instead of writing it to stdout
1089 | curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_data);
1090 | //use http protocol, is default anyway so just to make sure
1091 | curl_easy_setopt(handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP);
1092 | //set http GET as default method, will be changed in case, this is necessary when using CURLOPT_CUSTOMREQUEST
1093 | curl_easy_setopt(handle, CURLOPT_CUSTOMREQUEST, NULL);
1094 | curl_easy_setopt(handle, CURLOPT_HTTPGET, 1L);
1095 | //remove Accept: */* header which libcurl sets by default
1096 | header=curl_slist_append(header,"Accept:");
1097 | //remove Content-Type header which libcurl sets by default for POST request, and which makes good sense but is not mandatory. It can still be added by a rule later on.
1098 | header=curl_slist_append(header,"Content-Type:");
1099 | //libcurl also adds the Expect header, removing that header leads to not receiving a response for ages. And there is no rule saying content:!"Expect http_header
1100 |
1101 | for(int j=0;j<rule->body.content.size();j++){
1102 | if(rule->body.negatedContent.at(j)){
1103 | //skip content because content is negated (and hope it is not generated by accident(or random) before)
1104 | }else{
1105 | switch(rule->body.contentModifierHTTP.at(j)){
1106 | case 1:{//http_method
1107 | if(rule->body.content[j]=="GET"){
1108 | curl_easy_setopt(handle, CURLOPT_HTTPGET, 1L);
1109 | }else if(rule->body.content[j]=="POST"){
1110 | curl_easy_setopt(handle, CURLOPT_POST, 1L);
1111 | //for everything else use the given method string
1112 | }else{
1113 | curl_easy_setopt(handle, CURLOPT_CUSTOMREQUEST, rule->body.content[j].c_str());
1114 | }
1115 | break;
1116 | }
1117 | case 2://http_uri
1118 | case 3://http_raw_uri
1119 | if(rule->body.content[j].find("//")!=std::string::npos){
1120 | fprintf(stderr,"WARNING: The HTTP uri used for this rule contains multiple slashes. Make sure that your IDS config does not normalize them. sid: %s\n",rule->body.sid.c_str());
1121 | }
1122 | {hostUri=hostUri+rule->body.content[j];
1123 | break;
1124 | }
1125 | case 6://header
1126 | case 7://raw_header
1127 | {header=curl_slist_append(header, sanitizeHeader(rule->body.content[j],rule->body.sid).c_str());
1128 | break;
1129 | }
1130 | case 4://http_stat_msg
1131 | case 5:
1132 | {fprintf(stderr,"Error: Can not control server responses, please remove this rule (sid: %s)\n",rule->body.sid.c_str());
1133 | if(continueOnError==0){
1134 | exit(0);
1135 | }
1136 | break;
1137 | }
1138 | case 8: //client_body. This possibly adds a body also to GET requests, which is not illegal but useless because server is not allowed to interpret it.
1139 | //remove \n and \r from string
1140 | {clientBody=clientBody+(removeCRLF(rule->body.content[j],rule->body.sid));
1141 | break;
1142 | }
1143 | case 9://cookie
1144 | case 10://raw_cookie
1145 | {//this way it only copies the value from the rule, meaning it might not always result in a name=value pair.
1146 | //this is still legal and accepted by servers.
1147 | cookies=cookies+rule->body.content[j];
1148 | break;
1149 | }
1150 | default:{
1151 | fprintf(stderr,"HTTP content modifier unsupported! Aborting\n");
1152 | exit(0);
1153 | }
1154 |
1155 | }
1156 | }
1157 | }
1158 | for(int k=0;k<rule->body.pcre.size();k++){
1159 | if(rule->body.negatedPcre.at(k)==true){
1160 | //skip pcre because pcre is negated (and hope it is not generated by accident before)
1161 | }else{
1162 | //we dont have to care about nocasePcre because chars will be generated exactly how given in pcre...
1163 | std::string pcreString=rule->body.pcre.at(k);
1164 | //remove newline chars in pcre, fgets only reads one line and in most of our cases they are useless anyway
1165 | std::string::size_type at=0;
1166 | std::string crlf="\\r\\n";
1167 | while (true){
1168 | at=pcreString.find(crlf,at);
1169 | if(at!= std::string::npos){
1170 | //do not remove \r\n if it is negated
1171 | if(pcreString.at(at-1)!='^'){
1172 | pcreString.erase(at, crlf.length());
1173 | fprintf(stderr,"WARNING: Removed \\r\\n in pcre for rule sid:%s\n",rule->body.sid.c_str());
1174 | }else{
1175 | at=at+crlf.length();
1176 | }
1177 | }else{
1178 | break;
1179 | }
1180 |
1181 | }
1182 | //replace non-supported signs and replace stuff that makes problems with equivalent save stuff
1183 | pcreString=sanitizePCRE(pcreString, rule->body.sid);
1184 |
1185 | //search for unsupported character classes and warn
1186 | if(pcreString.find("\\C")!=std::string::npos||pcreString.find("\\D")!=std::string::npos||pcreString.find("\\h")!=std::string::npos
1187 | ||pcreString.find("\\H")!=std::string::npos||pcreString.find("\\N")!=std::string::npos||pcreString.find("\\p")!=std::string::npos
1188 | ||pcreString.find("\\R")!=std::string::npos||pcreString.find("\\S")!=std::string::npos||pcreString.find("\\v")!=std::string::npos
1189 | ||pcreString.find("\\V")!=std::string::npos||pcreString.find("\\w")!=std::string::npos||pcreString.find("\\W")!=std::string::npos
1190 | ||pcreString.find("\\X")!=std::string::npos
1191 | ){
1192 | fprintf(stderr,"WARNING: The pcre in this rule contains one of the not supported character classes: \\C, \\D, \\h, \\H, \\N, \\p, \\P, \\R, \\S, \\v, \\V, \\w, \\W, \\X. sid:%s\n",rule->body.sid.c_str());
1193 |
1194 | }
1195 |
1196 | //search for unsupported quantifiers and warn
1197 | if(pcreString.find("?+")!=std::string::npos||pcreString.find("??")!=std::string::npos||pcreString.find("*+")!=std::string::npos
1198 | ||pcreString.find("++")!=std::string::npos
1199 | ){
1200 | fprintf(stderr,"WARNING: The pcre in this rule contains one of the not supported quantifiers: ?+, ??, *+, ++. sid:%s\n",rule->body.sid.c_str());
1201 |
1202 | }
1203 |
1204 | //quote it, if not shell will expand this to nasty stuff
1205 | pcreString="\""+pcreString+"\"";
1206 | //is it ok if whitespaces occur in uri pcres? -->yes it seems so...
1207 | if((pcreString.find(' ')!=std::string::npos)&&(rule->body.contentModifierHTTP.at(rule->body.content.size()+k)!=2)){
1208 | fprintf(stderr,"WARNING: non-encoded whitespace in non-uri pcre in rule with sid:%s. Could lead to problems with pcre generation engine.\n",rule->body.sid.c_str());
1209 | }
1210 | //go!
1211 | pcrePayload=generateStringFromPCRE(pcreString);
1212 |
1213 | if(pcrePayload==""){
1214 | fprintf(stderr,"WARNING: pcre engine produced empty pcre for pcre:%s, rule sid:%s\n",pcreString.c_str(),rule->body.sid.c_str());
1215 | }
1216 | //strange newlines are introduced, remove them
1217 | pcrePayload.erase(std::remove(pcrePayload.begin(), pcrePayload.end(), '\n'), pcrePayload.end());
1218 | pcrePayload.erase(std::remove(pcrePayload.begin(), pcrePayload.end(), '\r'), pcrePayload.end());
1219 | //libcurl does not like # sign, remove it:
1220 | pcrePayload.erase(std::remove(pcrePayload.begin(), pcrePayload.end(), '#'), pcrePayload.end());
1221 |
1222 |
1223 | switch(rule->body.contentModifierHTTP.at(rule->body.content.size()+k)){
1224 | case 1:{//http_method
1225 | if(pcrePayload=="GET"){
1226 | curl_easy_setopt(handle, CURLOPT_HTTPGET, 1L);
1227 | }else if(pcrePayload=="POST"){
1228 | curl_easy_setopt(handle, CURLOPT_POST, 1L);
1229 | //for everything else use the given method string
1230 | }else{
1231 | curl_easy_setopt(handle, CURLOPT_CUSTOMREQUEST, pcrePayload.c_str());
1232 | }
1233 | break;
1234 | }
1235 | case 2://http_uri
1236 | case 3://http_raw_uri
1237 | {
1238 |
1239 | if(pcrePayload.find("//")!=std::string::npos){
1240 | fprintf(stderr,"WARNING: The pcre HTTP uri used for this rule contains multiple slashes. Make sure that your IDS config does not normalize them. sid: %s\n",rule->body.sid.c_str());
1241 | }
1242 | //check for whitespace, if at least one found, replace them all with +, which is http conform and while ' ' in uri is not...
1243 | for(uint32_t i=0;i<pcrePayload.size();i++){
    | if(pcrePayload.at(i)==' '){
    | pcrePayload.at(i)='+';
    | }
    | }
    | //[remainder of original lines 1243-1255 lost in extraction; by analogy with the content loop above, the generated uri is appended to hostUri here. Surviving fragment of line 1255:] body.sid).c_str());
1256 | break;
1257 | }
1258 | case 4://http_stat_msg
1259 | case 5://http_stat_code
1260 | {fprintf(stderr,"Error: can not control server responses, please remove this rule (sid: %s)\n",rule->body.sid.c_str());
1261 | if(continueOnError==0){
1262 | exit(0);
1263 | }
1265 | break;
1266 | }
1267 | case 8://client_body. This possibly adds a body also to GET requests, which is not illegal but useless because server is not allowed to interpret it.
1268 | //it is not useless for our purposes!!
1269 | {clientBody=clientBody+pcrePayload;
1270 | break;
1271 | }
1272 | case 9://cookie
1273 | case 10://raw_cookie
1274 | {//this way it only copies the value from the rule, meaning it might not always result in a name=value pair.
1275 | //this is still legal and accepted by servers.
1276 | cookies=cookies+pcrePayload;
1277 | break;
1278 | }
1279 | default:{
1280 | fprintf(stderr,"PCRE content modifier unsupported! Aborting\n");
1281 | exit(0);
1282 | }
1283 | }//switch
1284 | //}
1285 | }
1286 | }
1287 | //check uri for unsafe and unwise characters rfc-1738, rfc-2396
1288 | // * Hmm, this should probably be done during parsing, and not before sending...
1289 | checkUri(hostUri,rule->body.sid.c_str());
1290 | if(hostUri!=""){
1291 | //put one slash at beginning if there is none
1292 | if(hostUri.at(0)!='/'){
1293 | hostUri.insert(0,"/");
1294 | }
1295 | }
1296 | //prepend host to uri as libcurl does not
1297 | hostUri.insert(0,host);
1298 | //set cookies
1299 | if(cookies!=""){
1300 | curl_easy_setopt(handle, CURLOPT_COOKIE, cookies.c_str());
1301 | }
1302 | std::string content="Rulesid: ";
1303 | content=content+rule->body.sid.c_str();
1304 | //add custom headers from above NOTE: do not append crlf at the end, is done automatically
1305 | header=curl_slist_append(header, content.c_str());
1306 | //set custom set of headers from list above
1307 | curl_easy_setopt(handle, CURLOPT_HTTPHEADER, header);
1308 | //tell curl which host and uri to use
1309 | curl_easy_setopt(handle, CURLOPT_URL, hostUri.c_str());
1310 | //add client body, if set
1311 | if(clientBody!="12345"){
1312 | curl_easy_setopt(handle, CURLOPT_POSTFIELDS, clientBody.c_str());
1313 | }
1314 | if(verbose){
1315 | curl_easy_setopt(handle, CURLOPT_VERBOSE, 1L);
1316 | }
1317 | //set request timeout in secs
1318 | curl_easy_setopt(handle, CURLOPT_TIMEOUT, 3L);//libcurl expects a long here
1319 | //do it!
1320 | result=curl_easy_perform(handle);
1321 | if(result != CURLE_OK){
1322 | fprintf(stderr, "curl_easy_perform() failed for packet from rule sid %s, with url %s, with error: %s.\n",rule->body.sid.c_str(),hostUri.c_str(), curl_easy_strerror(result));
1323 | }
1324 | //curl_easy_getinfo (handle, CURLINFO_RESPONSE_CODE, &httpResponseCode);
1325 | long usedPort;
1326 | result = curl_easy_getinfo(handle, CURLINFO_LOCAL_PORT, &usedPort);
1327 | if(result==CURLE_OK) {
1328 | printf("Local port used for this request: %ld\n", usedPort);
1329 | }else{
1330 | printf("Failure in getting local port\n");
1331 | }
1332 | curl_easy_cleanup(handle);
    | curl_slist_free_all(header);//free the custom header list built above, otherwise it leaks once per packet
1333 | packetCounter++;
1334 | }
1335 |
1336 | /**
1337 | * prints usage message
1338 | */
1339 | void usage(std::string progName){
1340 | std::cerr << "Usage: " << progName << " -f <filename> [option]\n"
1341 | << "where filename is a file containing snort rules\n"
1342 | << "Options:\n"
1343 | << "\t-f,--file\t\tPath to file with rules\n"
1344 | << "\t-h,--help\t\tShow this help message\n"
1345 | << "\t-r,--response\t\tPrint response from server (requires -s)\n"
1346 | << "\t-s,--server\t\tSpecify the hostname or ip where crafted packets should be sent to, if not set no packets will be sent\n"
1347 | << "\t-p,--print\t\tPrint rules parsed from file\n"
1348 | << "\t-v,--verbose\t\tBe verbose when sending packets\n"
1349 | << "\t-c,--continue\t\tContinue on errors (also fatal ones). Discouraged, this has undefined behavior!\n"
1350 | << std::endl;
1351 | }
1352 |
1353 | int main (int argc, char* argv[]) {
1354 | std::string line, readFile, host;
1355 | bool ruleFileSet=false;
1356 | bool printRules=false;
1357 | bool sendPackets=false;
1358 | bool pushRule=true;
1359 |
1360 | int linecounter=0,index=0,iarg=0;
1361 | snortRule tempRule;
1362 | std::size_t alertPosition;
1363 | std::size_t contentPosition;
1364 | std::size_t pcrePosition;
1365 |
1366 | std::vector<snortRule> parsedRules;
1367 |
1368 | //hardly any rule will use more than 15 content keywords
1369 | tempRule.body.content.reserve(VECTORRESERVE);
1370 | tempRule.body.contentOriginal.reserve(VECTORRESERVE);
1371 | tempRule.body.containsHex.reserve(VECTORRESERVE);
1372 | tempRule.body.negatedContent.reserve(VECTORRESERVE);
1373 | tempRule.body.contentModifierHTTP.reserve(VECTORRESERVE);
1374 | tempRule.body.pcre.reserve(VECTORRESERVE);
1375 | tempRule.body.negatedPcre.reserve(VECTORRESERVE);
1376 | tempRule.body.pcreNocase.reserve(VECTORRESERVE);
1377 | //disable buffering on stdout:
1378 | setbuf(stdout, NULL);
1379 |
1380 | // Check the number of parameters
1381 | if (argc <= 1) {
1382 | fprintf(stderr,"Too few arguments\n");
1383 | usage(argv[0]);
1384 | exit(1); //usage error: exit non-zero so calling scripts can detect it
1385 | }
1386 |
1387 | //go through arguments
1388 | while(1){
1389 | const struct option longOptions[]={
1390 | {"print", no_argument, 0, 'p'},
1391 | {"help", no_argument, 0, 'h'},
1392 | {"response", no_argument, 0, 'r'},
1393 | {"verbose", no_argument, 0, 'v'},
1394 | {"continue", no_argument, 0, 'c'},
1395 | {"server", required_argument, 0, 's'},
1396 | {"file", required_argument, 0, 'f'},
1397 | {0, 0, 0, 0},
1398 | };
1399 | iarg = getopt_long_only(argc, argv, "s:f:prhvc", longOptions, &index);
1400 | if (iarg == -1){
1401 | break;}
1402 | switch (iarg){
1403 | case 'h':
1404 | usage(argv[0]);
1405 | exit(0); //help was requested explicitly, this is not an error
1406 | case 'p':
1407 | printRules=true;
1408 | std::cout << "Configured to print parsed rules\n";
1409 | break;
1410 | case 'c':
1411 | continueOnError=true;
1412 | std::cout << "Configured to continue on error. Discouraged, this has undefined behavior!!\n";
1413 | break;
1414 | case 'v':
1415 | verbose=true;
1416 | std::cout << "Configured with verbose output\n";
1417 | break;
1418 | case 'r':
1419 | printResponse=true;
1420 | std::cout << "Configured to print response from server\n";
1421 | break;
1422 | case 'f':
1423 | readFile=optarg;
1424 | ruleFileSet=true;
1425 | std::cout << "Configured to read from file: "<< readFile <<"\n";
1426 | break;
1427 | case 's':
1428 | host=optarg;
1429 | sendPackets=true;
1430 | std::cout << "Configured to send packets to host: "<< host <<"\n";
1431 | break;
1432 | case '?':
1433 | // getopt_long_only returns '?' for an ambiguous match or an extraneous parameter
1434 | //ignore it
1435 | break;
1436 | default:
1437 | fprintf(stderr,"unrecognized argument: %c\n",iarg); //iarg is the option char; optarg is a char* (possibly NULL) and must not be passed to %c
1438 | usage(argv[0]);
1439 | exit(1);
1440 | }
1441 |
1442 | }
1443 |
1444 | if(ruleFileSet==false){ //-f is mandatory
1445 | usage(argv[0]);
1446 | exit(1); //missing mandatory argument: exit non-zero
1447 | }
1448 |
1449 | std::ifstream ruleFile (readFile.c_str());
1450 | if (ruleFile.is_open()){
1451 | //one line is one snort rule
1452 | while ( getline (ruleFile,line) ){
1453 | pushRule=true;
1454 | linecounter++;
1455 | //check if rule is a comment, if yes-> ignore
1456 | if(line.substr(0,1)!="#"){
1457 | //only alert rules that contain a content or pcre keyword are of interest; almost all rules have one
1458 | alertPosition=line.substr(0,6).find("alert");
1459 | contentPosition=line.find("content:");
1460 | pcrePosition=line.find("pcre:");
1461 | //sort out rules that we are not interested in
1462 | if(alertPosition==std::string::npos){
1463 | fprintf(stdout,"WARNING: Rule in line number %d, does not contain alert keyword. Ignored\n",linecounter);
1464 | //the following check inherently also checks for uricontent: keyword
1465 | }else if((contentPosition==std::string::npos)&&(pcrePosition==std::string::npos)){
1466 | fprintf(stdout,"WARNING: Rule in line number %d, does not contain content or pcre keyword. Ignored\n",linecounter);
1467 | }else if(line.find("flowbits:")!=std::string::npos||line.find("distance:")!=std::string::npos||line.find("within:")!=std::string::npos||line.find("offset:")!=std::string::npos||line.find("depth:")!=std::string::npos){
1468 | fprintf(stdout,"WARNING: Rule in line number %d, contains keyword for byte ranges (flowbits,distance,within,depth,offset) which is not supported. Ignored\n",linecounter);
1469 | }else if(line.find("dce_")!=std::string::npos||line.find("threshold:")!=std::string::npos||line.find("urilen:")!=std::string::npos||
1470 | line.find("detectionfilter")!=std::string::npos){
1471 | fprintf(stdout,"WARNING: Rule in line number %d, contains one of the following not supported keywords: dce_*, threshold:, urilen:, detectionfilter. Ignored\n",linecounter);
1472 | }else if(line.find("from_server")!=std::string::npos||line.find("to_client")!=std::string::npos){
1473 | fprintf(stdout,"WARNING: Rule looks for packet coming from server ('from_server' or 'to_client' keyword). Cannot control server responses. Rule ignored in line: %d\n",linecounter);
1474 | }else if(line.find("content: ")!=std::string::npos){
1475 | fprintf(stdout,"WARNING: Content pattern does not start immediately after content keyword. I don't like that. Fix it. Rule ignored in line: %d\n",linecounter);
1476 |
1477 | }else{
1478 | //parse sid first, so we can print this info in error msgs
1479 | parseSid(&line, &linecounter,&tempRule);
1480 | parseHeader(&line,&linecounter,&tempRule);
1481 | parseMsg(&line,&linecounter,&tempRule);
1482 |
1483 | //it might contain no content (just pcre), then skip parseContent
1484 | if(contentPosition!=std::string::npos){
1485 | //if uricontent, skip next test because no http_ is intended; the bounds check keeps contentPosition-3 from wrapping below zero
1486 | if(contentPosition<3 || line.substr(contentPosition-3,3)!="uri"){
1487 | if(line.find("http_")==std::string::npos){
1488 | fprintf(stdout,"WARNING: Rule in line number %d contains content keyword but no http_ content modifier. Content part ignored\n", linecounter);
1489 | }
1490 | }
1491 | parseContent(&line, &linecounter,&tempRule);
1492 | parseContentModifier(&line, &linecounter,&tempRule);
1493 | }
1494 | if(pcrePosition!=std::string::npos){
1495 | parsePcre(&line, &linecounter,&tempRule);
1496 | }
1497 |
1498 | //do not allow rules which have no http_ content modifier
1499 | for (unsigned long i = 0; i < tempRule.body.content.size();i++) {
1500 | if (tempRule.body.contentModifierHTTP[i] == 0) {
1501 | pushRule = false;
1502 | fprintf(stdout,"WARNING: Rule with sid:%s in line number %d, contains at least one content without http_* content modifier. Ignored\n", tempRule.body.sid.c_str(), linecounter);
1503 | }
1504 | }
1505 |
1506 | if(continueOnError==false){
1507 | //before pushing rule, check if it makes sense. this will exit() if it fails.
1508 | plausabilityCheck(&tempRule,&linecounter);
1509 | }
1510 | if (pushRule) {
1511 | parsedRules.push_back(tempRule);
1512 | }
1513 | }
1514 | }
1515 | tempRule.body.containsHex.clear();
1516 | tempRule.body.content.clear();
1517 | tempRule.body.negatedContent.clear();
1518 | tempRule.body.contentOriginal.clear();
1519 | tempRule.body.contentModifierHTTP.clear();
1520 | tempRule.body.contentNocase.clear();
1521 | tempRule.body.pcre.clear();
1522 | tempRule.body.negatedPcre.clear();
1523 | tempRule.body.pcreNocase.clear();
1524 | tempRule.body.msg.clear();
1525 | tempRule.body.rev.clear();
1526 | tempRule.body.sid.clear();
1527 | }
1528 | ruleFile.close();
1529 | }else{
1530 | fprintf(stderr,"Unable to open rule file %s\n", readFile.c_str());
1531 | exit(1); //cannot continue without rules: exit non-zero
1532 | }
1533 | std::cout << parsedRules.size() << " rules successfully parsed\n";
1534 |
1535 | if(printRules){
1536 | for(unsigned long i=0;i