/**
 * Export the given items as Snort rules.
 *
 * Sets the instance format to 'snort' and then delegates to the generic
 * NIDS export routine. The $format argument is forwarded to the parent
 * unchanged; how the parent reconciles $format with $this->format is not
 * visible here (NOTE(review): confirm in the parent class).
 *
 * @param mixed  $items    items to export, forwarded to parent::export() as-is
 * @param mixed  $startSid first signature id to assign, forwarded as-is
 * @param string $format   forwarded to parent::export()
 * @param bool   $continue forwarded to parent::export()
 * @return mixed whatever parent::export() returns
 */
public function export($items, $startSid, $format = "suricata", $continue = false)
{
    // This exporter always emits Snort-formatted output.
    $this->format = 'snort';

    $exported = parent::export($items, $startSid, $format, $continue);

    return $exported;
}
/**
 * Build an outgoing User-Agent rule for one attribute and append it to $this->rules.
 *
 * The whitelist check is evaluated on the raw attribute value; the value is
 * then passed through NidsExport::replaceIllegalChars() and only the
 * substituted form is embedded in the rule (both in the msg text and in the
 * content match), so a value containing rule-syntax characters cannot alter
 * the generated signature. The match uses the http_user_agent buffer with
 * fast_pattern, which the original author flags as Suricata-only.
 *
 * @param string $ruleFormat sprintf() template consuming, in order: whitelist
 *                           prefix, protocol, src net, src port, direction,
 *                           dst net, dst port, msg, content, tag, sid, rev
 * @param array  $attribute  attribute row; only $attribute['value'] is read
 * @param int    $sid        signature id stamped on the rule; taken by reference
 *                           but not modified here (presumably advanced by the
 *                           caller — verify against the export loop)
 * @return void
 */
public function userAgentRule($ruleFormat, $attribute, &$sid)
{
    // Whitelist decision is made on the untouched value, before substitution.
    $prefix = $this->checkWhitelist($attribute['value']) ? '#OVERRULED BY WHITELIST# ' : '';

    // Substitute chars not allowed in a rule before the value is embedded anywhere.
    $userAgent = NidsExport::replaceIllegalChars($attribute['value']);

    // warning: only suricata compatible (http_user_agent buffer)
    $content = sprintf(
        'flow:to_server,established; content:"%s"; fast_pattern; http_user_agent;',
        $userAgent
    );

    $fields = [
        $prefix,
        'http',
        '$HOME_NET',
        'any',
        '->',
        '$EXTERNAL_NET',
        'any',
        'Outgoing User-Agent: ' . $userAgent,
        $content,
        'tag:session,600,seconds;',
        $sid,
        1,
    ];

    $this->rules[] = sprintf($ruleFormat, ...$fields);
}