}
if (isset($_POST['substringLength']) && !empty($_POST['substringLength'])) {
    $substringLength = $_POST['substringLength'];
}
if (isset($_POST['alertName']) && !empty($_POST['alertName'])) {
    $alertName = $_POST['alertName'];
}
if (isset($_POST['snortFile']) && !empty($_POST['snortFile'])) {
    // note: the output path is taken straight from the POST body and is not
    // restricted to a rules directory, so whoever can reach this form chooses where the file is written
    $snortFile = $_POST['snortFile'];
    if (!file_exists($snortFile)) {
        // if the snort output file doesn't already exist, write out the header information
        $header = "#\n#---------------------------\n# Data Loss Prevention rules\n#---------------------------\n";
        writeToFile($snortFile, $header);
    }
}

echo "<h2>Selected substring:</h2>";
$substring = selectSubstring($useRepository, $repositoryLocations, genHistogram($inputText), $inputText, $substringLength);
echo "\"{$substring}\""; // substring is echoed into the page without HTML escaping

echo "<h2>Regex:</h2>";
echo createRegex($substring);

echo "<h2>Snort rule:</h2>";
$rule = createSnortRule(getNextsid($snortFile), $alertName, $substring);
echo "{$rule}<br><br>";

if ($snortFile != "") {
    // if snortFile was passed, write the rule out to the snort file
    writeToFile($snortFile, $rule);
    echo "Snort rule written to {$snortFile}<br><br>";
}
?>
</body>
</html>
// regenerate the rule for an existing database row ($row, $id, $count and $sid come from the caller)
switch ($scoringMethod) {
    case "histogram":
        $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, $count + 1);
        break;
    case "modifiedhist":
        //$substring = selectSubstringModifiedHistogram(genHistogram($inputText), $inputText, $substringLength);
        break;
    case "multipleRandSamples":
        break;
    case "random":
        //$substring = selectSubstringRandom($inputText, $substringLength);
        break;
    default:
        $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, $count + 1);
}

$rule = createSnortRule($sid, $row['path'] . "/" . $row['file_name'], $substring);
$regex = createRegex($substring);
if ($snortFile != "") {
    writeToFile($snortFile, $rule);
    //echo "Snort rule written to $snortFile<br><br>";
}

// update the rule, regex and count for the rule
include "dbconnect.php";
$rule = mysql_real_escape_string($rule);
$regex = mysql_real_escape_string($regex);
// note: $id and $count are interpolated into the query without escaping or casting;
// both must already be integers, otherwise the WHERE clause can be altered
$query = "UPDATE rules SET rule='{$rule}', regex='{$regex}', count=" . ($count + 1) . " WHERE rule_id={$id}";
mysql_query($query);
include "dbclose.php";

// rewrites the rules file with all the rules currently in the db
rewriteRulesFile();

if (isset($_SERVER['HTTP_REFERER'])) {
/**
 * Process an individual filepath.
 *
 * Type = 1 for individual processed files, 2 for files processed from a folder crawl.
 *
 * @param $type - allows this function to use individual files (1) or files processed from a folder crawl (2)
 * @param $path - the local mounted directory ("/mnt/share")
 * @param $netPath - the actual network directory
 * @param $scoringMethod - scoring technique used (i.e. histogram, random, etc.)
 * @param $substringLength - from the config table
 * @param $snortFile - from the config table
 */
function processFile($type, $path, $netPath, $scoringMethod, $substringLength, $snortFile)
{
    if (!fileAlreadyProcessed($path)) {
        $file = fopen($path, 'r') or die("processFile(): can't open {$path}");
        $substring = "";
        // the whole file is read into memory; large files on the share will cost as much RAM as they are long
        $inputText = fread($file, filesize($path));
        fclose($file);

        switch ($scoringMethod) {
            case "histogram":
                $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, 0);
                break;
            case "modifiedhist":
                //$substring = selectSubstringModifiedHistogram(genHistogram($inputText), $inputText, $substringLength);
                break;
            case "multipleRandSamples":
                break;
            case "random":
                //$substring = selectSubstringRandom($inputText, $substringLength);
                break;
            default:
                $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, 0);
        }

        if ($substring == "") {
            return; // if no unique substring is found, skip this file
        }

        $sid = getNextsid();
        $rule = createSnortRule($sid, $path, $substring);
        if ($snortFile != "") {
            // if snortFile was passed, write the rule out to the snort file
            writeToFile($snortFile, $rule);
        }

        // writes file to the database
        include "dbconnect.php";
        $parts = explode("/", $path); // get our path element parts
        $fileName = array_pop($parts);
        $path = implode("/", $parts); // rebuild our path
        $netPath = mysql_real_escape_string($netPath); // path name to be stored in the database
        $path = mysql_real_escape_string($path); // escaped but not used in the INSERT below; $netPath is stored instead
        $fileName = mysql_real_escape_string($fileName);
        $rule = mysql_real_escape_string($rule);
        $regex = mysql_real_escape_string(createRegex($substring));
        // note: $sid and $type are interpolated unquoted and unescaped; they must be integers
        $query = "INSERT INTO rules (file_name, path, rule, regex, count, sid, type) VALUES ('{$fileName}', '{$netPath}', '{$rule}', '{$regex}', 1, {$sid}, {$type})";
        mysql_query($query);
        include "dbclose.php";
    }
    return;
}
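The database writes above build their SQL by string interpolation: the text columns go through mysql_real_escape_string(), but the numeric values (rule_id, count, sid, type) are dropped into the query as-is, and the output file path comes from the client. The following is an added example, not the project's own code, showing the same INSERT and UPDATE done with mysqli prepared statements and the rule file confined to one directory. It assumes PHP 7.1 or later, a mysqli connection to the same rules table, and a rules directory (SNORT_RULE_DIR) that is an assumption of this example.

```php
<?php
// Added example (not the project's code): hardened counterparts of the
// database write in processFile(), the UPDATE used when a rule is regenerated,
// and the client-chosen snort file path.
// Assumptions: PHP >= 7.1, a mysqli connection $db to the same "rules" table
// (file_name, path, rule, regex, count, sid, type, rule_id), and an assumed
// directory SNORT_RULE_DIR under which rule files may be written.

const SNORT_RULE_DIR = '/etc/snort/rules/dlp'; // assumed location, adjust to the deployment

/**
 * Only allow the rule file to live directly under SNORT_RULE_DIR.
 * Rejects traversal ("../"), odd characters and symlinks pointing elsewhere,
 * so a client-supplied file name cannot make the tool write to arbitrary paths.
 */
function resolveSnortFile(string $requested): ?string
{
    $base = realpath(SNORT_RULE_DIR);
    if ($base === false) {
        return null;
    }
    // Keep only the file name component and require a .rules suffix
    $name = basename($requested);
    if ($name === '' || !preg_match('/^[A-Za-z0-9_.-]+\.rules$/', $name)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // If the file already exists, make sure it resolves back inside $base (no symlink escape)
    if (file_exists($candidate)) {
        $real = realpath($candidate);
        if ($real === false || dirname($real) !== $base) {
            return null;
        }
    }
    return $candidate;
}

/**
 * Insert a generated rule with a prepared statement, the counterpart of the
 * INSERT in processFile() (type 1 or 2) and of the manual-entry INSERT (type 3,
 * which stores no file name or path). Every value is bound, so no escaping call
 * is needed and the integer columns cannot carry SQL fragments.
 */
function insertRule(mysqli $db, ?string $fileName, ?string $netPath,
                    string $rule, string $regex, int $sid, int $type): int
{
    $stmt = $db->prepare(
        'INSERT INTO rules (file_name, path, rule, regex, count, sid, type) '
        . 'VALUES (?, ?, ?, ?, 1, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssssii', $fileName, $netPath, $rule, $regex, $sid, $type);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $newId = (int) $db->insert_id;
    $stmt->close();
    return $newId;
}

/**
 * Update an existing rule (the regeneration path): new rule text, regex and
 * count, keyed by rule_id. $id and $count are bound as integers instead of
 * being interpolated into the query string.
 */
function updateRule(mysqli $db, int $id, string $rule, string $regex, int $count): bool
{
    $stmt = $db->prepare('UPDATE rules SET rule = ?, regex = ?, count = ? WHERE rule_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssii', $rule, $regex, $count, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage sketch with constructed values (credentials and paths are placeholders):
// $db = new mysqli('localhost', 'dlp_user', 'PLACEHOLDER_PASSWORD', 'dlp');
// $target = resolveSnortFile($_POST['snortFile'] ?? 'dlp.rules');
// if ($target === null) { exit('rule file must be a .rules file inside ' . SNORT_RULE_DIR); }
// $ruleId = insertRule($db, 'payroll.xls', '//fileserver/finance', $rule, $regex, $sid, 2);
// updateRule($db, $ruleId, $rule, $regex, 2);
```

The path check deliberately takes basename() first and only then checks realpath(), because realpath() alone returns false for a not-yet-existing file and would otherwise let a new file be created anywhere the web server can write.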
// manual rule entry: both an alert name and the input text were supplied
if (isset($_POST['alertName']) && !empty($_POST['alertName'])
    && isset($_POST['inputText']) && !empty($_POST['inputText'])) {
    $alert = $_POST['alertName'];
    $input = $_POST['inputText'];
    $config = getConfig();
    $snortFile = $config['snortFile'];
    $substringLength = $config['substringLength'];
    /*
     * gets scoring method
     */
    if (isset($_POST['scoringMethod']) && !empty($_POST['scoringMethod'])) {
        $scoringMethod = $_POST['scoringMethod'];
    }
    $sid = getNextSid($snortFile);
    $regex = createRegex($input);
    if ($regex !== "/()/is") { // "/()/is" is what createRegex() returns for empty input
        $rule = createSnortRule($sid, $alert, $input);
        writeToFile($snortFile, $rule);
        include "includes/dbconnect.php";
        // note: $sid is escaped as a string but interpolated unquoted below; string escaping does not
        // protect a numeric position, so $sid must be an integer before it gets here
        $sid = mysql_real_escape_string($sid);
        $regex = mysql_real_escape_string($regex);
        $rule = mysql_real_escape_string($rule);
        $query = "INSERT INTO rules (rule, regex, count, sid, type) VALUES ('{$rule}', '{$regex}', 1, {$sid}, 3)";
        mysql_query($query);
        include "includes/dbclose.php";
    }
} else {
    // input text supplied without an alert name
    if ((!isset($_POST['alertName']) || empty($_POST['alertName']))
        && (isset($_POST['inputText']) && !empty($_POST['inputText']))) {
        $noAlert = true;
        $input = $_POST['inputText'];
    } else {
        // alert name supplied without input text
        if (isset($_POST['alertName']) && !empty($_POST['alertName'])
            && (!isset($_POST['inputText']) || empty($_POST['inputText']))) {