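/**
 * Build a Snort rule whose payload test is a PCRE generated from $inputText.
 *
 * @param int|string $sid        value for the sid: option, interpolated as given
 * @param string     $alertName  text for the msg: option; callers usually pass
 *                               the name of the input file
 * @param string     $inputText  text handed to createRegex() to build the pcre: option
 * @return string a single-line Snort rule
 */
function createSnortRule($sid, $alertName, $inputText)
{
    $regex = createRegex($inputText);
    // msg: is a double-quoted option value, so a bare ", ; or \ in the name
    // would end the string or the option early and corrupt this rule (and
    // possibly the rest of the rules file). Backslash-escape those characters.
    // $regex is used exactly as createRegex() returns it; that helper is
    // assumed to produce an option-safe PCRE (not visible here - confirm).
    $safeName = addcslashes($alertName, '\\";');
    $rule = "alert tcp \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"Possible detection of: {$safeName}\"; pcre:\"{$regex}\"; classtype:data-loss; sid:{$sid};)";
    return $rule;
}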
}
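// Optional overrides from the submitted form; only non-empty values replace
// whatever the surrounding script has already assigned to these variables.
if (!empty($_POST['substringLength'])) {
    $substringLength = $_POST['substringLength'];
}
if (!empty($_POST['alertName'])) {
    $alertName = $_POST['alertName'];
}
if (!empty($_POST['snortFile'])) {
    // NOTE(review): $snortFile is a client-supplied path that is handed to
    // file_exists() and writeToFile() below, i.e. the request chooses where
    // the rule is written. It should be checked against an allow-list of rule
    // files (or taken from the config table) before being used as a write target.
    $snortFile = $_POST['snortFile'];
    if (!file_exists($snortFile)) {
        // first write to a new rules file: emit the section header
        $header = "#\n#---------------------------\n# Data Loss Prevention rules\n#---------------------------\n";
        writeToFile($snortFile, $header);
    }
}
echo "<h2>Selected substring:</h2>";
$substring = selectSubstring($useRepository, $repositoryLocations, genHistogram($inputText), $inputText, $substringLength);
// The substring, regex and rule are derived from untrusted input text and the
// file name comes from the request, so everything echoed into the page is
// HTML-escaped. The unescaped $rule is what gets written to the rules file.
echo '"' . htmlspecialchars($substring, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
echo "<h2>Regex:</h2>";
echo htmlspecialchars(createRegex($substring), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "<h2>Snort rule:</h2>";
$rule = createSnortRule(getNextsid($snortFile), $alertName, $substring);
echo htmlspecialchars($rule, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br><br>";
if ($snortFile != "") {
    // a rules file was given: append the rule to it
    writeToFile($snortFile, $rule);
    echo "Snort rule written to " . htmlspecialchars($snortFile, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br><br>";
}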
?>
</body>
</html>
        break;
    case "random":
        $substring = selectSubstringRandom($inputText, $substringLength);
        break;
    default:
        $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, 0);
}
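// $substring is taken from untrusted input text; escape it before echoing it into the page
echo '"' . htmlspecialchars($substring, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
?>
			</div>
		  </div>
		  <div class="post">
				<h2 class="title">Regular Expression</h2>
				<div class="entry">
					<?php
// the generated regex embeds characters from the input text, so it is escaped for display as well
$regex = createRegex($substring);
echo htmlspecialchars($regex, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br><br>";
?>

			</div>
		  </div>
		  <div class="post">
				<h2 class="title">Snort Rule</h2>
				<div class="entry">
					<?php
// $rule itself stays unescaped because it is the text written out to the rules
// file; only the copy shown in the page is HTML-escaped
$rule = createSnortRule(getNextsid($snortFile), $fileName, $substring);
echo htmlspecialchars($rule, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br><br>";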
if ($snortFile != "") {
    //if snortFile was passed, write the rule out to the snort file
    writeToFile($snortFile, $rule);
    echo "Snort rule written to {$snortFile}<br><br>";
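/**
 * Process an individual filepath: pick a characteristic substring from the
 * file, turn it into a Snort rule, optionally append the rule to the rules
 * file, and record the rule in the `rules` table.
 *
 * Files that fileAlreadyProcessed() reports as done, and files for which no
 * substring is found, are skipped without touching the rules file or database.
 *
 * Type = 1 for individual processed files, 2 for files processed from a folder crawl.
 *
 * @param int    $type            1 for individual files, 2 for files from a folder crawl; stored in rules.type
 * @param string $path            the local mounted path of the file ("/mnt/share")
 * @param string $netPath         the actual network path; stored in rules.path
 * @param string $scoringMethod   scoring technique ("histogram", "modifiedhist",
 *                                "multipleRandSamples", "random"); only "histogram"
 *                                and the default currently select a substring,
 *                                the other cases are stubs
 * @param int    $substringLength from the config table
 * @param string $snortFile       from the config table; "" disables writing the rule out
 * @return void
 * @throws RuntimeException if the file cannot be read
 */
function processFile($type, $path, $netPath, $scoringMethod, $substringLength, $snortFile)
{
    if (fileAlreadyProcessed($path)) {
        return;
    }
    // file_get_contents() copes with empty files, whereas fread() with a
    // filesize() of 0 rejects the zero length on PHP 8
    $inputText = file_get_contents($path);
    if ($inputText === false) {
        throw new RuntimeException("processFile(): can't open {$path}");
    }
    $substring = "";
    switch ($scoringMethod) {
        case "histogram":
            $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, 0);
            break;
        case "modifiedhist":
            // not implemented yet (selectSubstringModifiedHistogram)
            break;
        case "multipleRandSamples":
            // not implemented yet
            break;
        case "random":
            // not implemented yet (selectSubstringRandom)
            break;
        default:
            $substring = selectSubstringHistogram(genHistogram($inputText), $inputText, $substringLength, 0);
    }
    if ((string) $substring === "") {
        // no unique substring found: skip this file
        return;
    }
    $sid = getNextsid();
    $rule = createSnortRule($sid, $path, $substring);
    if ((string) $snortFile !== "") {
        // a rules file is configured: append the rule to it
        writeToFile($snortFile, $rule);
    }
    // record the rule in the database; dbconnect.php / dbclose.php presumably
    // open and close the mysql link used by mysql_query() - confirm
    include "dbconnect.php";
    $parts = explode("/", $path);
    $fileName = array_pop($parts); // last path element is the file name
    // String columns are escaped for their quoted SQL context. sid and type are
    // interpolated unquoted, where escaping gives no protection, so they are
    // forced to integers instead.
    $fileName = mysql_real_escape_string($fileName);
    $netPath = mysql_real_escape_string($netPath);
    $rule = mysql_real_escape_string($rule);
    $regex = mysql_real_escape_string(createRegex($substring));
    $sid = (int) $sid;
    $type = (int) $type;
    $query = "INSERT INTO rules (file_name, path, rule, regex, count, sid, type) VALUES ('{$fileName}', '{$netPath}', '{$rule}', '{$regex}', 1, {$sid}, {$type})";
    mysql_query($query);
    include "dbclose.php";
}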
// Validation flags for the form handling that follows: $noAlert is raised when
// the alert name is missing; $noText presumably when the input text is missing.
$noAlert = $noText = false;
if (isset($_POST['alertName']) && !empty($_POST['alertName']) && isset($_POST['inputText']) && !empty($_POST['inputText'])) {
    $alert = $_POST['alertName'];
    $input = $_POST['inputText'];
    $config = getConfig();
    $snortFile = $config['snortFile'];
    $substringLength = $config['substringLength'];
    /*
     * gets scoring method
     */
    if (isset($_POST['scoringMethod']) && !empty($_POST['scoringMethod'])) {
        $scoringMethod = $_POST['scoringMethod'];
    }
    $sid = getNextSid($snortFile);
    $regex = createRegex($input);
    if ($regex !== "/()/is") {
        $rule = createSnortRule($sid, $alert, $input);
        writeToFile($snortFile, $rule);
        include "includes/dbconnect.php";
        $sid = mysql_real_escape_string($sid);
        $regex = mysql_real_escape_string($regex);
        $rule = mysql_real_escape_string($rule);
        $query = "INSERT INTO rules (rule, regex, count, sid, type) VALUES ('{$rule}', '{$regex}', 1, {$sid}, 3)";
        mysql_query($query);
        include "includes/dbclose.php";
    }
} else {
    if ((!isset($_POST['alertName']) || empty($_POST['alertName'])) && (isset($_POST['inputText']) && !empty($_POST['inputText']))) {
        $noAlert = true;
        $input = $_POST['inputText'];