Adding updates to Snort keywords

emptypockets304 · Jun 4, 2015 · 90ae38c · 90ae38c
1 parent 21dc38d
commit 90ae38c
Showing 1 changed file with 90 additions and 80 deletions.
diff --git a/dumbpig.pl b/dumbpig.pl
@@ -213,84 +213,94 @@ sub usage{
 		############################################################
 		# If any of these are 0 post processing, the keyword is not in use.
 		my @censorKeywords=("pcre","content","uricontent","msg");
-		my @argless=("http_method",
-				"ftpbounce",
-				"file_data",
-				"nocase",
-				"rawbytes",
-				"dce_stub_data",
-				"fast_pattern",
-				"http_client_body",
-				"http_header",
-				"http_raw_cookie",
-				"http_raw_header",
-				"http_method",
-				"http_uri",
-				"http_stat_code",
-				"http_stat_msg",
-				"http_cookie");	# Some keywords don't take args, these are argless.
-
-
-		my %hkeywords =("msg" => 0,
-				"content" => 0,
-				"gid" => 0,
-				"sid" => 0,
-				"ttl" => 0,
-				"uricontent" => 0,
-				"pcre" => 0,
-				"flow" => 0,
-				"nocase" => 0,
-				"rev" => 0,
-				"reference" => 0,
-				"classtype" => 0,
-				"flowbits" => 0,
-				"threshold" => 0,
-				"offset" => 0,
-				"distance" => 0,
-				"within" => 0,
-				"offset" => 0,
-				"depth" => 0,
-				"dsize" => 0,
-				"byte_test" => 0,
-				"byte_jump" => 0,
-				"rawbytes" => 0,
-				"isdataat" => 0,
-				"ipopts" => 0,
-				"tag" => 0,
-				"itype" => 0,
-				"icode" => 0,
-				"flags" => 0,
-				"urilen" => 0,
-				"fragbits" => 0,
-				"fragoffset" => 0,
-				"seq" => 0,
-				"ack" => 0,
-				"window" => 0,
-				"id" => 0,
-				"ip_proto" => 0,
-				"metadata" => 0,
-				"priority" => 0,
-				"fwsam" => 0,
-				"asn1" => 0,
-				"http_client_body" => 0,
-				"http_cookie" => 0,
-				"dce_stub_data" => 0,
-				"dce_iface" => 0,
-				"dce_opnum" => 0,
-				"http_header" => 0,
-				"icmp_id" => 0,
-				"icmp_seq" => 0,
-				"fast_pattern" => 0,
-				"http_method" => 0,
-				"ftpbounce" => 0,
-				"http_encode" => 0,
-				"http_stat_code" => 0,
-				"http_stat_msg" => 0,
-                                "http_uri" => 0,
-                                "ssl_version" => 0,
-                                "ssl_state" => 0,
-				"detection_filter" => 0,
-				"file_data" => 0
+		my @argless=("base64_data",
+			    "dce_stub_data",
+                "fast_pattern",
+                "file_data",
+                "ftpbounce",
+                "http_client_body",
+                "http_cookie",
+                "http_header",
+                "http_method",
+                "http_method",
+                "http_raw_cookie",
+                "http_raw_header",
+                "http_raw_uri",
+                "http_stat_code",
+                "http_stat_msg",
+                "http_uri",
+                "nocase",
+                "pkt_data",
+                "rawbytes"); # Some keywords don't take args, these are argless.
+
+
+		my %hkeywords =("ack" => 0,
+                "asn1" => 0,
+                "base64_data" => 0,
+                "base64_decode" => 0,
+                "byte_extract" => 0,
+                "byte_jump" => 0,
+                "byte_test" => 0,
+                "classtype" => 0,
+                "content" => 0,
+                "dce_iface" => 0,
+                "dce_opnum" => 0,
+                "dce_stub_data" => 0,
+                "depth" => 0,
+                "detection_filter" => 0,
+                "distance" => 0,
+                "dsize" => 0,
+                "fast_pattern" => 0,
+                "file_data" => 0,
+                "flags" => 0,
+                "flow" => 0,
+                "flowbits" => 0,
+                "fragbits" => 0,
+                "fragoffset" => 0,
+                "ftpbounce" => 0,
+                "fwsam" => 0,
+                "gid" => 0,
+                "http_client_body" => 0,
+                "http_cookie" => 0,
+                "http_encode" => 0,
+                "http_header" => 0,
+                "http_method" => 0,
+                "http_raw_header" => 0,
+                "http_raw_uri" => 0,
+                "http_stat_code" => 0,
+                "http_stat_msg" => 0,
+                "http_uri" => 0,
+                "icmp_id" => 0,
+                "icmp_seq" => 0,
+                "icode" => 0,
+                "id" => 0,
+                "ip_proto" => 0,
+                "ipopts" => 0,
+                "isdataat" => 0,
+                "itype" => 0,
+                "metadata" => 0,
+                "msg" => 0,
+                "nocase" => 0,
+                "offset" => 0,
+                "offset" => 0,
+                "pcre" => 0,
+                "pkt_data" => 0,
+                "priority" => 0,
+                "rawbytes" => 0,
+                "reference" => 0,
+                "rev" => 0,
+                "seq" => 0,
+                "sid" => 0,
+                "ssl_state" => 0,
+                "ssl_version" => 0,
+                "stream_size" => 0,
+                "tag" => 0,
+                "threshold" => 0,
+                "ttl" => 0,
+                "uricontent" => 0,
+                "urilen" => 0,
+                "window" => 0,
+                "within" => 0
 				);
 
 		if ($verbose) {
@@ -485,7 +495,7 @@ sub usage{
 			# unknown keyword
 			if ( $unknown ) {
 				$fail++;
-				push (@reason, "- Unknown keyword \"$unknown\" found! Either \n A) you messed up\n B) This tool doesnt support that keyword - contact leon.ward\@sourcefire.com \n C) You are using reserved chars in your rule, HEX should be used for stuff like \" ?() etc \n Note that the decoded rule will NOT show this keyword, check the original rule line\n");
+				push (@reason, "- Unknown keyword \"$unknown\" found! Either \n A) you messed up\n B) This tool needs to add support for that keyword \n C) You are using reserved chars in your rule, HEX should be used for stuff like \" ?() etc \n Note that the decoded rule will NOT show this keyword, check the original rule line\n");
 			}
 		}
 
@@ -506,7 +516,7 @@ sub usage{
 			}
 
 			# IP rule without content, pcre or uricontent?
-			if ( "$proto" eq "ip" and not ($hkeywords{'content'} or $hkeywords{'uricontent'} or $hkeywords{'pcre'} or $hkeywords{'ip_proto'})) {
+			if ( "$proto" eq "ip" and not ($hkeywords{'content'} or $hkeywords{'uricontent'} or $hkeywords{'pcre'} or $hkeywords{'ip_proto'} or ($hkeywords{'metadata'} =~ /engine shared, soid [0-9]+|[0-9]+/))) {
 				$blacklistable=1;
 				$fail++;
 				push (@reason, "- IP rule without a content match. Put this in a firewall!\n");