MISP/app/Lib/Tools/SuricataRuleFormat.php

<?php

# based on @jasonish idstools regexp
# https://github.com/jasonish/py-idstools/blob/master/idstools/rule.py

class SuricataRuleFormat
{
    private $actions = array("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop");
    private $rule_pattern = '/(?P<action>%s)\s*'
                            . '(?P<protocol>[^\s]*)\s*'
                            . '(?P<src_ip>[^\s]*)\s*'
                            . '(?P<src_port>[^\s]*)\s*'
                            . '(?P<direction>->|<>)\s*'
                            . '(?P<dst_ip>[^\s]*)\s*'
                            . '(?P<dst_port>[^\s]*)\s*'
                            . '\((?P<options>.*)\)\s*'
                            . '/';
    private $http_req_modifiers = array('http_uri', 'http_raw_uri', 'http_method', 'http_client_body', 'http_header', 'http_raw_header', 'http_cookie', 'http_user_agent', 'http_host', 'http_raw_host');
    private $http_req_sticky = array('http_request_line', 'http_accept', 'http_accept_lang', 'http_accept_enc', 'http_referer', 'http_connection', 'http_content_type', 'http_content_len', 'http_start', 'http_protocol', 'http_header_names');
    private $http_res_modifiers = array('http_stat_msg', 'http_stat_code', 'http_header', 'http_raw_header', 'http_cookie', 'http_server_body');
    private $http_res_sticky = array('http_response_line', 'file_data', 'http_content_type', 'http_content_len', 'http_start', 'http_protocol', 'http_header_names');

    private function findOptionEnd($options)
    {
        $offset = 0;
        while (true) {
            $i = strpos($options, ';', $offset);
            if ($i === false) {
                return -1;
            }
            if ($options[$offset + $i - 1] == '\\') {
                $offset += 2;
            } else {
                return $offset + $i;
            }
        }
    }

    private function getOptions($options)
    {
        $opt_list = array();

        if ($options == false) {
            return false;
        }
        while (true) {
            if ($options == false) {
                return $opt_list;
            }
            $index = $this->findOptionEnd($options);
            if ($index < 0) {
                throw new LogicException(
                    'SuricataRule - could not find end of options'
                );
            }
            $option = substr($options, 0, $index);
            $options = substr($options, $index + 1);
            $delim = strpos($option, ':');
            if ($delim === false) {
                $name = $option;
                $value = None;
            } else {
                $vals = explode(':', $option);
                $name = $vals[0];
                $value = $vals[1];
            }
            $name = str_replace(' ', '', $name);
            $opt_list[$name] = $value;
        }
        return $opt_list;
    }

    private function parseRule($rule)
    {
        $regexp = sprintf($this->rule_pattern, join('|', $this->actions));
        preg_match($regexp, $rule, $matches);
        return $matches;
    }

    # function to validate the global syntax of a suricata rule
    private function validateRuleSyntax($rule)
    {
        $matches = $this->parseRule($rule);
        if (($matches === false) or ($matches['src_ip'] === false) or ($matches['dst_ip'] === false)) {
            return false;
        }
        return true;
    }

    #function to validate http rule keywords order (sticky vs modifiers)
    private function validateRuleHTTP($rule)
    {
        $matches = $this->parseRule($rule);
        if ($matches['protocol'] != 'http') {
            return true;
        }
        $options = $this->getOptions($matches['options']);
        $keys = array_keys($options);
        foreach ($keys as $k) {
            if (in_array($k, $this->http_req_modifiers) or in_array($k, $this->http_res_modifiers)) {
                $mod = array_search($k, $keys);
                if (($mod != 0) and ($keys[$mod - 1] != 'content')) {
                    return false;
                }
            } elseif (in_array($k, $this->http_req_sticky) or in_array($k, $this->http_res_sticky)) {
                $mod = array_search($k, $keys);
                if (($mod != (count($keys) - 1)) and ($keys[$mod + 1] != 'content')) {
                    return false;
                }
            }
        }
        return true;
    }

    # function to validate dns rule keywords order
    private function validateRuleDNS($rule)
    {
        $matches = $this->parseRule($rule);
        if ($matches['protocol'] != 'dns') {
            return true;
        }
        $options = $this->getOptions($matches['options']);
        $keys = array_keys($options);
        $dns_query = array_search('dns_query', $keys);
        if ($dns_query == false) {
            return true;
        }
        if (($dns_query != (count($keys) - 1)) and ($keys[$dns_query + 1] != 'content')) {
            return false;
        }
        return true;
    }

    # function to validate the complete syntax of a suricata rule
    # idea is to
    public function validateRule($rule)
    {
        return $this->validateRuleSyntax($rule) and $this->validateRuleHTTP($rule) and $this->validateRuleDNS($rule);
    }
}
initial regexp to match rule pattern 2018-01-12 17:37:36 +01:00			`<?php`

added validation function for global syntax 2018-01-12 18:22:58 +01:00			`# based on @jasonish idstools regexp`
			`# https://github.com/jasonish/py-idstools/blob/master/idstools/rule.py`

chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`class SuricataRuleFormat`
			`{`
initial regexp to match rule pattern 2018-01-12 17:37:36 +01:00			`private $actions = array("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop");`
			`private $rule_pattern = '/(?P<action>%s)\s*'`
			`. '(?P<protocol>[^\s])\s'`
			`. '(?P<src_ip>[^\s])\s'`
			`. '(?P<src_port>[^\s])\s'`
			`. '(?P<direction>->\|<>)\s*'`
			`. '(?P<dst_ip>[^\s])\s'`
			`. '(?P<dst_port>[^\s])\s'`
			`. '\((?P<options>.)\)\s'`
			`. '/';`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`private $http_req_modifiers = array('http_uri', 'http_raw_uri', 'http_method', 'http_client_body', 'http_header', 'http_raw_header', 'http_cookie', 'http_user_agent', 'http_host', 'http_raw_host');`
			`private $http_req_sticky = array('http_request_line', 'http_accept', 'http_accept_lang', 'http_accept_enc', 'http_referer', 'http_connection', 'http_content_type', 'http_content_len', 'http_start', 'http_protocol', 'http_header_names');`
			`private $http_res_modifiers = array('http_stat_msg', 'http_stat_code', 'http_header', 'http_raw_header', 'http_cookie', 'http_server_body');`
			`private $http_res_sticky = array('http_response_line', 'file_data', 'http_content_type', 'http_content_len', 'http_start', 'http_protocol', 'http_header_names');`
initial regexp to match rule pattern 2018-01-12 17:37:36 +01:00
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function findOptionEnd($options)`
			`{`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`$offset = 0;`
			`while (true) {`
added options extraction function 2018-01-19 18:31:30 +01:00			`$i = strpos($options, ';', $offset);`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`if ($i === false) {`
			`return -1;`
			`}`
added options extraction function 2018-01-19 18:31:30 +01:00			`if ($options[$offset + $i - 1] == '\\') {`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`$offset += 2;`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`} else {`
added options extraction function 2018-01-19 18:31:30 +01:00			`return $offset + $i;`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`}`
			`}`
			`}`

chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function getOptions($options)`
			`{`
added options extraction function 2018-01-19 18:31:30 +01:00			`$opt_list = array();`

			`if ($options == false) {`
			`return false;`
			`}`
			`while (true) {`
			`if ($options == false) {`
			`return $opt_list;`
			`}`
			`$index = $this->findOptionEnd($options);`
			`if ($index < 0) {`
			`throw new LogicException(`
			`'SuricataRule - could not find end of options'`
			`);`
			`}`
			`$option = substr($options, 0, $index);`
			`$options = substr($options, $index + 1);`
			`$delim = strpos($option, ':');`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`if ($delim === false) {`
added options extraction function 2018-01-19 18:31:30 +01:00			`$name = $option;`
			`$value = None;`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`} else {`
added options extraction function 2018-01-19 18:31:30 +01:00			`$vals = explode(':', $option);`
			`$name = $vals[0];`
			`$value = $vals[1];`
			`}`
			`$name = str_replace(' ', '', $name);`
			`$opt_list[$name] = $value;`
			`}`
			`return $opt_list;`
			`}`

chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function parseRule($rule)`
			`{`
initial regexp to match rule pattern 2018-01-12 17:37:36 +01:00			`$regexp = sprintf($this->rule_pattern, join('\|', $this->actions));`
			`preg_match($regexp, $rule, $matches);`
			`return $matches;`
			`}`
added validation function for global syntax 2018-01-12 18:22:58 +01:00
			`# function to validate the global syntax of a suricata rule`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function validateRuleSyntax($rule)`
			`{`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`$matches = $this->parseRule($rule);`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`if (($matches === false) or ($matches['src_ip'] === false) or ($matches['dst_ip'] === false)) {`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`return false;`
			`}`
			`return true;`
			`}`

wrote dns validation func, checking modifier after dns_query keyword 2018-01-19 18:45:18 +01:00			`#function to validate http rule keywords order (sticky vs modifiers)`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function validateRuleHTTP($rule)`
			`{`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`$matches = $this->parseRule($rule);`
			`if ($matches['protocol'] != 'http') {`
			`return true;`
			`}`
			`$options = $this->getOptions($matches['options']);`
			`$keys = array_keys($options);`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`foreach ($keys as $k) {`
			`if (in_array($k, $this->http_req_modifiers) or in_array($k, $this->http_res_modifiers)) {`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`$mod = array_search($k, $keys);`
			`if (($mod != 0) and ($keys[$mod - 1] != 'content')) {`
			`return false;`
			`}`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`} elseif (in_array($k, $this->http_req_sticky) or in_array($k, $this->http_res_sticky)) {`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`$mod = array_search($k, $keys);`
			`if (($mod != (count($keys) - 1)) and ($keys[$mod + 1] != 'content')) {`
			`return false;`
			`}`
			`}`
			`}`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`return true;`
			`}`

wrote dns validation func, checking modifier after dns_query keyword 2018-01-19 18:45:18 +01:00			`# function to validate dns rule keywords order`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`private function validateRuleDNS($rule)`
			`{`
wrote dns validation func, checking modifier after dns_query keyword 2018-01-19 18:45:18 +01:00			`$matches = $this->parseRule($rule);`
			`if ($matches['protocol'] != 'dns') {`
			`return true;`
			`}`
			`$options = $this->getOptions($matches['options']);`
			`$keys = array_keys($options);`
			`$dns_query = array_search('dns_query', $keys);`
			`if ($dns_query == false) {`
			`return true;`
			`}`
finished http validation function using sticky and modifiers 2018-03-02 19:08:59 +01:00			`if (($dns_query != (count($keys) - 1)) and ($keys[$dns_query + 1] != 'content')) {`
wrote dns validation func, checking modifier after dns_query keyword 2018-01-19 18:45:18 +01:00			`return false;`
			`}`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`return true;`
			`}`

			`# function to validate the complete syntax of a suricata rule`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`# idea is to`
			`public function validateRule($rule)`
			`{`
added options extraction function 2018-01-19 18:31:30 +01:00			`return $this->validateRuleSyntax($rule) and $this->validateRuleHTTP($rule) and $this->validateRuleDNS($rule);`
added validation function for global syntax 2018-01-12 18:22:58 +01:00			`}`
chg: [CS] Changed to PSR-2 - to make contributions easier, adopted PSR-2 - used php-cs-fixer to rework the style - sniff sniff Goodbye tab indentation 2018-07-19 11:48:22 +02:00			`}`