NAME
    Parse::Snort - Parse and create Snort rules

VERSION
    Version 0.01

SYNOPSIS
        use Parse::Snort;

        my $rule = Parse::Snort->new(
          action => 'alert',
          proto => 'tcp',
          src => '$HOME_NET', src_port => 'any',
          direction => '->'
          dst =>'$EXTERNAL_NET', dst_port => 'any'
        );

        $rule->action("pass");

        $rule->opts(
            [ 'depth' => 50 ],
            [ 'offset' => 0 ],
            [ 'content' => "perl6" ],
            [ "nocase" ]
        );

        my $rule = Parse::Snort->new();
        $rule->parse('pass tcp $HOME_NET any -> $EXTERNAL_NET 6667;');
        $rule->msg("IRC server");
        my $rule_string = $rule->as_string;
    );

METHODS
    The following methods can be used to read or modify parts of a rule.

    new($rule_string), new($rule_element_ref)
        This function will create a new "Parse::Snort" object. You may pass
        nothing, a string containing a properly formatted Snort rule, or a
        gash reference of rule elements and options.

        $rule_string
              $rule_string = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;)'

        $rule_element_hashref
              $rule_element_hashref = {
                action => 'alert',
                proto => 'tcp',
                src => '$EXTERNAL_NET', src_port => 'any',
                direction => '->',
                dst => '$HOME_NET', dst_port => 'any',
                opts => [
                    [ 'msg' => ':"perl 6 download detected\; may the world rejoice!"' ],
                    [ 'depth' => 150 ],
                    [ 'offset' => 0 ].
                    [ 'content' => 'perl-6.0.0' ],
                    [ 'nocase' ],
                ],
      
              };

    parse($rule_string)
        The parse method can be used to parse a snort rule string after
        new() has been called. The rule object will be populated with the
        parsed version of $rule_string, overwriting any previously defined
        values in the object.

          $rule_object->parse($rule_string);

  METHODS FOR RULE ELEMENTS
    The following methods read or modify the various rule elements.

    action
        The rule action. Generally one of the following: "alert", "pass",
        "drop", "sdrop", or "log".

    proto
        The protocol of the rule. Generally one of the following: "tcp",
        "udp", "ip", or "icmp".

    src The source IP address for the rule. Generally a dotted decimal IP
        address, Snort $HOME_NET variable, or CIDR block notation.

    src_port
        The source port for the rule. Generally a static port, or a
        contigious range of ports.

    direction
        The direction of the rule. One of the following: "-"> "<"> or "<-".

    dst The destination IP address for the rule. Same format as "src"

    dst_port
        The destination port for the rule. Same format as "src"

    opts($opts_array_ref), opts($opts_string)
        The opts method can be used to read existing options of a parsed
        rule, or set them. The method takes two forms of arguments, either
        an Array of Arrays, or a rule string.

        $opts_array_ref
              $opts_array_ref = [
                   [ 'msg' => ':"perl 6 download detected\; may the world rejoice!"' ],
                   [ 'depth' => 150 ],
                   [ 'offset' => 0 ].
                   [ 'content' => 'perl-6.0.0' ],
                   [ 'nocase' ],
              ]

        $opts_string
              $opts_string='(msg:"perl 6 download detected\; may the world rejoice!";depth:150; offset:0; content:"perl-6.0.0"; nocase;)';

            The parenthesis surround the series of "key:value;" pairs are
            optional.

  HELPER METHODS FOR OPTIONS
    sid, rev, msg, classtype
        The "sid", "rev", "msg", and "classtype" methods allow direct access
        to the rule option of the same name

          my $sid = $rule_obj->sid(); # reads the sid of the rule
          $rule_obj->sid($sid); # sets the sid of the rule
          ... etc ...

    references
        The "references" method returns an array reference of the references
        in the rule. Each reference is an array, in [ 'reference_type' =>
        'reference_value' ] format. To modify references, use the "opts"
        method.

    as_string
        The "as_string" method returns a string that matches the normal
        Snort rule form of the object. This is what you want to use to write
        a rule to an output file that will be read by Snort.

AUTHOR
        Richard G Harman Jr, "<perl-cpan at richardharman.com>"

BUGS
        Please report any bugs or feature requests to "bug-parse-snort at
        rt.cpan.org", or through the web interface at
        <http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Parse-Snort>. I will
        be notified, and then you'll automatically be notified of progress
        on your bug as I make changes.

SUPPORT
        You can find documentation for this module with the perldoc command.

            perldoc Parse::Snort

        You can also look for information at:

        * AnnoCPAN: Annotated CPAN documentation
            <http://annocpan.org/dist/Parse-Snort>

        * CPAN Ratings
            <http://cpanratings.perl.org/d/Parse-Snort>

        * RT: CPAN's request tracker
            <http://rt.cpan.org/NoAuth/Bugs.html?Dist=Parse-Snort>

        * Search CPAN
            <http://search.cpan.org/dist/Parse-Snort>

ACKNOWLEDGEMENTS
        MagNET #perl for putting up with me :)

COPYRIGHT & LICENSE
        Copyright 2007 Richard Harman, all rights reserved.

        This program is free software; you can redistribute it and/or modify
        it under the same terms as Perl itself.

