public SnortRule Clone()
{
SnortRule cloned = new SnortRule();
cloned.id = id;
cloned.protocol = protocol;
cloned.sourceip = sourceip;
cloned.sourceport = sourceport;
cloned.destip = destip;
cloned.destport = destport;
cloned.msg = msg;
cloned.contentstring = contentstring;
return(cloned);
}
public void DoPreSaveOptions()
{
Rules = new List <SnortRule>();
optform = new Form();
optform.Width = 500;
optform.Height = 500;
Panel optpanel = new Panel();
optform.Controls.Add(optpanel);
optpanel.Width = 470;
optpanel.Height = 420;
optpanel.AutoScroll = true;
//Add the explanation label
AthenaPluginFormHelpers.AddLabel("Please select the options below to customise your Snort Rules output:", optpanel, 5, 5);
int maxtitlelength = 60;
int x = 10;
int y = 30;
int yinc = 20;
int cnt = 0;
Dictionary <string, int> ID_Form_Mapping = new Dictionary <string, int> ();
foreach (ObservableObject o in col.Observables)
{
cnt++;
ID_Form_Mapping[o.ID] = cnt;
string title = o.DisplayTitle.Length < maxtitlelength ? o.DisplayTitle : o.DisplayTitle.Substring(0, maxtitlelength);
if (o.Type == ObservableObject.ObservableType.Domain)
{
AthenaPluginFormHelpers.AddCheckbox("Any mention in TCP/UDP packets of " + title, optpanel, x, y, true, "obs_" + cnt);
y += yinc;
}
if (o.Type == ObservableObject.ObservableType.IPAddress)
{
AthenaPluginFormHelpers.AddCheckbox("Any traffic, in any protocol, to or from " + title, optpanel, x, y, true, "obs_" + cnt);
y += yinc;
}
//if(o.Type == ObservableObject.ObservableType.Registry)
// AthenaPluginFormHelpers.AddCheckbox("Any mention in TCP/UDP packets of the key/value under " + title, optpanel, x, y, true, "obs_" + cnt);
//if (o.Type == ObservableObject.ObservableType.Sample)
// AthenaPluginFormHelpers.AddCheckbox("Any mention in TCP/UDP packets of filename for " + title, optpanel, x, y, true, "obs_" + cnt);
}
Button closebut = new Button();
closebut.Text = "Save";
closebut.Click += Closebut_Click;
closebut.Location = new System.Drawing.Point(15, 430);
optform.Controls.Add(closebut);
optform.ShowDialog();
SnortRule r;
foreach (ObservableObject o in col.Observables)
{
if ((o.Type == ObservableObject.ObservableType.Domain || o.Type == ObservableObject.ObservableType.IPAddress) && ((CheckBox)optpanel.Controls["obs_" + ID_Form_Mapping[o.ID]]).Checked)
{
if (o.Type == ObservableObject.ObservableType.Domain)
{
r = new SnortRule();
r.id = o.ID;
r.protocol = "TCP";
r.sourceip = "any";
r.sourceport = "any";
r.destip = "any";
r.destport = "any";
r.contentstring = o.Fields.First(fld => fld.FieldName == "Domain").Value;
r.msg = "ATHENA KNOWN IOC: Mention of Domain which is present in an IOC Collection";
Rules.Add(r);
//Add a rule for UDP, too
r = r.Clone();
r.protocol = "UDP";
Rules.Add(r);
}
if (o.Type == ObservableObject.ObservableType.IPAddress)
{
//Temp list to hold the placeholder rules
List <SnortRule> temprules = new List <SnortRule>();
//First let add a "TO" rule for [blank] protocol
r = new SnortRule();
r.id = o.ID;
r.protocol = "";
r.sourceip = "any";
r.sourceport = "any";
r.destip = "any";
r.destport = "any";
r.contentstring = "";
r.msg = "ATHENA KNOWN IOC: [PROTO] Traffic to an IP Address which is present in an IOC Collection";
//Set the IP Address and Deal with cases where the IPV4 and IPV6 addresses are populated for the same IOC (add two rules, one for each)
if (o.Fields.First(fld => fld.FieldName == "IPv4").Value.Length > 0 && o.Fields.First(fld => fld.FieldName == "IPv6").Value.Length > 0)
{
r.sourceip = o.Fields.First(fld => fld.FieldName == "IPv4").Value;
temprules.Add(r);
r = r.Clone();
r.sourceip = o.Fields.First(fld => fld.FieldName == "IPv6").Value;
temprules.Add(r);
}
else
{
//r = r.Clone();
r.sourceip = o.Fields.First(fld => fld.FieldName == "IPv4").Value.Length > 0 ? o.Fields.First(fld => fld.FieldName == "IPv4").Value : o.Fields.First(fld => fld.FieldName == "IPv6").Value;
temprules.Add(r);
}
//Now we have our "TO" rule(s), lets duplicate it/them to also be "from" rules
SnortRule newrule;
int trc = temprules.Count;
for (int c = 0; c < trc; c++)
{
newrule = temprules[c].Clone();
newrule.destip = temprules[c].sourceip;
newrule.sourceip = "any";
newrule.msg = "ATHENA KNOWN IOC: [PROTO] Traffic from an IP Address which is present in an IOC Collection";
temprules.Add(newrule);
}
//Now lets duplicate all of these for all the protocols
trc = temprules.Count;
for (int c = 0; c < trc; c++)
{
foreach (string s in SupportedProtocols)
{
newrule = temprules[c].Clone();
newrule.protocol = s;
newrule.msg = newrule.msg.Replace("[PROTO]", s);
temprules.Add(newrule);
}
}
//Now lets remove the template rules and add the rest to the main list
foreach (SnortRule rls in temprules)
{
if (rls.protocol != "")
{
Rules.Add(rls);
}
}
}
//if (o.Type == ObservableObject.ObservableType.Registry)
//{
// SnortRule r = new SnortRule();
// r.id = o.ID;
//}
//if (o.Type == ObservableObject.ObservableType.Sample)
//{
// SnortRule r = new SnortRule();
// r.id = o.ID;
//}
}
}
}
