Graphical Snort rule builder. This tool should help writing Snort rules by preventing invalid values for most fields as well as invalid combinations of fields.
Old Major can be used as a web or desktop app. First, run
npm install && ng build
in the Old Major directory.
For desktop use, run npm run desktop
. To use as a web app,
copy the /dist folder to your web root.
The Old Major interface consists of two sections: the rule output at the top of the page and the rule form below it. The output box displays the text of the rule. It is automatically generated on the fly from the values in the form. If there are any errors, the box will turn red and a (!) icon will appear. The fields containing the errors will be indicated either by a (!) icon or by help text explaining what the correct format for the input should be.
There are four main sections within the rule form:
The general tab contains the rule header and general options. Old Major requires that the SID of the rule be greater than 1000000 in accordance with the established convention for custom rules.
The non-payload tab contains fields related to flow, frag, protocol, and flags.
The payload tab contains the cursor modifier, content pattern, PCRE, flowbit, byte jump, byte test, and byte extract fields. Sections are added by clicking on the sidebar. The sections can be rearranged by clicking and dragging using the drag handles on the left of the list items and removed using the X on the right.
The post-detection tab contains the tag, threshold, detection filter, and other post-detection fields.
There are still many features that can be implemented, including:
- support for base64_decode and base_64 data
- support for ASN1
- support for Suricata-specific options, with a toggle for Snort/Suricata
- more validation, such as ensuring that PCRE is not the first payload section in a rule
- importing existing rules
- user-specified values for the Source/Destination IP/Port fields (i.e. variables)
See CONTRIBUTING.md for instructions on how to contribute to this project.
Run ng test
to run the Karma tests over the project.
Run ng build
to compile the Typescript files into the /dist directory.
Run ng serve
for a dev server with live reload. The app will run on port 4200
by default.