/*          Snort ruleset randomiser
 *
 * This utility reads snort's rule file and changes its content field value
 * with random content of the same length. Binary characters are replaced with 
 * random binary, ascii characters are replaced with random ascii characters. 
 *
 * Compile the utility by typing:
 * 		gcc -02 -o rule_randomizer rule-randomizer.c 
 * No special libraries are needed just standard C library 
 *
 * Usage : rule_randomizer input_file output_file
 *
 * For any bugs you can e-mail at antonat@ics.forth.gr
 *
 */


#include <stdio.h>
#include <string.h>
#define INSIDE_HEX 1
#define OUTSIDE_HEX 2
#define INSIDE_CONTENT 1
#define OUTSIDE_CONTENT 2

int main(int argc,char *argv[]) {

	char line[1000];
	char newrule[1000];
	FILE *fp,*fpout;
	int mode=OUTSIDE_HEX;
	int pos,i=0,chartype,j=0,tmp;
	char *content_pos;

	if(argc!=3) {
		fprintf(stderr,"Usage: <%s> <input file> <output file>\n",argv[0]);
		return -1;
	}
	
	if((fp=fopen(argv[1],"r"))==NULL) {
		fprintf(stderr,"Error opening input file\n");
		return -1;
	}

	if((fpout=fopen(argv[2],"w"))==NULL) {
		fprintf(stderr,"Error creating output file \n");
		return -1;
	}


while(fgets(line,1000,fp)!=NULL) {
		i=0;
		j=0;
		content_pos=strstr(line,"content:");
			
		if((content_pos==NULL)||(line[0]=='#')) {   //no content rules or comments
			fprintf(fpout,"%s",line); //write it as it is
			continue;  //next line
		}
	
	while(content_pos) {
		for(;i<(content_pos-line)+8;i++) //copy intermediate or beginning parts 
			newrule[j++]=line[i];
			
		while(line[i]!='"') { //write spaces between "content:" and '"'
			newrule[j++]=line[i];
			i++;
		}
		
		newrule[j++]=line[i++]; //write '"'
		//now we are inside content
		pos=INSIDE_CONTENT; //flags to check if we are inside content
		chartype=OUTSIDE_HEX;
		
		//j=i; //j is pointer to new rule , i to original rule
		
		while(pos==INSIDE_CONTENT) {
			int exc=0,hexcount;
			if(line[i]=='"'){ //check if we reached end of content part
				tmp=i-1;      //check for previous '\' if zero or even number then we are out
				while(line[tmp]=='\\') {
					tmp--;
					exc++;
				}
					
				if(exc%2==0) {
					newrule[j]='"';
					pos=OUTSIDE_CONTENT;
					break; //loops end here
				}
			}
			
			exc=0;
			if(line[i]=='|') {
				tmp=i-1;
				while(line[tmp]=='\\') {
					tmp--;
					exc++;
				}
					
				if(exc%2==0) {
					if(chartype==OUTSIDE_HEX) {
						newrule[j]='|';
						chartype=INSIDE_HEX;
						i++;
						j++;
					}
					else {
						newrule[j++]='|';
						chartype=OUTSIDE_HEX;						
						i++;
					}
				}

			}
			
			if(chartype==INSIDE_HEX) { 
				char *temphex;
				char temph[3];
				
				hexcount=0;
				while(line[i]!='|') {
					if(line[i]!=' ') {
						hexcount++;
					}
					i++;
				}
				
				temphex=(char *)malloc((2*hexcount)*sizeof(char));
				temphex[0]='\0';
				for(tmp=0;tmp<hexcount/2;tmp++) {
					sprintf(temph,"%2x",random()%256);
					if(temph[0]==' ')
						temph[0]='0';
					sprintf(temphex,"%s%2x",temphex,temph);
				}
				
				for(tmp=0;tmp<hexcount;tmp++)
					newrule[j++]=temphex[tmp];
					
				//newrule takes hexcount/2 random hex
				newrule[j++]='|';
				chartype=OUTSIDE_HEX;
				
				free(temphex);
			}
			else {
				if(line[i]=='\\') {
					int mytemp=random_printable();
					if((mytemp==';')||(mytemp==':')||(mytemp=='?')||(mytemp=='*')) {
						newrule[j++]='\\';
					}

					newrule[j++]=mytemp;
					i++;
				}
				else {
					int mytemp=random_printable();
					if((mytemp==';')||(mytemp==':')) {
						newrule[j++]='\\';
					}
					newrule[j++]=mytemp;
				}

			}
			
	 		i++;	
		}

		content_pos=strstr(line+i,"content:");

	}
		
		
while(line[i]!='\0') { //copy the trailing part of the rule
	newrule[j++]=line[i];
	i++;
}

newrule[j]='\0';	
fprintf(fpout,"%s",newrule);
		
		
}

close(fp);
close(fpout);

}


int random_printable() {
	int temp=(33+random()%92);	
	if((temp=='\\')||(temp=='|')||(temp=='"')) 
		return temp+1;
	else
		return temp;
}