idstools.rule module

Module for parsing Snort-like rules.

Parsing is done with regular expressions. The job of this module is to do its best at extracting the fields of interest from a rule, not to validate it: a rule that parses here has not been checked the way an IDS engine checks a rule when loading it.

The functions that parse multiple rules from a single input (parse_file, parse_fileobj) return a list of rules rather than a dict keyed by ID, because it is not this module's job to detect or handle duplicate signature IDs. Callers that need a map should build it themselves and decide how to treat duplicates.

class idstools.rule.FlowbitResolver[source]

Bases: object

get_required_flowbits(rules)[source]
get_required_rules(rulemap, flowbits, include_enabled=False)[source]

Returns a list of rules that need to be enabled in order to satisfy the list of required flowbits.

getters = ['isset', 'isnotset']
parse_flowbit(flowbit)[source]
resolve(rules)[source]
set_required_flowbits(rules, required)[source]
setters = ['set', 'setx', 'unset', 'toggle']
class idstools.rule.Rule(enabled=None, action=None, group=None)[source]

Bases: dict

Class representing a rule.

The Rule class is a class that also acts like a dictionary.

Dictionary fields:

  • group: The group the rule belongs to, typically the filename.
  • enabled: True if the rule is enabled (uncommented), False if it is disabled (commented out)
  • action: The action of the rule (alert, pass, etc) as a string
  • proto: The protocol string of the rule.
  • source_addr: The source address string of the rule.
  • source_port: The source ports string of the rule.
  • direction: The direction string of the rule.
  • dest_addr: The destination address string of the rule.
  • dest_port: The destination ports string of the rule.
  • gid: The gid of the rule as an integer
  • sid: The sid of the rule as an integer
  • rev: The revision of the rule as an integer
  • msg: The rule message as a string
  • flowbits: List of flowbit options in the rule
  • metadata: Metadata values as a list
  • references: References as a list
  • classtype: The classification type
  • priority: The rule priority, 0 if not provided
  • raw: The raw rule as read from the file or buffer
Parameters:
  • enabled – Optional parameter to set the enabled state of the rule
  • action – Optional parameter to set the action of the rule
  • group – Optional parameter to set the group (filename) of the rule
brief()[source]

A brief description of the rule.

Returns: A brief description of the rule
Return type: string
format()[source]
id

The ID of the rule.

Returns: A tuple (gid, sid) representing the ID of the rule
Return type: A tuple of 2 ints
idstr

Return the gid and sid of the rule as a string formatted like: ‘[GID:SID]’

rebuild_options()[source]

Rebuild the rule options from the list of options.

idstools.rule.add_option(rule, name, value, index=None)[source]
idstools.rule.enable_flowbit_dependencies(rulemap)[source]

Helper function to resolve flowbits, wrapping the FlowbitResolver class.
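The resolution that FlowbitResolver and this helper perform can be illustrated on a few hand-built rule dicts. The block below is an example written for this page, not the idstools implementation: it uses the same getters and setters lists and the documented Rule keys (sid, enabled, flowbits) on constructed sample rules, and it loops to a fixed point because enabling one setter can expose a further isset dependency that a single pass would miss. The function and variable names are this example's own.

```python
"""Flowbit dependency resolution over rule dicts (example for this page,
not the idstools FlowbitResolver)."""
import copy
import re

SETTERS = ("set", "setx", "unset", "toggle")   # commands that write a flowbit
GETTERS = ("isset", "isnotset")                # commands that read a flowbit

# Constructed sample rules. Enabled rule 3 reads a bit that only disabled
# rule 2 sets; rule 2 in turn reads a bit set by disabled rule 1. Rule 4 sets
# an unrelated bit and must stay disabled; rule 5 carries a flag-only command.
RULES = [
    {"sid": 1, "enabled": False, "flowbits": ["set,stage1"]},
    {"sid": 2, "enabled": False, "flowbits": ["isset,stage1", "set,stage2"]},
    {"sid": 3, "enabled": True,  "flowbits": ["isset,stage2"]},
    {"sid": 4, "enabled": False, "flowbits": ["set,unrelated"]},
    {"sid": 5, "enabled": True,  "flowbits": ["noalert"]},
]


def parse_flowbit(flowbit):
    """Split a flowbits option value into (command, names); names is None
    for commands such as 'noalert' that carry no bit name."""
    parts = [p.strip() for p in flowbit.split(",", 1)]
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], None)


def flowbit_names(spec):
    """Expand 'a|b' / 'a&b' into the individual bit names."""
    return [n for n in re.split(r"[|&]", spec) if n]


def required_flowbits(rules):
    """Set of flowbit names read (isset/isnotset) by currently enabled rules."""
    required = set()
    for rule in rules:
        if not rule["enabled"]:
            continue
        for fb in rule["flowbits"]:
            cmd, spec = parse_flowbit(fb)
            if cmd in GETTERS and spec:
                required.update(flowbit_names(spec))
    return required


def sets_any(rule, flowbits):
    """True if the rule sets/unsets/toggles any of the given flowbit names."""
    for fb in rule["flowbits"]:
        cmd, spec = parse_flowbit(fb)
        if cmd in SETTERS and spec and set(flowbit_names(spec)) & flowbits:
            return True
    return False


def enable_flowbit_dependencies(rules):
    """Enable disabled rules needed to satisfy the flowbits read by enabled
    rules. Iterates to a fixed point; returns the sids enabled, in order."""
    enabled_sids = []
    while True:
        needed = required_flowbits(rules)
        newly = [r for r in rules if not r["enabled"] and sets_any(r, needed)]
        if not newly:
            return enabled_sids
        for r in newly:
            r["enabled"] = True
            enabled_sids.append(r["sid"])


def resolve_sample():
    """Run the resolver on a copy of RULES; returns (sids enabled by the
    resolver, sids of all rules enabled afterwards)."""
    rules = copy.deepcopy(RULES)
    enabled = enable_flowbit_dependencies(rules)
    return enabled, [r["sid"] for r in rules if r["enabled"]]
```

Running resolve_sample() enables rule 2 on the first pass (it sets stage2, which rule 3 reads) and rule 1 on the second (rule 2, now enabled, reads stage1); rule 4 never becomes required. A resolver that stops after one pass would leave rule 1 disabled and rule 2 would never fire, so the multi-pass loop is the part worth copying.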

idstools.rule.find_opt_end(options)[source]

Find the end of an option (;) handling escapes.

idstools.rule.format_sidmsgmap(rule)[source]

Format a rule as a sid-msg.map entry.

idstools.rule.format_sidmsgmap_v2(rule)[source]

Format a rule as a v2 sid-msg.map entry.

e.g.: gid || sid || rev || classification || priority || msg || ref0 || refN

idstools.rule.parse(buf, group=None)[source]

Parse a single rule from a string buffer.

Parameters: buf – A string buffer containing a single Snort-like rule
Returns: An instance of Rule representing the parsed rule
idstools.rule.parse_file(filename, group=None)[source]

Parse multiple rules from the provided filename.

Parameters: filename – Name of file to parse rules from
Returns: A list of Rule instances, one for each rule parsed
idstools.rule.parse_fileobj(fileobj, group=None)[source]

Parse multiple rules from a file like object.

Note: At this time each rule must be on a single line.

Parameters: fileobj – A file-like object to parse rules from
Returns: A list of Rule instances, one for each rule parsed
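To make the documented field mapping concrete, the following block re-creates the behaviour described on this page (a regex header parse, option splitting that honours backslash-escaped semicolons as find_opt_end does, commented-out rules reported as disabled, one rule per line, and the v2 sid-msg.map line format) on a constructed two-rule file. It is an example written for this page, not the idstools code: HEADER_RE, the helper names and the sample rules are this example's own, and the field defaults (gid 1, priority 0) follow the Rule field list above.

```python
"""Parse Snort-like rules into the field set documented for idstools.rule.Rule.
Example written for this page, not the idstools implementation."""
import io
import re

# Rule header: optional '#' (disabled), action, proto, src/sport, direction,
# dst/dport, then the option body in parentheses. Pattern is this example's own.
HEADER_RE = re.compile(
    r"^(?P<disabled>#)?\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<source_addr>\S+)\s+(?P<source_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dest_addr>\S+)\s+(?P<dest_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

# Constructed sample input: one enabled rule with an escaped ';' inside
# content, and one commented-out (disabled) rule carrying metadata.
SAMPLE_RULES = r'''
# Constructed sample rule file for this example; not a real ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE HTTP stage1"; flow:to_server,established; content:"GET /a\;b"; flowbits:set,stage1; flowbits:noalert; reference:url,example.com/stage1; classtype:trojan-activity; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXAMPLE HTTP stage2"; flowbits:isset,stage1; metadata:created_at 2020_01_01, updated_at 2021_01_01; sid:1000002; rev:1;)
'''


def find_opt_end(options):
    """Index of the first ';' not preceded by a backslash escape, or -1."""
    i = 0
    while i < len(options):
        if options[i] == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if options[i] == ";":
            return i
        i += 1
    return -1


def split_options(options):
    """Yield (name, value) pairs; value is None for flag options like 'nocase'."""
    rest = options.strip()
    while rest:
        end = find_opt_end(rest)
        if end < 0:
            raise ValueError("unterminated option: %r" % rest)
        opt, rest = rest[:end].strip(), rest[end + 1:].lstrip()
        if opt:
            name, sep, value = opt.partition(":")
            yield name.strip(), (value.strip() if sep else None)


def parse(buf, group=None):
    """Parse one rule line into a dict with the documented Rule fields."""
    m = HEADER_RE.match(buf.strip())
    if m is None:
        return None                      # blank line, plain comment, or garbage
    rule = {
        "group": group, "enabled": m.group("disabled") is None,
        "action": m.group("action"), "proto": m.group("proto"),
        "source_addr": m.group("source_addr"), "source_port": m.group("source_port"),
        "direction": m.group("direction"),
        "dest_addr": m.group("dest_addr"), "dest_port": m.group("dest_port"),
        "gid": 1, "sid": None, "rev": 0, "msg": None, "flowbits": [],
        "metadata": [], "references": [], "classtype": None, "priority": 0,
        "raw": buf.strip(),
    }
    for name, value in split_options(m.group("options")):
        if name == "msg":
            rule["msg"] = value.strip('"')
        elif name in ("gid", "sid", "rev", "priority"):
            rule[name] = int(value)
        elif name == "flowbits":
            rule["flowbits"].append(value)
        elif name == "metadata":
            rule["metadata"].extend(v.strip() for v in value.split(","))
        elif name == "reference":
            rule["references"].append(value)
        elif name == "classtype":
            rule["classtype"] = value
    return rule


def parse_fileobj(fileobj, group=None):
    """One rule per line; lines that do not parse as a rule are skipped."""
    return [r for r in (parse(line, group=group) for line in fileobj) if r is not None]


def format_sidmsgmap_v2(rule):
    """gid || sid || rev || classification || priority || msg || ref0 || refN"""
    fields = [rule["gid"], rule["sid"], rule["rev"], rule["classtype"] or "",
              rule["priority"], rule["msg"]] + rule["references"]
    return " || ".join(str(f) for f in fields)


def parse_sample():
    """Parse the constructed sample above; returns the list of rule dicts."""
    return parse_fileobj(io.StringIO(SAMPLE_RULES), group="sample.rules")
```

Two points are worth checking against any parser of this format: the escaped `\;` inside the content match must not terminate the option (otherwise the sid and rev that follow are lost and the rule is silently mis-keyed), and a commented-out rule must still be parsed so that tooling can re-enable it, which is why the header pattern accepts a leading `#` and records it as enabled=False rather than skipping the line.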
idstools.rule.remove_option(rule, name)[source]