scripts Package

gensidmsgmap Module

Signature->Message Map Generator

Use idstools to generate a Snort style sid-msg.map file from a rule tarball, list of rule files or directories containing Snort-style rules.

usage: gensidmsgmap.py [options] <file>...

options:

    -2, --v2      Output a new (v2) style sid-msg.map file.

The files passed on the command line can be a list of filenames, a
tarball, a directory name (containing rule files) or any combination
of the above.

idstools.scripts.gensidmsgmap.file_iterator(files)

idstools.scripts.gensidmsgmap.main()

idstools.scripts.gensidmsgmap.render_v1(rule)

Render an original style sid-msg.map entry.

idstools.scripts.gensidmsgmap.render_v2(rule)

Render a v2 style sid-msg.map entry.

gid || sid || rev || classification || priority || msg || ref0 || refN
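As an added illustration of what gensidmsgmap does with a rule file and of the two sid-msg.map entry formats documented above, the following example (written for this page, not idstools' own code) pulls the gid, sid, rev, msg, classtype, priority and reference options out of constructed Snort-style rules and renders the original and v2 entries; the sample rules, the `OPTION_RE` regex and the defaults for missing gid, rev and priority are assumptions of the example.

```python
import re

# Matches one rule option: name, optional ":value", terminated by ";". Values may
# contain backslash escapes such as \; or \" inside msg, so those are consumed as pairs.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:\\.|[^;\\])*))?;')

# Constructed sample rules (not a real ruleset); the comment line and the rule
# without a sid must be skipped by the generator.
SAMPLE_RULES = """\
# constructed rule file, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH \\"root\\" login attempt"; flow:to_server; classtype:attempted-admin; priority:2; reference:url,example.com/ssh-notes; reference:url,example.com/more; sid:1000001; rev:3;)
alert udp any any -> any 53 (msg:"EXAMPLE no sid"; classtype:misc-activity;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; classtype:misc-activity; sid:1000003; rev:1; gid:1;)
"""

def parse_rule(rule):
    """Return the sid-msg.map fields of one Snort-style rule, or None if it has no sid."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return None
    parsed = {"gid": 1, "sid": None, "rev": 0, "msg": "", "classtype": "",
              "priority": "", "references": []}
    for name, value in OPTION_RE.findall(rule[start + 1:end]):
        value = value.strip()
        if name in ("gid", "sid", "rev", "priority"):
            parsed[name] = int(value)
        elif name == "msg":
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            parsed["msg"] = re.sub(r'\\(.)', r'\1', value)  # unescape \" and \;
        elif name == "classtype":
            parsed["classtype"] = value
        elif name == "reference":
            parsed["references"].append(value)  # kept verbatim, e.g. url,example.com/x
    return parsed if parsed["sid"] is not None else None

def render_v1(rule):
    """Original style entry: sid || msg || ref0 || refN"""
    return " || ".join([str(rule["sid"]), rule["msg"]] + rule["references"])

def render_v2(rule):
    """v2 entry: gid || sid || rev || classification || priority || msg || ref0 || refN.
    Priority stays empty if the rule sets none (a full generator would take the
    classtype's priority from classification.config)."""
    head = [str(rule["gid"]), str(rule["sid"]), str(rule["rev"]),
            rule["classtype"], str(rule["priority"]), rule["msg"]]
    return " || ".join(head + rule["references"])

def build_sid_msg_map(rule_text, v2=False):
    """One map line per rule that has a sid, comments skipped, ordered by sid."""
    render = render_v2 if v2 else render_v1
    lines = [l for l in rule_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = sorted(filter(None, map(parse_rule, lines)), key=lambda r: r["sid"])
    return [render(r) for r in rules]
```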

idstools.scripts.gensidmsgmap.usage(file=sys.stderr)

u2bench Module

idstools.scripts.u2bench.main()

idstools.scripts.u2bench.usage(fileobj=sys.stderr)

u2fast Module

Read unified2 log files and output events in “fast” style.

usage: u2fast [-h] [-C <classification.config>] [-S <msg-msg.map>]
              [-G <gen-msg.map>] [--snort-conf <snort.conf>]
              [--directory <spool directory>] [--prefix <spool file prefix>]
              [--bookmark] [--follow]
              [filenames [filenames ...]]

positional arguments:
  filenames

optional arguments:
  -h, --help            show this help message and exit
  -C <classification.config>
                        path to classification config
  -S <msg-msg.map>      path to sid-msg.map
  -G <gen-msg.map>      path to gen-msg.map
  --snort-conf <snort.conf>
                        attempt to load classifications and map files based on
                        the location of the snort.conf
  --directory <spool directory>
                        spool directory (eg: /var/log/snort)
  --prefix <spool file prefix>
                        spool filename prefix (eg: unified2.log)
  --bookmark            enable bookmarking
  --follow              follow files/continuous mode (spool mode only)

idstools.scripts.u2fast.load_from_snort_conf(snort_conf, classmap, msgmap)

idstools.scripts.u2fast.main()

idstools.scripts.u2fast.print_event(event, msgmap, classmap)

idstools.scripts.u2fast.print_time(sec, usec)

u2json Module

Read unified2 log files and output events as JSON.

usage: u2json [-h] [-C <classification.config>] [-S <msg-msg.map>]
              [-G <gen-msg.map>] [--snort-conf <snort.conf>]
              [--directory <spool directory>] [--prefix <spool file prefix>]
              [--bookmark] [--follow] [--delete] [--output <filename>]
              [--stdout]
              [filenames [filenames ...]]

positional arguments:
  filenames

optional arguments:
  -h, --help            show this help message and exit
  -C <classification.config>
                        path to classification config
  -S <msg-msg.map>      path to sid-msg.map
  -G <gen-msg.map>      path to gen-msg.map
  --snort-conf <snort.conf>
                        attempt to load classifications and map files based on
                        the location of the snort.conf
  --directory <spool directory>
                        spool directory (eg: /var/log/snort)
  --prefix <spool file prefix>
                        spool filename prefix (eg: unified2.log)
  --bookmark            enable bookmarking
  --follow              follow files/continuous mode (spool mode only)
  --delete              delete spool files
  --output <filename>   output filename (eg: /var/log/snort/alerts.json)
  --stdout              also log to stdout if --output is a file

If --directory and --prefix are provided files will be read from
the specified 'spool' directory. Otherwise files on the command
line will be processed.

An alternative to using command line arguments is to put the arguments in a file and call u2json like:

u2json @filename

where filename looks something like:

-C=/etc/snort/etc/classification.config
-S=/etc/snort/etc/sid-msg.map
-G=/etc/snort/etc/gen-msg.map
--directory=/var/log/snort
--prefix=unified2.log
--output=/var/log/snort/alerts.json
--follow
--bookmark
--delete

class idstools.scripts.u2json.OutputWrapper(filename, fileobj=None)

Bases: object

reopen()

write(buf)

class idstools.scripts.u2json.SuricataJsonFilter(msgmap=None, classmap=None)

Bases: object

filter(event)

getprotobynumber(protocol)

resolve_classification(event, default=None)

resolve_msg(event, default=None)

idstools.scripts.u2json.get_tzoffset(sec)

idstools.scripts.u2json.load_from_snort_conf(snort_conf, classmap, msgmap)

idstools.scripts.u2json.main()

idstools.scripts.u2json.render_timestamp(sec, usec)

u2spewfoo Module

A Python reimplementation of Snort’s u2spewfoo.

usage: u2spewfoo.py <file>...

idstools.scripts.u2spewfoo.main()

idstools.scripts.u2spewfoo.print_char(char)

idstools.scripts.u2spewfoo.print_event(event)

idstools.scripts.u2spewfoo.print_extra(extra)

idstools.scripts.u2spewfoo.print_packet(packet)

idstools.scripts.u2spewfoo.print_raw(raw)

idstools.scripts.u2spewfoo.print_record(record)

idstools.scripts.u2spewfoo.printable_chars(buf)