Example Programs

u2spewfoo.py

Description:

A python reimplementation of Snort’s u2spewfoo.

usage: u2spewfoo.py <file>...

Source:
idstools/scripts/u2spewfoo.py

gensidmsgmap.py

Description:

Signature->Message Map Generator

Use idstools to generate a Snort style sid-msg.map file from a rule tarball, list of rule files or directories containing Snort-style rules.

usage: gensidmsgmap.py [options] <file>...

options:

    -2, --v2      Output a new (v2) style sid-msg.map file.

The files passed on the command line can be a list of filenames, a
tarball, a directory name (containing rule files) or any combination
of the above.

Source:
idstools/scripts/gensidmsgmap.py

u2fast.py

Description:

Read unified2 log files and output events in “fast” style.

usage: u2fast [-h] [-C <classification.config>] [-S <msg-msg.map>]
              [-G <gen-msg.map>] [--snort-conf <snort.conf>]
              [--directory <spool directory>] [--prefix <spool file prefix>]
              [--bookmark] [--follow]
              [filenames [filenames ...]]

positional arguments:
  filenames

optional arguments:
  -h, --help            show this help message and exit
  -C <classification.config>
                        path to classification config
  -S <msg-msg.map>      path to sid-msg.map
  -G <gen-msg.map>      path to gen-msg.map
  --snort-conf <snort.conf>
                        attempt to load classifications and map files based on
                        the location of the snort.conf
  --directory <spool directory>
                        spool directory (eg: /var/log/snort)
  --prefix <spool file prefix>
                        spool filename prefix (eg: unified2.log)
  --bookmark            enable bookmarking
  --follow              follow files/continuous mode (spool mode only)

u2fast.py also serves as an example of how to read events with the unified2 module and retrieve event descriptions using the facilities provided by the maps module.

Source:
idstools/scripts/u2fast.py
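The sid-msg.map layouts that gensidmsgmap.py writes (v1 by default, v2 with --v2) and that u2fast.py loads through -S, parsed and looked up by (gid, sid) as an added example; this is not idstools code, the sample map contents are constructed, and the fallback from gid 3 (shared-object rules) to gid 1 entries follows the Snort convention for v1 maps.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Signature:
    gid: int
    sid: int
    msg: str
    rev: Optional[int] = None             # v2 only
    classification: Optional[str] = None  # v2 only
    priority: Optional[int] = None        # v2 only
    references: List[str] = field(default_factory=list)

def parse_sid_msg_map(text: str) -> Dict[Tuple[int, int], Signature]:
    """Parse sid-msg.map text into {(gid, sid): Signature}.
    v1: sid || msg || ref ...   (gid is implicitly 1)
    v2: gid || sid || rev || classification || priority || msg || ref ...
    A leading "#v2" line (what gensidmsgmap --v2 writes) selects the v2 layout."""
    sigs, is_v2 = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            is_v2 = is_v2 or line.lower().startswith("#v2")  # header selects v2
            continue                       # blank/comment lines carry no entry
        parts = [p.strip() for p in line.split("||")]
        if is_v2:
            if len(parts) < 6:
                raise ValueError(f"malformed v2 entry: {raw!r}")
            sig = Signature(int(parts[0]), int(parts[1]), parts[5], int(parts[2]),
                            parts[3] or None, int(parts[4]) if parts[4] else None,
                            parts[6:])
        else:
            if len(parts) < 2:
                raise ValueError(f"malformed v1 entry: {raw!r}")
            sig = Signature(1, int(parts[0]), parts[1], references=parts[2:])
        sigs[(sig.gid, sig.sid)] = sig
    return sigs

def lookup(sigs, gid: int, sid: int) -> Optional[Signature]:
    # Shared-object rules (gid 3) reuse the gid 1 entries of a v1 map.
    return sigs.get((gid, sid)) or (sigs.get((1, sid)) if gid == 3 else None)

# Constructed sample maps, not taken from any real ruleset.
V1_SAMPLE = """\
1000001 || LOCAL suspicious outbound DNS || url,example.org/advisory
"""
V2_SAMPLE = """\
#v2
1 || 2000001 || 3 || attempted-admin || 1 || LOCAL v2 test
"""
```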

u2json.py

Description:

Read unified2 log files and output events as JSON.

usage: u2json [-h] [-C <classification.config>] [-S <msg-msg.map>]
              [-G <gen-msg.map>] [--snort-conf <snort.conf>]
              [--directory <spool directory>] [--prefix <spool file prefix>]
              [--bookmark] [--follow] [--delete] [--output <filename>]
              [--stdout]
              [filenames [filenames ...]]

positional arguments:
  filenames

optional arguments:
  -h, --help            show this help message and exit
  -C <classification.config>
                        path to classification config
  -S <msg-msg.map>      path to sid-msg.map
  -G <gen-msg.map>      path to gen-msg.map
  --snort-conf <snort.conf>
                        attempt to load classifications and map files based on
                        the location of the snort.conf
  --directory <spool directory>
                        spool directory (eg: /var/log/snort)
  --prefix <spool file prefix>
                        spool filename prefix (eg: unified2.log)
  --bookmark            enable bookmarking
  --follow              follow files/continuous mode (spool mode only)
  --delete              delete spool files
  --output <filename>   output filename (eg: /var/log/snort/alerts.json)
  --stdout              also log to stdout if --output is a file

If --directory and --prefix are provided, files will be read from
the specified 'spool' directory. Otherwise, files on the command
line will be processed.

An alternative to using command line arguments is to put the arguments in a file and call u2json like:

u2json @filename

where filename looks something like:

-C=/etc/snort/etc/classification.config
-S=/etc/snort/etc/sid-msg.map
-G=/etc/snort/etc/gen-msg.map
--directory=/var/log/snort
--prefix=unified2.log
--output=/var/log/snort/alerts.json
--follow
--bookmark
--delete

Source:
idstools/scripts/u2json.py