idstools.scripts package

Submodules

idstools.scripts.dumpdynamicrules module

Dump Snort SO rule stub helper program. Can optionally repack a Snort rule tarball with the generated stubs, in place or to a new file.

idstools.scripts.dumpdynamicrules.find_snort()[source]

Find the path to Snort from the PATH.

idstools.scripts.dumpdynamicrules.main()[source]
idstools.scripts.dumpdynamicrules.mktempdir(delete_on_exit=True)[source]

Create a temporary directory that is removed on exit.

idstools.scripts.dumpdynamicrules.repack(prefix, stubs, filename)[source]

idstools.scripts.gensidmsgmap module

Generate sid-msg.map files (v1 and v2) from rule archives, files and/or directories.

idstools.scripts.gensidmsgmap.file_iterator(files)[source]
idstools.scripts.gensidmsgmap.main()[source]
idstools.scripts.gensidmsgmap.usage(file=sys.stderr)[source]

idstools.scripts.rulecat module

class idstools.scripts.rulecat.Fetch(args)[source]

Bases: object

basename()[source]
check_checksum(tmp_filename, url)[source]
files_as_dict()[source]
get_rule_url()[source]
progress_hook(content_length, bytes_read)[source]
run()[source]
class idstools.scripts.rulecat.GroupMatcher(pattern)[source]

Bases: object

Matcher object to match an idstools rule object by its group (i.e. its filename).

match(rule)[source]
classmethod parse(match)[source]
class idstools.scripts.rulecat.HashTracker[source]

Used to check if files are modified.

Usage: Add files with add(filename) prior to modification. Test with any_modified(), which returns True if any of the recorded checksums no longer match the file contents.

add(filename)[source]
any_modified()[source]
get_md5(filename)[source]
get_md5_for_directory(directory)[source]
class idstools.scripts.rulecat.IdRuleMatcher(generatorId, signatureId)[source]

Bases: object

Matcher object to match an idstools rule object by its signature ID.

match(rule)[source]
classmethod parse(match)[source]
class idstools.scripts.rulecat.ModifyRuleFilter(matcher, pattern, repl)[source]

Bases: object

Filter to modify an idstools rule object.

Important note: This filter does not modify the rule in place, but instead returns a new rule object with the modification applied.

filter(rule)[source]
match(rule)[source]
classmethod parse(buf)[source]
class idstools.scripts.rulecat.ReRuleMatcher(pattern)[source]

Bases: object

Matcher object to match an idstools rule object by regular expression.

match(rule)[source]
classmethod parse(buf)[source]
class idstools.scripts.rulecat.ThresholdProcessor[source]
extract_pattern(buf)[source]
extract_regex(buf)[source]
patterns = [...] (a list of three compiled regular expression patterns)
process(filein, fileout, rulemap)[source]
replace(threshold, rule)[source]
idstools.scripts.rulecat.build_report(prev_rulemap, rulemap)[source]

Build a report of changes between two rule maps.

Returns a dict with the following keys, each containing a list of rules:

- added
- removed
- modified

idstools.scripts.rulecat.build_rule_map(rules)[source]

Turn a list of rules into a mapping keyed by gid:sid.

In case of a gid:sid conflict, the rule with the higher revision number is used.

idstools.scripts.rulecat.dump_sample_configs()[source]
idstools.scripts.rulecat.load_filters(filename)[source]
idstools.scripts.rulecat.load_local_files(local, files)[source]

Load local files into the files dict.

idstools.scripts.rulecat.load_matchers(filename)[source]
idstools.scripts.rulecat.main()[source]
idstools.scripts.rulecat.parse_rule_match(match)[source]
idstools.scripts.rulecat.resolve_flowbits(rulemap, disabled_rules)[source]
idstools.scripts.rulecat.write_merged(filename, rulemap)[source]
idstools.scripts.rulecat.write_sid_msg_map(filename, rulemap, version=1)[source]
idstools.scripts.rulecat.write_to_directory(directory, files, rulemap)[source]
idstools.scripts.rulecat.write_yaml_fragment(filename, files)[source]

idstools.scripts.u2eve module

Read unified2 log files and output events as Suricata EVE JSON.

class idstools.scripts.u2eve.EveFilter(msgmap=None, classmap=None)[source]

Bases: object

filter(event)[source]
getprotobynumber(protocol)[source]
resolve_classification(event, default=None)[source]
resolve_msg(event, default=None)[source]
class idstools.scripts.u2eve.OutputWrapper(filename, fileobj=None)[source]

Bases: object

reopen()[source]
write(buf)[source]
idstools.scripts.u2eve.calculate_flow_id(event)[source]
idstools.scripts.u2eve.get_tzoffset(sec)[source]
idstools.scripts.u2eve.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2eve.main()[source]
idstools.scripts.u2eve.render_timestamp(sec, usec)[source]

idstools.scripts.u2fast module

Read unified2 log files and output events in “fast” style.

idstools.scripts.u2fast.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2fast.main()[source]
idstools.scripts.u2fast.print_event(event, msgmap, classmap)[source]
idstools.scripts.u2fast.print_time(sec, usec)[source]

idstools.scripts.u2json module

Read unified2 log files and output records as JSON.

class idstools.scripts.u2json.Formatter(msgmap=None, classmap=None)[source]

Bases: object

format(record)[source]
format_event(record)[source]
format_extra_data(record)[source]
format_packet(record)[source]
resolve_classification(event, default=None)[source]
resolve_msg(event, default=None)[source]
class idstools.scripts.u2json.OutputWrapper(filename, fileobj=None)[source]

Bases: object

reopen()[source]
write(buf)[source]
idstools.scripts.u2json.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2json.main()[source]
idstools.scripts.u2json.rollover_hook(closed, opened)[source]

The rollover hook for the spool reader. Deletes the closed file once the reader has moved on to the newly opened one.

idstools.scripts.u2spewfoo module

A Python reimplementation of Snort’s u2spewfoo.

idstools.scripts.u2spewfoo.main()[source]
idstools.scripts.u2spewfoo.print_char(char)[source]
idstools.scripts.u2spewfoo.print_event(event)[source]
idstools.scripts.u2spewfoo.print_extra(extra)[source]
idstools.scripts.u2spewfoo.print_packet(packet)[source]
idstools.scripts.u2spewfoo.print_raw(raw)[source]
idstools.scripts.u2spewfoo.print_record(record)[source]
idstools.scripts.u2spewfoo.printable_chars(buf)[source]

Module contents