idstools.scripts package

Submodules

idstools.scripts.dumpdynamicrules module

Dump Snort SO rule stub helper program. Can optionally repack a Snort rule tarball with the generated stubs, in place or to a new file.

idstools.scripts.dumpdynamicrules.find_snort()[source]

Find the path to Snort from the PATH.

idstools.scripts.dumpdynamicrules.main()[source]
idstools.scripts.dumpdynamicrules.mktempdir(delete_on_exit=True)[source]

Create a temporary directory that is removed on exit.

idstools.scripts.dumpdynamicrules.repack(prefix, stubs, filename)[source]

idstools.scripts.eve2pcap module

Convert packets in EVE logs to pcap.

eve2pcap will convert the packets or the payloads found in an eve log file to a pcap file.

Note that payload conversion requires Scapy, and will not recreate the original packets as the headers need to be built on the fly from the available information in the eve log.

class idstools.scripts.eve2pcap.Pcap(pcap_t)[source]
dump_fopen(fileno)[source]

Not quite a direct wrapper around pcap_dump_fopen: it takes a file descriptor rather than a file pointer.

dump_open(filename)[source]
classmethod open_dead(linktype, snaplen)[source]
class idstools.scripts.eve2pcap.PcapDumper(pcap_dumper_t)[source]

Minimal wrapper around pcap_dumper_t.

close()[source]
dump(pkthdr, packet)[source]
idstools.scripts.eve2pcap.eve2pcap(event)[source]
idstools.scripts.eve2pcap.main()[source]
idstools.scripts.eve2pcap.parse_timestamp(timestamp)[source]
idstools.scripts.eve2pcap.payload2packet(event)[source]
class idstools.scripts.eve2pcap.pcap_pkthdr[source]

Bases: _ctypes.Structure

Internal class representing struct pcap_pkthdr.

caplen

Structure/Union member

pktlen

Structure/Union member

ts_sec

Structure/Union member

ts_usec

Structure/Union member

idstools.scripts.gensidmsgmap module

Generate sid-msg.map files (v1 and v2) from rule archives, files and/or directories.

idstools.scripts.gensidmsgmap.file_iterator(files)[source]
idstools.scripts.gensidmsgmap.main()[source]
idstools.scripts.gensidmsgmap.usage(file=sys.stderr)[source]

idstools.scripts.rulecat module

class idstools.scripts.rulecat.DropRuleFilter(matcher)[source]

Bases: object

Filter to modify an idstools rule object to a drop rule.

filter(rule)[source]
match(rule)[source]
class idstools.scripts.rulecat.Fetch(args)[source]

Bases: object

check_checksum(tmp_filename, url)[source]
extract_files(filename)[source]
fetch(url)[source]
progress_hook(content_length, bytes_read)[source]
run()[source]
class idstools.scripts.rulecat.GroupMatcher(pattern)[source]

Bases: object

Matcher object to match an idstools rule object by its group (i.e. filename).

match(rule)[source]
classmethod parse(match)[source]
class idstools.scripts.rulecat.HashTracker[source]

Used to check if files are modified.

Usage: Add files with add(filename) prior to modification. Test with any_modified(), which returns True if any of the checksums have changed.

add(filename)[source]
any_modified()[source]
get_md5(filename)[source]
get_md5_for_directory(directory)[source]
class idstools.scripts.rulecat.IdRuleMatcher(generatorId, signatureId)[source]

Bases: object

Matcher object to match an idstools rule object by its signature ID.

match(rule)[source]
classmethod parse(match)[source]
class idstools.scripts.rulecat.ModifyRuleFilter(matcher, pattern, repl)[source]

Bases: object

Filter to modify an idstools rule object.

Important note: This filter does not modify the rule in place, but instead returns a new rule object with the modification.

filter(rule)[source]
match(rule)[source]
classmethod parse(buf)[source]
class idstools.scripts.rulecat.ReRuleMatcher(pattern)[source]

Bases: object

Matcher object to match an idstools rule object by regular expression.

match(rule)[source]
classmethod parse(buf)[source]
class idstools.scripts.rulecat.ThresholdProcessor[source]
extract_pattern(buf)[source]
extract_regex(buf)[source]
patterns = [...]  (a list of three compiled regular expression objects)
process(filein, fileout, rulemap)[source]
replace(threshold, rule)[source]
idstools.scripts.rulecat.build_report(prev_rulemap, rulemap)[source]

Build a report of changes between two rulemaps.

Returns a dict with the following keys, each containing a list of rules:

- added
- removed
- modified

idstools.scripts.rulecat.build_rule_map(rules)[source]

Turn a list of rules into a mapping of rules.

In case of gid:sid conflict, the rule with the higher revision number will be used.

idstools.scripts.rulecat.dump_sample_configs()[source]
idstools.scripts.rulecat.load_drop_filters(filename)[source]
idstools.scripts.rulecat.load_filters(filename)[source]
idstools.scripts.rulecat.load_local_files(local, files)[source]

Load local files into the files dict.

idstools.scripts.rulecat.load_matchers(filename)[source]
idstools.scripts.rulecat.main()[source]
idstools.scripts.rulecat.parse_rule_match(match)[source]
idstools.scripts.rulecat.resolve_etopen_url(suricata_path)[source]
idstools.scripts.rulecat.resolve_etpro_url(etpro, suricata_path)[source]
idstools.scripts.rulecat.resolve_flowbits(rulemap, disabled_rules)[source]
idstools.scripts.rulecat.write_merged(filename, rulemap)[source]
idstools.scripts.rulecat.write_sid_msg_map(filename, rulemap, version=1)[source]
idstools.scripts.rulecat.write_to_directory(directory, files, rulemap)[source]
idstools.scripts.rulecat.write_yaml_fragment(filename, files)[source]

idstools.scripts.u2eve module

Read unified2 log files and output events as Suricata EVE JSON.

class idstools.scripts.u2eve.EveFilter(msgmap=None, classmap=None)[source]

Bases: object

filter(event)[source]
getprotobynumber(protocol)[source]
resolve_classification(event, default=None)[source]
resolve_msg(event, default=None)[source]
class idstools.scripts.u2eve.OutputWrapper(filename, fileobj=None)[source]

Bases: object

reopen()[source]
write(buf)[source]
idstools.scripts.u2eve.calculate_flow_id(event)[source]
idstools.scripts.u2eve.get_tzoffset(sec)[source]
idstools.scripts.u2eve.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2eve.main()[source]
idstools.scripts.u2eve.render_timestamp(sec, usec)[source]

idstools.scripts.u2fast module

Read unified2 log files and output events in “fast” style.

idstools.scripts.u2fast.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2fast.main()[source]
idstools.scripts.u2fast.print_event(event, msgmap, classmap)[source]
idstools.scripts.u2fast.print_time(sec, usec)[source]

idstools.scripts.u2json module

Read unified2 log files and output records as JSON.

class idstools.scripts.u2json.Formatter(msgmap=None, classmap=None)[source]

Bases: object

format(record)[source]
format_event(record)[source]
format_extra_data(record)[source]
format_packet(record)[source]
resolve_classification(event, default=None)[source]
resolve_msg(event, default=None)[source]
class idstools.scripts.u2json.OutputWrapper(filename, fileobj=None)[source]

Bases: object

reopen()[source]
write(buf)[source]
idstools.scripts.u2json.load_from_snort_conf(snort_conf, classmap, msgmap)[source]
idstools.scripts.u2json.main()[source]
idstools.scripts.u2json.rollover_hook(closed, opened)[source]

The rollover hook for the spool reader. Will delete the closed file.

idstools.scripts.u2spewfoo module

A python reimplementation of Snort’s u2spewfoo.

idstools.scripts.u2spewfoo.main()[source]
idstools.scripts.u2spewfoo.print_char(char)[source]
idstools.scripts.u2spewfoo.print_event(event)[source]
idstools.scripts.u2spewfoo.print_extra(extra)[source]
idstools.scripts.u2spewfoo.print_packet(packet)[source]
idstools.scripts.u2spewfoo.print_raw(raw)[source]
idstools.scripts.u2spewfoo.print_record(record)[source]
idstools.scripts.u2spewfoo.printable_chars(buf)[source]

Module contents