Rule Parsing¶

The idstools rule parsing can parse individual rule strings as well as multiple rules from a file or file like objects.

The Rule Object¶

The parsing functions will return one, or a list of Rule objects that present the rule as a dictionary.

class idstools.rule.Rule(enabled=None, action=None, group=None)[source]

Class representing a rule.

The Rule class is a class that also acts like a dictionary.

Dictionary fields:

group: The group the rule belongs to, typically the filename.
enabled: True if rule is enabled (uncommented), False is disabled (commented)
action: The action of the rule (alert, pass, etc) as a string
proto: The protocol string of the rule.
source_addr: The source address string of the rule.
source_port: The source ports string of the rule.
direction: The direction string of the rule.
dest_addr: The destination address string of the rule.
dest_port: The destination ports string of the rule.
gid: The gid of the rule as an integer
sid: The sid of the rule as an integer
rev: The revision of the rule as an integer
msg: The rule message as a string
flowbits: List of flowbit options in the rule
metadata: Metadata values as a list
references: References as a list
classtype: The classification type
priority: The rule priority, 0 if not provided
raw: The raw rule as read from the file or buffer

Parameters:	enabled – Optional parameter to set the enabled state of the rule action – Optional parameter to set the action of the rule group – Optional parameter to set the group (filename) of the rule

Note

Parsed rules are primarily read only, with the exception of toggling the enabled state of the rule, modification is not really supported.

Parsing¶

rule.parse(group=None)

Parse a single rule for a string buffer.

Parameters:	buf – A string buffer containing a single Snort-like rule
Returns:	An instance of of `Rule` representing the parsed rule

rule.parse_fileobj(group=None)

Parse multiple rules from a file like object.

Note: At this time rules must exist on one line.

Parameters:	fileobj – A file like object to parse rules from.
Returns:	A list of `Rule` instances, one for each rule parsed

rule.parse_file(group=None)

Parse multiple rules from the provided filename.

Parameters:	filename – Name of file to parse rules from
Returns:	A list of `Rule` instances, one for each rule parsed

Printing¶

The string representation of the object will print the full rule respecting the enabled option of the rule.

For example:

>>> idstools.rule.parse('alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)')
>>> rule = idstools.rule.parse('alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)')
>>> print(rule)
alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)
>>> rule["enabled"] = False
>>> print(rule)
# alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)

A brief description of the rule can be printed with idstools.rule.Rule.brief() or a string representing the rule ID can be printed with idstools.rule.Rule.idstr().

Flowbit Resolution¶

The idstools.rule.FlowbitResolver is able to resolve the flowbits for a set of rules presented as a dictionary.

Rule Parsing¶

The Rule Object¶

Parsing¶

Printing¶

Flowbit Resolution¶

Table of Contents

Previous topic

Next topic

This Page