idstools.maps module

Provide mappings from IDs to descriptions.

Includes mapping classes for event ID messages and classification information.

class idstools.maps.ClassificationMap(fileobj=None)[source]

Bases: object

ClassificationMap maps classification IDs and names to a dict object describing a classification.

Parameters: fileobj – (Optional) A file-like object to load classifications from on initialization.

The classification dicts stored in the map have the following fields:

  • name (string)
  • description (string)
  • priority (int)


>>> from idstools import maps
>>> classmap = maps.ClassificationMap()
>>> classmap.load_from_file(open("tests/classification.config"))

>>> classmap.get(3)
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}
>>> classmap.get_by_name("bad-unknown")
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}

add(classification)[source]

Add a classification to the map.

get(class_id)[source]

Get a classification by ID.

Parameters: class_id – The classification ID to get.
Returns: A dict describing the classification or None.

get_by_name(name)[source]

Get a classification by name.

Parameters: name – The name of the classification.
Returns: A dict describing the classification or None.

load_from_file(fileobj)[source]

Load classifications from a Snort style classification.config file object.

class idstools.maps.SignatureMap[source]

Bases: object

SignatureMap maps signature IDs to a signature info dict.

The signature map can be built up from classification.config, and from new- and old-style files.

The dicts in the map will have at a minimum the following fields:

  • gid (int)
  • sid (int)
  • msg (string)
  • refs (list of strings)

Signatures loaded from a new style file will also have rev, classification and priority fields.


>>> from idstools import maps
>>> sigmap = maps.SignatureMap()
>>> sigmap.load_generator_map(open("tests/"))
>>> sigmap.load_signature_map(open("tests/"))
>>> print(sigmap.get(1, 2495))
{'classification': 'misc-attack', 'rev': 8, 'priority': 0, 'gid': 1,
'sid': 2495,
'msg': 'GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt',
'ref': ['bugtraq,8811', 'cve,2003-0813', 'nessus,12206',

get(generator_id, signature_id)[source]

Get signature info by generator_id and signature_id.

Parameters:

  • generator_id – The generator id of the signature to look up.
  • signature_id – The signature id of the signature to look up.

For convenience, if the generator_id is 3 and the signature is not found, a second lookup will be done using a generator_id of 1.


load_generator_map(fileobj)[source]

Load the generator message map from a file-like object.

load_signature_map(fileobj, defaultgid=1)[source]

Load the signature message map from a file-like object.
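As an added, self-contained illustration (not idstools' own code) of both maps this module documents and of the gid 3 to gid 1 fallback described under get(): the parsers below read constructed classification.config and sid-msg.map style input, which is assumed here to follow Snort's "config classification:" and "||"-separated conventions, and the function names (load_classifications, load_signatures, lookup, describe_event) are hypothetical.

```python
import re
# Constructed sample inputs (not the page's tests/ files): a classification.config and a #v2 sid-msg.map.
CLASSIFICATION_CONFIG = """\
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: misc-attack,Misc Attack,2
"""
SID_MSG_MAP = """\
#v2
1 || 2495 || 8 || misc-attack || 0 || GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813
2100 || GPL SHELLCODE x86 NOOP || arachnids,181
"""

def load_classifications(lines):
    """Parse 'config classification: name,description,priority' lines into {name: dict}."""
    pattern = re.compile(r"config classification:\s*([^,]+),([^,]+),(\d+)")
    classmap = {}
    for m in filter(None, (pattern.match(line.strip()) for line in lines)):  # non-matching lines are ignored
        classmap[m.group(1)] = {"name": m.group(1), "description": m.group(2), "priority": int(m.group(3))}
    return classmap

def load_signatures(lines, defaultgid=1):
    """Parse sid-msg.map lines into {(gid, sid): dict}; old-style rows (sid || msg || refs) get defaultgid."""
    sigmap = {}
    for line in (l.strip() for l in lines):
        if not line or line.startswith("#"):  # skips comments and the '#v2' marker
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 6 and parts[0].isdigit() and parts[2].isdigit():  # new style: gid||sid||rev||class||prio||msg||refs
            entry = {"gid": int(parts[0]), "sid": int(parts[1]), "rev": int(parts[2]),
                     "classification": parts[3], "priority": int(parts[4]), "msg": parts[5], "ref": parts[6:]}
        else:
            entry = {"gid": defaultgid, "sid": int(parts[0]), "msg": parts[1], "ref": parts[2:]}
        sigmap[(entry["gid"], entry["sid"])] = entry
    return sigmap

def lookup(sigmap, gid, sid):
    """The documented convenience: a miss under gid 3 is retried under gid 1."""
    entry = sigmap.get((gid, sid))
    if entry is None and gid == 3:
        entry = sigmap.get((1, sid))
    return entry

def describe_event(sigmap, classmap, gid, sid):
    """Render a raw (gid, sid) pair from an event record as a one-line, human-readable summary."""
    sig = lookup(sigmap, gid, sid)
    if sig is None:
        return "%d:%d (unknown signature)" % (gid, sid)
    cls = classmap.get(sig.get("classification"), {})  # old-style rows carry no classification
    return "%d:%d %s [%s, priority %s]" % (gid, sid, sig["msg"],
                                           cls.get("description", "unclassified"), cls.get("priority", "?"))
```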