idstools.maps module

Provide mappings from ID’s to descriptions.

Includes mapping classes for event ID messages and classification information.

class idstools.maps.ClassificationMap(fileobj=None)[source]

Bases: object

ClassificationMap maps classification IDs and names to a dict object describing a classification.

Parameters:fileobj – (Optional) A file like object to load classifications from on initialization.

The classification dicts stored in the map have the following fields:

  • name (string)
  • description (string)
  • priority (int)

Example:

>>> from idstools import maps
>>> classmap = maps.ClassificationMap()
>>> classmap.load_from_file(open("tests/classification.config"))

>>> classmap.get(3)
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}
>>> classmap.get_by_name("bad-unknown")
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}
add(classification)[source]

Add a classification to the map.

get(class_id)[source]

Get a classification by ID.

Parameters:class_id – The classification ID to get.
Returns:A dict describing the classification or None.
get_by_name(name)[source]

Get a classification by name.

Parameters:name – The name of the classification
Returns:A dict describing the classification or None.
load_from_file(fileobj)[source]

Load classifications from a Snort style classification.config file object.

size()[source]
class idstools.maps.SignatureMap[source]

Bases: object

SignatureMap maps signature IDs to a signature info dict.

The signature map can be build up from classification.config, gen-msg.map, and new and old-style sid-msg.map files.

The dict’s in the map will have at a minimum the following fields:

  • gid (int)
  • sid (int)
  • msg (string)
  • refs (list of strings)

Signatures loaded from a new style sid-msg.map file will also have rev, classification and priority fields.

Example:

>>> from idstools import maps
>>> sigmap = maps.SignatureMap()
>>> sigmap.load_generator_map(open("tests/gen-msg.map"))
>>> sigmap.load_signature_map(open("tests/sid-msg-v2.map"))
>>> print(sigmap.get(1, 2495))
{'classification': 'misc-attack', 'rev': 8, 'priority': 0, 'gid': 1,
'sid': 2495,
'msg': 'GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt',
'ref': ['bugtraq,8811', 'cve,2003-0813', 'nessus,12206',
'url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx']}
get(generator_id, signature_id)[source]

Get signature info by generator_id and signature_id.

Parameters:
  • generator_id – The generator id of the signature to lookup.
  • signature_id – The signature id of the signature to lookup.

For convenience, if the generator_id is 3 and the signature is not found, a second lookup will be done using a generator_id of 1.

load_generator_map(fileobj)[source]

Load the generator message map (gen-msg.map) from a file-like object.

load_signature_map(fileobj, defaultgid=1)[source]

Load signature message map (sid-msg.map) from a file-like object.

size()[source]