idstools.scripts.rulecat module

class idstools.scripts.rulecat.AllRuleMatcher

Bases: object

Matcher object to match all rules.

match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.DropRuleFilter(matcher)

Bases: object

Filter to modify an idstools rule object into a drop rule.

filter(rule)
is_noalert(rule)
match(rule)
class idstools.scripts.rulecat.Fetch(args)

Bases: object

check_checksum(tmp_filename, url)
extract_files(filename)
fetch(url)
get_tmp_filename(url)
progress_hook(content_length, bytes_read)
progress_hook_finish()
run()
url_basename(url)

Return the base filename of the URL.

class idstools.scripts.rulecat.FileTracker

Bases: object

Used to check if files are modified.

Usage: Add files with add(filename) prior to modification. Test with any_modified(), which returns True if the checksum of any added file has changed.

add(filename)
any_modified()
md5(filename)
class idstools.scripts.rulecat.FilenameMatcher(filename)

Bases: object

Matcher object to match a rule by its filename. This is similar to a group but has no specifier prefix.

match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.GroupMatcher(pattern)

Bases: object

Matcher object to match an idstools rule object by its group (i.e. filename).

match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.IdRuleMatcher(generatorId, signatureId)

Bases: object

Matcher object to match an idstools rule object by its signature ID.

match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.ModifyRuleFilter(matcher, pattern, repl)

Bases: object

Filter to modify an idstools rule object.

Important note: This filter does not modify the rule in place, but instead returns a new rule object with the modification applied.

filter(rule)
match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.ReRuleMatcher(pattern)

Bases: object

Matcher object to match an idstools rule object by regular expression.

match(rule)
classmethod parse(buf)
class idstools.scripts.rulecat.ThresholdProcessor

Bases: object

extract_pattern(buf)
extract_regex(buf)
patterns = [re.compile('\\s+(re:"(.*)")'), re.compile('\\s+(re:(.*?)),.*'), re.compile('\\s+(re:(.*))')]
process(filein, fileout, rulemap)
replace(threshold, rule)
idstools.scripts.rulecat.build_report(prev_rulemap, rulemap)

Build a report of changes between two rulemaps.

Returns a dict with the following keys, each containing a list of rules:

- added
- removed
- modified

idstools.scripts.rulecat.build_rule_map(rules)

Turn a list of rules into a mapping of rules keyed by gid:sid.

In case of a gid:sid conflict, the rule with the higher revision number is used.
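As an added example (not idstools' own code), the gid:sid conflict rule above and the added/removed/modified keys of build_report, re-implemented over a constructed minimal Rule type; real idstools rule objects carry more fields than the gid, sid, rev and raw text assumed here.

```python
# Added example: minimal rulemap/report logic in the spirit of rulecat.
# The Rule type and sample rules are constructed for this example; they
# are not idstools' own classes or data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    rev: int
    raw: str  # full rule text; a changed text means a modified rule

RuleMap = Dict[Tuple[int, int], Rule]

def build_rule_map(rules: List[Rule]) -> RuleMap:
    """Map gid:sid -> rule. On a conflict the higher rev wins, so a stale
    duplicate of a rule cannot silently replace its newer revision."""
    rulemap: RuleMap = {}
    for rule in rules:
        key = (rule.gid, rule.sid)
        existing = rulemap.get(key)
        if existing is None or rule.rev > existing.rev:
            rulemap[key] = rule
    return rulemap

def build_report(prev_rulemap: RuleMap, rulemap: RuleMap) -> Dict[str, List[Rule]]:
    """Report which rules were added, removed or modified between two maps."""
    report: Dict[str, List[Rule]] = {"added": [], "removed": [], "modified": []}
    for key, rule in rulemap.items():
        if key not in prev_rulemap:
            report["added"].append(rule)
        elif prev_rulemap[key].raw != rule.raw:
            report["modified"].append(rule)
    for key, rule in prev_rulemap.items():
        if key not in rulemap:
            report["removed"].append(rule)
    return report

# Constructed sample data: a previous and a current download of a ruleset.
PREVIOUS = [
    Rule(1, 2000001, 1, 'alert tcp any any -> any 80 (msg:"A"; sid:2000001; rev:1;)'),
    Rule(1, 2000002, 3, 'alert tcp any any -> any 443 (msg:"B"; sid:2000002; rev:3;)'),
]
CURRENT = [
    Rule(1, 2000001, 2, 'alert tcp any any -> any 80 (msg:"A"; sid:2000001; rev:2;)'),
    Rule(1, 2000001, 1, 'alert tcp any any -> any 80 (msg:"A"; sid:2000001; rev:1;)'),
    Rule(1, 2000003, 1, 'alert udp any any -> any 53 (msg:"C"; sid:2000003; rev:1;)'),
]

def sample_report() -> Dict[str, List[Rule]]:
    """Diff the two constructed downloads; the rev:1 duplicate is dropped."""
    return build_report(build_rule_map(PREVIOUS), build_rule_map(CURRENT))
```

Running sample_report() reports sid 2000003 as added, 2000002 as removed and 2000001 as modified, with the stale rev:1 copy of 2000001 ignored.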

idstools.scripts.rulecat.dump_sample_configs()
idstools.scripts.rulecat.ignore_file(ignore_files, filename)
idstools.scripts.rulecat.load_drop_filters(filename)
idstools.scripts.rulecat.load_filters(filename)
idstools.scripts.rulecat.load_local(local, files)

Load local files into the files dict.

idstools.scripts.rulecat.load_matchers(filename)
idstools.scripts.rulecat.main()
idstools.scripts.rulecat.parse_rule_match(match)
idstools.scripts.rulecat.resolve_etopen_url(suricata_version)
idstools.scripts.rulecat.resolve_etpro_url(etpro, suricata_version)
idstools.scripts.rulecat.resolve_flowbits(rulemap, disabled_rules)
idstools.scripts.rulecat.write_merged(filename, rulemap)
idstools.scripts.rulecat.write_sid_msg_map(filename, rulemap, version=1)
idstools.scripts.rulecat.write_to_directory(directory, files, rulemap)
idstools.scripts.rulecat.write_yaml_fragment(filename, files)