py-idstools
Feature request: extract ruleset when parsing
The Rule object has no ruleset attribute.
Examples:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)
is from the ET ruleset
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
is from SNORT GPL
Usually the ruleset is the first word in the Rule.msg attribute, so it should not be difficult to extract. If someone does not use this convention, it should be possible to opt out of this parsing step, maybe by letting the parser take this value as an optional argument.
I'm not too sure about this one. I don't like to make guesses or assumptions. Do you have an example use case in mind?
If using the parser as a library in your own tool, I think it's easy enough to add something like this post-parsing, but I don't think it's deterministic enough to bake in.
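The post-parsing step the reply suggests, written here as an added example rather than code from py-idstools or either participant: it pulls the msg option out of a rule string, takes the first word as the ruleset only when that word is in a caller-supplied set of known prefixes (the two seen in the thread, ET and GPL), and exposes the opt-out the reporter asks for as an argument. The function names, the `known` parameter and the third rule (one with no ruleset prefix) are assumptions constructed for the example; switching `known` off shows why the bare first-word heuristic is not deterministic.

```python
import re

# Constructed sample input: the two rules quoted in the issue plus one rule
# whose msg does not start with a ruleset name.
SAMPLE_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable '
    'sent when remote host claims to send an image 2"; flow: established,from_server; '
    'content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; '
    'classtype:trojan-activity; sid:2020757; rev:2;)',
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; '
    'metadata:created_at 2010_09_23, updated_at 2010_09_23;)',
    # Constructed: a locally written rule that does not follow the convention.
    'alert tcp any any -> any 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)',
]

# Ruleset prefixes accepted by default; only the two that appear in the issue.
KNOWN_RULESETS = frozenset({"ET", "GPL"})

# msg:"..." allowing backslash-escaped quotes inside the string.
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def extract_msg(rule_text):
    """Return the msg option of a Snort/Suricata rule, or None if it has none."""
    match = _MSG_RE.search(rule_text)
    if match is None:
        return None
    return match.group(1).replace('\\"', '"')


def guess_ruleset(msg, known=KNOWN_RULESETS):
    """Guess the ruleset from the first word of msg.

    With a `known` set, only those prefixes are accepted; anything else gives
    None.  With known=None the loose heuristic (first word is all upper-case)
    is used instead, which is where the false positives come from.
    """
    if not msg:
        return None
    first = msg.split(None, 1)[0]
    if known is not None:
        return first if first in known else None
    return first if first.isupper() and first.isalnum() else None


def parse_with_ruleset(rule_text, extract_ruleset=True, known=KNOWN_RULESETS):
    """Hypothetical post-parsing step: returns (sid, msg, ruleset).

    extract_ruleset=False is the opt-out the issue asks for: ruleset is None.
    """
    msg = extract_msg(rule_text)
    sid_match = _SID_RE.search(rule_text)
    sid = int(sid_match.group(1)) if sid_match else None
    ruleset = guess_ruleset(msg, known) if extract_ruleset else None
    return sid, msg, ruleset


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        print(parse_with_ruleset(text))
    # The loose heuristic labels the third rule "SSH", which is not a ruleset.
    print(guess_ruleset(extract_msg(SAMPLE_RULES[2]), known=None))
```

With the default `known` set the third rule yields no ruleset, which is the safe answer; with `known=None` the same rule is tagged "SSH", which is the kind of wrong guess that argues against baking the heuristic into the parser itself.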