## Intro
Snort rule tokenizer and parser written using PLY. This is my first tokenizer, parser and I may make improvements/changes as time goes on. The focus of this package currently is to allow programmatically working with snort rules, not necessarily detect the minutae of incorrect option combinations.
If you have any suggestions, ideas, or improvements feel free to open an issue. Inspiration drawn from plyara. Thanks to David Beazley for his work on the PLY package.
## Usage
```python
pip install SRParser
```
```python
from SRParser import SnortParser
data = '''
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; )
'''
parser = SnortParser()
my_rules = parser.parse_rules(data)
for rule in my_rules:
print(rule.__dict__)
```
```
{'action': 'alert', 'protocol': 'tcp', 'source_ip': '$HTTP_SERVERS', 'source_port': '$HTTP_PORTS', 'direction': '->', 'dest_ip': '$EXTERNAL_NET', 'dest_port': 'any', 'body_options': [{'msg': '"INDICATOR-COMPROMISE file copied ok"'}, {'flow': 'to_client,established'}, {'file_data': ';'}, {'content': '"1 file|28|s|29| copied",fast_pattern,nocase'}, {'metadata': 'policy max-detect-ips drop,ruleset
community'}, {'service': 'http'}, {'reference': 'bugtraq,1806'}, {'reference': 'cve,2000-0884'}, {'classtype': 'bad-unknown'}, {'sid': '497'}, {'rev': '21'}], 'raw_text': 'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied",fast_pattern,nocase; metadata:policy max-detect-ips
drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; )', 'service_rule': False}
```
Raw data
{
"_id": null,
"home_page": "https://www.github.com/jrbrawner/SnortParser",
"name": "SRParser",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "snort rule parser",
"author": "Joshua Brawner",
"author_email": "jrbbrawner@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/85/a0/3ffdf888ebcf8e3d00ed1afc465a89a8450e1cc77b2dbc4d918b07adce9c/SRParser-1.0.1.tar.gz",
"platform": null,
"description": "## Intro\r\n\r\nSnort rule tokenizer and parser written using PLY. This is my first tokenizer, parser and I may make improvements/changes as time goes on. The focus of this package currently is to allow programmatically working with snort rules, not necessarily detect the minutae of incorrect option combinations.\r\n\r\nIf you have any suggestions, ideas, or improvements feel free to open an issue. Inspiration drawn from plyara. Thanks to David Beazley for his work on the PLY package.\r\n\r\n## Usage\r\n\r\n```python\r\npip install SRParser\r\n```\r\n\r\n```python\r\nfrom SRParser import SnortParser\r\n\r\ndata = '''\r\nalert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:\"INDICATOR-COMPROMISE file copied ok\"; flow:to_client,established; file_data; content:\"1 file|28|s|29| copied\",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; )\r\n'''\r\n\r\nparser = SnortParser()\r\nmy_rules = parser.parse_rules(data)\r\n\r\nfor rule in my_rules:\r\n print(rule.__dict__)\r\n```\r\n\r\n```\r\n{'action': 'alert', 'protocol': 'tcp', 'source_ip': '$HTTP_SERVERS', 'source_port': '$HTTP_PORTS', 'direction': '->', 'dest_ip': '$EXTERNAL_NET', 'dest_port': 'any', 'body_options': [{'msg': '\"INDICATOR-COMPROMISE file copied ok\"'}, {'flow': 'to_client,established'}, {'file_data': ';'}, {'content': '\"1 file|28|s|29| copied\",fast_pattern,nocase'}, {'metadata': 'policy max-detect-ips drop,ruleset \r\ncommunity'}, {'service': 'http'}, {'reference': 'bugtraq,1806'}, {'reference': 'cve,2000-0884'}, {'classtype': 'bad-unknown'}, {'sid': '497'}, {'rev': '21'}], 'raw_text': 'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:\"INDICATOR-COMPROMISE file copied ok\"; flow:to_client,established; file_data; content:\"1 file|28|s|29| copied\",fast_pattern,nocase; metadata:policy max-detect-ips \r\ndrop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; )', 'service_rule': False}\r\n```\r\n",
"bugtrack_url": null,
"license": "Apache Software License",
"summary": "Parse and easily work with Snort rules.",
"version": "1.0.1",
"project_urls": {
"Homepage": "https://www.github.com/jrbrawner/SnortParser"
},
"split_keywords": [
"snort",
"rule",
"parser"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "85a03ffdf888ebcf8e3d00ed1afc465a89a8450e1cc77b2dbc4d918b07adce9c",
"md5": "44d54ed5a167f499db999dbd75220ba5",
"sha256": "2608c448d3523743ef4afe5112a775a08ddf3cd0c6bf4c56f33900a8b5cb4b90"
},
"downloads": -1,
"filename": "SRParser-1.0.1.tar.gz",
"has_sig": false,
"md5_digest": "44d54ed5a167f499db999dbd75220ba5",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 10364,
"upload_time": "2023-07-13T22:48:22",
"upload_time_iso_8601": "2023-07-13T22:48:22.534456Z",
"url": "https://files.pythonhosted.org/packages/85/a0/3ffdf888ebcf8e3d00ed1afc465a89a8450e1cc77b2dbc4d918b07adce9c/SRParser-1.0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-07-13 22:48:22",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "jrbrawner",
"github_project": "SnortParser",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "srparser"
}