package documentation
Module for parsing Snort-like rules.
Parsing is done using regular expressions; the job of this module is to do its best at extracting the fields of interest from a rule rather than to sanity-check it.
The methods that parse multiple rules from a provided input (parse_file, parse_fileobj) return a list of rules instead of a dict keyed by ID, as it is not the job of this module to detect or deal with duplicate signature IDs.
From __init__.py:
| Kind | Name | Summary |
|---|---|---|
| Class | | No class docstring; 0/1 instance variable, 0/2 class variable, 1/6 method documented |
| Class | | Class representing a rule. |
| Function | add | Undocumented |
| Function | enable | Helper function to resolve flowbits, wrapping the FlowbitResolver class. |
| Function | find | Find the end of an option (;) handling escapes. |
| Function | format | Format a rule as a sid-msg.map entry. |
| Function | format | Format a rule as a v2 sid-msg.map entry. |
| Function | parse | Parse a single rule from a string buffer. |
| Function | parse | Parse multiple rules from the provided filename. |
| Function | parse | Parse multiple rules from a file-like object. |
| Function | remove | Undocumented |
| Variable | actions | Undocumented |
| Variable | logger | Undocumented |
| Variable | rule | Undocumented |
Format a rule as a v2 sid-msg.map entry.
e.g.: gid || sid || rev || classification || priority || msg || ref0 || refN
Parse a single rule from a string buffer.

| Parameter | Description |
|---|---|
| buf | A string buffer containing a single Snort-like rule |
| group | Undocumented |

Returns: An instance of .Rule representing the parsed rule.
Parse multiple rules from the provided filename.

| Parameter | Description |
|---|---|
| filename | Name of file to parse rules from |
| group | Undocumented |

Returns: A list of .Rule instances, one for each rule parsed.
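The parse-from-buffer and v2 sid-msg.map entries above describe the two halves of the module's job. As an added example (my own code, not the module's), the block below shows the same approach in miniature: a regex pulls the header and option body out of a single Snort-like rule, the option body is split on unescaped `;` in the spirit of the "find the end of an option" helper, only fields of interest are kept (no sanity checking), and the result is rendered as a `gid || sid || rev || classification || priority || msg || ref0 || refN` line. The sample rule, the header regex and the field defaults are constructed assumptions for this example.

```python
import re

# Constructed example rule (not from the page); the msg contains an escaped ";".
SAMPLE_RULE = (
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE GET with \; inside"; '
    r'content:"GET"; classtype:web-application-attack; reference:url,example.invalid/r; '
    r'reference:cve,0000-0000; priority:2; sid:1000001; rev:3;)'
)

# Header (action proto src sport dir dst dport) followed by the option body in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)

def find_opt_end(options):
    """Index of the first ';' that is not escaped with a backslash, or -1 if none."""
    offset = 0
    while True:
        i = options.find(";", offset)
        if i <= 0 or options[i - 1] != "\\":
            return i
        offset = i + 1

def parse(buf):
    """Parse one Snort-like rule into a dict of fields of interest; None if the header does not match."""
    m = RULE_RE.match(buf.strip())
    if not m:
        return None
    rule = {"gid": 1, "sid": None, "rev": 0, "priority": 0, "classtype": None,
            "msg": "", "references": [], "action": m.group("action")}
    body = m.group("options")
    while body.strip():
        end = find_opt_end(body)
        if end < 0:
            break                                  # unterminated option: keep what we have
        opt, body = body[:end].strip(), body[end + 1:]
        name, _, value = opt.partition(":")        # split only on the first ':' so URLs survive
        value = value.strip()
        if name in ("sid", "gid", "rev", "priority"):
            rule[name] = int(value)
        elif name in ("msg", "classtype"):
            rule[name] = value.strip('"').replace("\\;", ";")
        elif name == "reference":
            rule["references"].append(value)
    return rule

def format_sidmsgmap_v2(rule):
    """v2 sid-msg.map line: gid || sid || rev || classification || priority || msg || ref0 || refN."""
    fields = [rule["gid"], rule["sid"], rule["rev"], rule["classtype"] or "NOCLASS", rule["priority"], rule["msg"]]
    return " || ".join(str(f) for f in fields + rule["references"])
```

Options the example does not care about (here `content`) are skipped rather than rejected, matching the "fields of interest, not a sanity check" stance of the module.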