Comments (4)
The usage of the group field is actually to contain the filename the rule was extracted from (see https://github.com/jasonish/py-idstools/blob/master/idstools/scripts/rulecat.py#L749). Rulecat then has a keyword, "group:" to enable/disable rules based on their group.
I do see use for what you are suggesting, but perhaps under a different name than group? Or perhaps the filename was misnamed, and should be something else.
From this blog post http://blog.snort.org/2012/03/rule-category-reorganization.html, it looks like Talos refers to the filename and the leading all caps in the message as a category. Perhaps the rule parser should parse out this all caps data as "category" and not group - keeping group as the filename.
from py-idstools.
Referring to this attribute as category will be ok.

> Perhaps the rule parser should parse out this all caps data as "category" and not group - keeping group as the filename.

I think that category is just the second uppercase word of the `msg`, considering also the first word or the third would cause some issue. IMO the category should enrich the information given by the `classtype` attribute, adding context.
These are some examples of categorization:
- `ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)` should be categorized just as TROJAN because this is the main information about the rule
- `ET TROJAN WORM_VOBFUS Requesting exe` will also be categorized as TROJAN, but should not be categorized as WORM_VOBFUS because it does not make sense to have a category just for one malware
- `GPL TROJAN BackOrifice access` will also be categorized as TROJAN, not GPL TROJAN
- `GPL SMTP OUTBOUND bad file attachment` will be categorized as SMTP, the OUTBOUND is not a categorization information
- `GPL SMTP SMTP relaying denied` will be categorized as SMTP, this example also shows the pattern used.
Rules coming from ET follow this convention on the `msg` field:

`<SET> <CATEGORY> <description>`

`ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)` should be parsed as:
- set -> ET
- category -> TROJAN
- description -> ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)
However, looking into Talos' rules for SNORT, I noticed they use a different convention on `msg`:

`<CATEGORY>-<SUBCATEGORY> <description>`

`MALWARE-BACKDOOR NetBus Pro 2.0 connection established` should be parsed as:
- category -> MALWARE
- subcategory -> BACKDOOR
- description -> NetBus Pro 2.0 connection established
With this in mind I think that a better solution would be to add some code to the parser that can recognize if the `msg` field is following one of the above mentioned conventions and then parse the field according to this (so also the issue #42 will be included in the feature).
It would be great if we can also make it work with other naming conventions, but this will require more reasoning.
from py-idstools.
Going deeper in SNORT rules I found that they use a more particular pattern to include metadata in the `msg` field:
- the first uppercase word is the category
- the first uppercase word may be a dash-separated word, in this case the first part is the main category while the second seems to be a subcategory
- if the category is DELETED the second word is the previous category of the rule

With this in mind I think that a parser to extract metadata from the `msg` field cannot work if we do not tell it what convention is in use. So I think that this feature, if approved, should be used by giving an explicit parameter and should not be enabled by default (to avoid unnecessary and error prone parsing).
Something like

```python
def parse(buf, group=None, msg_metadata=None):
    ...
    elif name == "msg":
        ...
        rule[name] = val
        # only parse msg metadata when the caller asked for a convention
        if msg_metadata:
            rule.parse_msg_metadata(msg_metadata)
```
from py-idstools.
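The two `msg` conventions described in the earlier comment (ET `<SET> <CATEGORY> <description>` and Talos `<CATEGORY>-<SUBCATEGORY> <description>`) and the opt-in, explicit-convention design proposed just above, as an added example that is not py-idstools code: the function names, the regular expressions, and the handling of DELETED rules are assumptions built only from the examples quoted in this thread.

```python
import re
# Added example (not py-idstools code): extract category metadata from a rule's
# msg field under an explicitly chosen convention; names/regexes are assumptions.

# ET / GPL convention: <SET> <CATEGORY> <description>
_ET_RE = re.compile(r"^(?P<set>[A-Z]+) (?P<category>[A-Z_]+) (?P<description>.+)$")
# Talos convention: <CATEGORY>[-<SUBCATEGORY>] <description>
_TALOS_RE = re.compile(
    r"^(?P<category>[A-Z]+)(?:-(?P<subcategory>[A-Z0-9]+))? (?P<description>.+)$")
# The quoted msg option inside one rule line (backslash escapes allowed).
_MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')

def _parse_et(msg):
    m = _ET_RE.match(msg)
    return m.groupdict() if m else None

def _parse_talos(msg):
    m = _TALOS_RE.match(msg)
    if not m:
        return None
    meta = m.groupdict()
    # A DELETED rule carries its former category as the next word; assumed to
    # keep the CATEGORY-SUBCATEGORY form, so the remainder is parsed again.
    if meta["category"] == "DELETED":
        previous = _parse_talos(meta["description"])
        if previous:
            meta["previous_category"] = previous["category"]
            meta["previous_subcategory"] = previous["subcategory"]
            meta["description"] = previous["description"]
    return meta

_CONVENTIONS = {"et": _parse_et, "talos": _parse_talos}

def parse_msg_metadata(msg, convention):
    """Return the metadata dict for msg under the named convention ("et" or
    "talos"), or None when msg does not follow it; nothing is guessed."""
    if convention not in _CONVENTIONS:
        raise ValueError("unknown msg convention: %r" % convention)
    return _CONVENTIONS[convention](msg)

def msg_of(rule):
    """Return the msg option value of a single rule line, or None if absent."""
    m = _MSG_RE.search(rule)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed rule line in the GPL style quoted in the discussion above.
    rule = 'alert tcp any any -> any 25 (msg:"GPL SMTP SMTP relaying denied"; sid:1;)'
    print(parse_msg_metadata(msg_of(rule), "et"))
```

Because the convention is a required argument, a rule set that follows neither scheme simply yields None instead of a wrong category.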
Ok, this feature is out of scope.
If needed I will use it out of this library.
from py-idstools.