Skip to content

Latest commit

 

History

History
23 lines (15 loc) · 1.2 KB

README.md

File metadata and controls

23 lines (15 loc) · 1.2 KB

snortparser

This is a fork of snortparser by g-rd. The original repo can be found at https://github.com/g-rd/snortparser.

Snort rule parser written in python. The main goal for this library is to validate snort rules and have them parsed into a workable dictionary object. A interactive python notebook can be found here.

The parser class accepts a snort rule as input and returns a dictionary that contains the parsed output.

from snortparser import Parser

# define a snort rule
rule = ('alert tcp $HOME_NET any -> !$EXTERNAL_NET any (msg:\"MALWARE-BACKDOOR - Dagger_1.4.0\"; flow:to_client,established; content:\"2|00 00 00 06 00 00 00|Drives|24 00|\"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)')

# parse the rule
parsed = Parser(rule)

# print the parsed rule
print(parsed.header)
print(parsed.options)

NOTE: If the parser is unable to parse the rule, it will return a ValueError with the invalid rule item. Additionally, it does not care about misplaced spaces in the headers ip and port definitions like: " alert tcp ![ 127.0.0.1, !8.8.8.8 ] any --> ". This is by design, since I am not sure if snort cares about header syntax that much.