Awesome
suricataparser
Pure python package for parsing and generating Snort/Suricata rules.
Installation
via pip:
pip install suricataparser
via Poetry:
poetry add suricataparser
Project status
Suricataparser completed, api is stable and frozen. If you found a bug, create an issue.
Usage examples
Parse file with rules:
from suricataparser import parse_file
rules = parse_file("suricata.rules")
Parse raw rule:
from suricataparser import parse_rule
rule = parse_rule('alert tcp any any -> any any (sid:1; gid:1;)')
Parse string with many rules:
from suricataparser import parse_rules
rules_object = "..."
rules = parse_rules(rules_object)
View rule properties:
>>> rule.sid
1
>>> rule.action
alert
>>> rule.header
tcp any any -> any any
>>> rule.msg
'"Msg"'
Turn on/off rule:
>>> rule.enabled
True
>>> rule.enabled = False
>>> print(rule)
# alert tcp any any -> any any (msg:"Msg"; sid:1; gid:1;)
Modify options:
>>> rule.add_option("http_uri")
>>> rule.add_option("key", "value")
>>> print(rule)
alert tcp any any -> any any (msg: "Msg"; sid: 1; gid: 1; http_uri; key: value;)
>>> rule.pop_option("key")
>>> print(rule)
alert tcp any any -> any any (msg: "Msg"; sid: 1; gid: 1; http_uri;)