Pure python parser for Snort/Suricata rules.

suricataparser

Pure python package for parsing and generating Snort/Suricata rules.

Installation

via pip:

pip install suricataparser

via Poetry:

poetry add suricataparser

Project status

Suricataparser is complete; the API is stable and frozen. If you find a bug, create an issue.

Usage examples

Parse a file of rules:

from suricataparser import parse_file

rules = parse_file("suricata.rules")

Parse a raw rule:

from suricataparser import parse_rule

rule = parse_rule('alert tcp any any -> any any (msg:"Msg"; sid:1; gid:1;)')

Parse a string containing many rules:

from suricataparser import parse_rules

rules_object = "..."
rules = parse_rules(rules_object)

View rule properties:

>>> rule.sid
1

>>> rule.action
alert

>>> rule.header
tcp any any -> any any

>>> rule.msg
'"Msg"'

Turn a rule on or off:

>>> rule.enabled
True

>>> rule.enabled = False
>>> print(rule)
# alert tcp any any -> any any (msg:"Msg"; sid:1; gid:1;)

Modify options:

>>> rule.add_option("http_uri")
>>> rule.add_option("key", "value")
>>> print(rule)
alert tcp any any -> any any (msg: "Msg"; sid: 1; gid: 1; http_uri; key: value;)

>>> rule.pop_option("key")
>>> print(rule)
alert tcp any any -> any any (msg: "Msg"; sid: 1; gid: 1; http_uri;)
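The properties shown above are what a rule-set audit needs. As an added example that is not the project's own code and does not use the suricataparser package, the following minimal parser follows the same conventions the README shows (a leading "#" disables a rule, options are "key:value;" or bare flags such as http_uri, and str() writes the rule back), then checks a constructed rule set for duplicate sids and rules without a msg, the two defects that most often break rule updates and alert triage. The option splitter treats ";" inside double quotes as data and honours backslash-escaped quotes, because content and pcre values commonly contain both.

```python
import re
from collections import Counter
from dataclasses import dataclass
# One rule per line; an optional leading "#" marks it disabled (the convention the README shows).
_RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+"
                      r"(?P<header>.+?)\s*\((?P<opts>.*)\)\s*$")

def _split_options(opts):
    """Split on ';' only outside double quotes, honouring \\" escapes (msg/pcre may contain ';')."""
    parts, buf, in_quotes, prev = [], "", False, ""
    for ch in opts:
        in_quotes ^= (ch == '"' and prev != "\\")
        if ch == ";" and not in_quotes:
            parts.append(buf.strip()); buf = ""
        else:
            buf += ch
        prev = ch
    return [p for p in parts + [buf.strip()] if p]
@dataclass
class Rule:
    enabled: bool
    action: str
    header: str
    options: list  # [(name, value)] in file order; value is None for flags such as http_uri
    def get_option(self, name):
        return next((v for n, v in self.options if n == name), None)
    def __str__(self):  # a disabled rule is written back with the "# " prefix
        opts = " ".join(f"{n}:{v};" if v is not None else f"{n};" for n, v in self.options)
        return ("# " if not self.enabled else "") + f"{self.action} {self.header} ({opts})"
def parse_rule(text):
    m = _RULE_RE.match(text.strip())
    if not m:
        return None  # blank line or ordinary comment, not a rule
    pairs = [p.split(":", 1) if ":" in p else [p, None] for p in _split_options(m["opts"])]
    return Rule(m["off"] is None, m["action"], m["header"].strip(),
                [(n.strip(), v.strip() if v is not None else None) for n, v in pairs])

def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]
def audit(rules):
    """Duplicate sids break rule updates; rules without msg yield alerts nobody can triage."""
    sids = Counter(r.get_option("sid") for r in rules)
    dupes = [s for s, c in sids.items() if c > 1]
    no_msg = [r.get_option("sid") for r in rules if r.get_option("msg") is None]
    return dupes, no_msg
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"HTTP probe; suspicious"; content:"/admin"; http_uri; sid:1000001; rev:1;)
# alert tcp any any -> any 22 (msg:"SSH scan"; sid:1000002; rev:1;)
alert udp any any -> any 53 (sid:1000001; rev:2;)
"""
```

Running audit(parse_rules(SAMPLE_RULES)) reports sid 1000001 both as duplicated and as lacking a msg; the real library exposes the same information through rule.sid, rule.msg and rule.enabled.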