Support parsing of new snort3 rule types #100
Open
snort3 introduces three new rule types: service rules, file rules and file identification rules. The options of these types have the same syntax; they only differ in the header (`file` and `file_id`), and action is one of the normal snort actions. The patch also adds support for the "rewrite" option that had already been introduced in snort2.

The part of the `parse` function that deals with the header was moved into a separate function: `parse_header`. We note that the first two words of a snort rule cannot contain spaces, so these can be split off immediately, which allows us to handle all new cases. The rest of the header analysis starts with the 3rd word and is mostly unchanged from before. The new `parse_header` function returns the dict with the header keys, or None if the header does not look like a valid snort rule.
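As an added illustration of the header-splitting approach described above (example code written for this page, not the project's own `parse_header`), the following Python function splits off the first two words, recognises the snort3 `file_id`, `file` and service headers from them, and only then applies the classic address/port/direction analysis to the remainder. The action, protocol and service vocabularies are assumptions taken from the snort3 documentation, not from the project's tables, and the service list is deliberately short.

```python
import re
from typing import Optional

# Assumed vocabularies (this example's own, not the project's tables).
ACTIONS = {"alert", "block", "drop", "log", "pass", "react", "reject", "rewrite"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
SERVICES = {"http", "http2", "ssl", "dns", "smtp", "ftp", "ssh", "sip"}  # illustrative subset

# One classic header field: a bracketed list (which may contain spaces) or a bare token.
_FIELD = r"(\[[^\]]*\]|\S+)"
_CLASSIC = re.compile(rf"^{_FIELD}\s+{_FIELD}\s+(->|<>)\s+{_FIELD}\s+{_FIELD}$")


def parse_header(rule: str) -> Optional[dict]:
    """Return the header fields of a snort rule, or None if it does not look like one."""
    head, sep, _options = rule.strip().partition("(")
    if not sep:
        return None                      # no option section at all
    words = head.split(None, 2)          # the first two words never contain spaces
    if not words:
        return None
    # file identification rule: "file_id ( ... )" has neither action nor protocol
    if words[0] == "file_id":
        return {"action": "file_id"} if len(words) == 1 else None
    if len(words) < 2 or words[0] not in ACTIONS:
        return None
    action, second = words[0], words[1]
    rest = words[2].strip() if len(words) == 3 else ""
    # service rule "alert http ( ... )" and file rule "alert file ( ... )":
    # the header ends right after the second word
    if second == "file" or second in SERVICES:
        return {"action": action, "protocol": second} if not rest else None
    if second not in PROTOCOLS:
        return None
    # classic header: addresses, ports and direction start with the third word
    m = _CLASSIC.match(rest)
    if not m:
        return None
    return {"action": action, "protocol": second,
            "source_addr": m.group(1), "source_port": m.group(2),
            "direction": m.group(3),
            "dest_addr": m.group(4), "dest_port": m.group(5)}
```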