https://github.com/google/gonids
gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/
- Host: GitHub
- URL: https://github.com/google/gonids
- Owner: google
- License: apache-2.0
- Created: 2016-11-17T19:50:26.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2022-12-14T05:13:15.000Z (about 2 years ago)
- Last Synced: 2024-08-02T07:11:22.936Z (5 months ago)
- Topics: ids, network, network-security, parse, security-tools, suricata
- Language: Go
- Homepage:
- Size: 392 KB
- Stars: 178
- Watchers: 13
- Forks: 50
- Open Issues: 8
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING
- License: LICENSE
Awesome Lists containing this project
- awesome-suricata - gonids - Go library to parse intrusion detection rules for engines like Snort and Suricata. (Programming Libraries and Toolkits)
README
gonids is a library to parse IDS rules for engines like Snort and Suricata.
### Installation
```
$ go get github.com/google/gonids
```

### Quick Start
Add this import line to the file you're working in:
```
import "github.com/google/gonids"
```

To parse a rule:
```
rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
	// Handle parse error
}
// Do something with your rule.
switch r.Action {
case "alert":
	// This is an 'alert' rule.
case "drop":
	// This is a 'drop' rule.
case "pass":
	// This is a 'pass' rule.
default:
	// Some other action, such as 'reject'.
}
```

To create a DNS rule (using the dns_query sticky buffer) and print it:
```
// Requires import "fmt" in addition to gonids.
r := gonids.Rule{
	Action:   "alert",
	Protocol: "dns",
	Source: gonids.Network{
		Nets:  []string{"any"},
		Ports: []string{"any"},
	},
	Destination: gonids.Network{
		Nets:  []string{"any"},
		Ports: []string{"any"},
	},
	SID:      1234,
	Revision: 1,
}

badDomain := "c2.evil.com"
r.Description = fmt.Sprintf("DNS query for %s", badDomain)

// Match the domain inside the dns_query sticky buffer, case-insensitively.
sb, _ := gonids.StickyBuffer("dns_query")
c := &gonids.Content{
	DataPosition: sb,
	Pattern:      []byte(badDomain),
	Options: []*gonids.ContentOption{
		{"nocase", ""},
	},
}
// Attach the content match to the rule's ordered matcher list; without this
// step the rule printed below would carry no content keyword at all.
r.Matchers = append(r.Matchers, c)

fmt.Println(r)
```

To optimize a Snort HTTP rule for Suricata:
```
rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
	// Handle parse error
}
// Tune the Snort-style tcp/$HTTP_PORTS rule for Suricata's HTTP handling; r is modified in place.
r.OptimizeHTTP()
```

### Miscellaneous
This is not an official Google product.
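As an added, stand-alone illustration (not gonids code) of what the Quick Start's `gonids.ParseRule` has to cope with, here is a minimal Go parser for the rule format shown above: a seven-field header, then `;`-terminated options whose quoted values (msg, pcre) may themselves contain `;` or escaped quotes, and bare keywords such as `http_uri` or `nocase` that carry no value. The `Rule` type, `ParseRule` and its field names are this example's own, not gonids's.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a Snort/Suricata rule header plus ordered options (example type, not gonids's).
type Rule struct {
	Action, Protocol, SrcNet, SrcPort, Direction, DstNet, DstPort string
	Options                                                     [][2]string
}

// ParseRule parses "action proto src sport dir dst dport (opt:val; opt; ...)". A quoted
// value may contain ';' (msg, pcre), so options are scanned with quote tracking, not split.
func ParseRule(s string) (*Rule, error) {
	s = strings.TrimSpace(s)
	open := strings.Index(s, "(")
	if open < 0 || !strings.HasSuffix(s, ")") {
		return nil, fmt.Errorf("options must be enclosed in parentheses: %q", s)
	}
	h := strings.Fields(s[:open])
	if len(h) != 7 || (h[4] != "->" && h[4] != "<>") {
		return nil, fmt.Errorf("malformed header %q", s[:open])
	}
	r := &Rule{Action: h[0], Protocol: h[1], SrcNet: h[2], SrcPort: h[3],
		Direction: h[4], DstNet: h[5], DstPort: h[6]}
	body, quoted := s[open+1:len(s)-1], false
	var cur strings.Builder
	for i := 0; i < len(body); i++ {
		switch c := body[i]; {
		case quoted && c == '\\' && i+1 < len(body): // keep \" and \; verbatim
			cur.WriteString(body[i : i+2])
			i++
		case c == '"':
			quoted = !quoted
			cur.WriteByte(c)
		case c == ';' && !quoted: // option complete; bare keywords (nocase) have no ':'
			k, v, _ := strings.Cut(strings.TrimSpace(cur.String()), ":")
			r.Options = append(r.Options, [2]string{k, strings.Trim(v, `"`)})
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	if quoted || strings.TrimSpace(cur.String()) != "" {
		return nil, fmt.Errorf("unterminated quote or option without trailing ';'")
	}
	return r, nil
}
```

On the Quick Start's rule, `Options` comes back in source order as `[[msg GONIDS TEST hello world] [flow established,to_server] [content hello world] [classtype trojan-activity] [sid 1] [rev 1]]`; a rule with an unterminated quote, a header without a direction arrow, or an option missing its trailing `;` is rejected rather than silently truncated.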