https://github.com/google/gonids

gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/
https://github.com/google/gonids

ids network network-security parse security-tools suricata

Last synced: about 1 month ago
JSON representation

gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/

• Host: GitHub
• URL: https://github.com/google/gonids
• Owner: google
• License: apache-2.0
• Created: 2016-11-17T19:50:26.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2022-12-14T05:13:15.000Z (almost 2 years ago)
• Last Synced: 2024-08-02T07:11:22.936Z (4 months ago)
• Topics: ids, network, network-security, parse, security-tools, suricata
• Language: Go
• Homepage:
• Size: 392 KB
• Stars: 178
• Watchers: 13
• Forks: 50
• Open Issues: 8
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING
  • License: LICENSE

Awesome Lists containing this project

• awesome-suricata - gonids - Go library to parse intrusion detection rules for engines like Snort and Suricata. (Programming Libraries and Toolkits)

README

        
gonids is a library to parse IDS rules for engines like Snort and Suricata.

### Installation

```

$ go get github.com/google/gonids

```

### Quick Start

Add this import line to the file you're working in:

```

import "github.com/google/gonids"

```

To parse a rule:

```

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`

r, err := gonids.ParseRule(rule)

if err != nil {

  // Handle parse error

}

// Do something with your rule.

switch r.Action {

case "alert":

  // This is an 'alert' rule.

case "drop":

  // This is a 'drop' rule.

case "pass":

  // This is a 'pass' rule.

default:

  // I have no idea what this would be. =)

}

```

To create a rule a DNS rule (using dns_query sticky buffer) and print it:

```

r := gonids.Rule{

	Action:   "alert",

	Protocol: "dns",

	Source: Network{

		Nets:  []string{"any"},

		Ports: []string{"any"},

	},

	Destination: Network{

		Nets:  []string{"any"},

		Ports: []string{"any"},

	},

	SID:         1234,

	Revision:    1,

}

badDomain := "c2.evil.com"

dnsRule.Description = fmt.Sprintf("DNS query for %s", badDomain)

sb, _ := gonids.StickyBuffer("dns_query")

c := &gonids.Content{

			DataPosition: sb,

			Pattern:      []byte(badDomain),

			Options: []*gonids.ContentOption{

				{"nocase", ""},

			},

		}

}

fmt.Println(r)

```

To optimize a Snort HTTP rule for Suricata:

```

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)`

r, err := gonids.ParseRule(rule)

if err != nil {

  // Handle parse error

}

r.OptimizeHTTP()

```

### Miscellaneous

This is not an official Google product.