IDS Utility Library
py-idstools is a collection of Python libraries for working with IDS systems (typically Snort and Suricata).
- Snort/Suricata unified2 log file reading.
- Continuous unified2 directory spool reading with bookmarking (à la Barnyard2).
- Parser and mapping for classification.config.
- Parser and mapping for gen-msg.map and sid-msg.map.
- Useful utility programs.
- u2json - Convert unified2 files or spool directories to JSON.
- gensidmsgmap - Easily create a sid-msg.map file from rule files, directories or a rule tarball.
- dumpdynamicrules - Helper for dumping Snort SO dynamic rule stubs.
- u2eve - Convert unified2 files to EVE compatible JSON.
- rulecat - Basic Suricata rule management tool.
- Python 2.7; Python 3.3 works but is not as well tested.
- Python 2.6 may work, but is not as well tested.
- Currently only tested on Linux.
Reading a Unified2 Spool Directory
The following code snippet will "tail" a unified2 log directory, aggregating records into events:

```python
from idstools import unified2

reader = unified2.SpoolEventReader("/var/log/snort", "unified2.log", follow=True)
for event in reader:
    print(event)
```
Further documentation is located at http://idstools.readthedocs.org.
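Most of what u2json does is record framing plus map lookups. The following is an added, self-contained example (not py-idstools' own code) that shows the mechanics the library wraps: walking unified2 records by their 4-byte type / 4-byte length header, unpacking the IPv4 `Unified2IDSEvent` (type 7) body, enriching it from sid-msg.map and classification.config text, and emitting JSON. It also applies the protocol-number rule from the changelog (fall back to the number as a string) and stops cleanly at a truncated trailing record, which is what a reader sees while a sensor is still writing the file. All input data below is constructed for illustration.

```python
"""Added example, not part of py-idstools: unified2 type-7 event -> JSON,
enriched from sid-msg.map / classification.config. Sample data is constructed."""
import json
import socket
import struct

UNIFIED2_IDS_EVENT = 7          # IPv4 IDS event record type (Snort/Suricata)

# Record header: type, length (both uint32, network byte order).
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent body, 60 bytes, no padding.
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")
IDS_EVENT_FIELDS = (
    "sensor-id", "event-id", "event-second", "event-microsecond",
    "signature-id", "generator-id", "signature-revision",
    "classification-id", "priority", "source-ip", "destination-ip",
    "sport-itype", "dport-icode", "protocol", "impact-flag", "impact",
    "blocked", "mpls-label", "vlan-id", "pad2",
)
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample maps (the sid and message are invented for this example).
SID_MSG_MAP = """#v2
1 || 1000001 || 3 || attempted-admin || 1 || EXAMPLE test alert || url,example.invalid/1000001
"""
CLASSIFICATION_CONFIG = """config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""


def parse_sid_msg_map(text):
    """Map (gid, sid) -> msg for both the v1 'sid || msg || ref...' layout and
    the '#v2' 'gid || sid || rev || class || priority || msg || ref...' layout."""
    version, out = 1, {}
    for line in text.splitlines():
        line = line.strip()
        if line == "#v2":
            version = 2
            continue
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if version == 2:
            out[(int(parts[0]), int(parts[1]))] = parts[5]
        else:
            out[(1, int(parts[0]))] = parts[1]
    return out


def parse_classification_config(text):
    """Map classification id -> details; ids are 1-based in file order, which
    is how the sensor numbers them in the event's classification-id field."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        name, desc, prio = [p.strip() for p in line.split(":", 1)[1].split(",")]
        out[len(out) + 1] = {"name": name, "description": desc, "priority": int(prio)}
    return out


def iter_records(data):
    """Yield (type, body) per record; stop at a truncated trailing record
    rather than raising, so a growing spool file can be re-read later."""
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        if offset + RECORD_HDR.size + length > len(data):
            break
        offset += RECORD_HDR.size
        yield rtype, data[offset:offset + length]
        offset += length


def event_to_dict(body, sidmap, classmap):
    """Decode one type-7 body into the flat dict u2json-style tools emit."""
    fields = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
    del fields["pad2"]
    for key in ("source-ip", "destination-ip"):
        fields[key] = socket.inet_ntoa(struct.pack("!I", fields[key]))
    # Unknown protocol numbers become strings so the JSON type stays consistent.
    fields["protocol"] = PROTOCOL_NAMES.get(fields["protocol"], str(fields["protocol"]))
    fields["msg"] = sidmap.get((fields["generator-id"], fields["signature-id"]))
    fields["classification"] = classmap.get(fields["classification-id"])
    return fields


def convert(data, sid_msg_text, classification_text):
    """Return a list of event dicts for every complete type-7 record in data."""
    sidmap = parse_sid_msg_map(sid_msg_text)
    classmap = parse_classification_config(classification_text)
    return [event_to_dict(body, sidmap, classmap)
            for rtype, body in iter_records(data) if rtype == UNIFIED2_IDS_EVENT]


def build_sample_spool():
    """Constructed bytes: one complete event followed by a truncated record."""
    ip = lambda s: struct.unpack("!I", socket.inet_aton(s))[0]
    body = IDS_EVENT.pack(0, 1, 1400000000, 250000,   # sensor, event id, sec, usec
                          1000001, 1, 3, 2, 1,        # sid, gid, rev, class id, prio
                          ip("192.0.2.10"), ip("198.51.100.5"),
                          443, 51234, 6, 0, 0, 0, 0, 0, 0)  # ports, TCP, flags, mpls, vlan, pad
    complete = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body
    truncated = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body[:10]
    return complete + truncated


if __name__ == "__main__":
    for event in convert(build_sample_spool(), SID_MSG_MAP, CLASSIFICATION_CONFIG):
        print(json.dumps(event, sort_keys=True))
```

The truncated-record check in `iter_records` is the detail worth keeping when writing your own reader: a spool file being appended to by the sensor routinely ends mid-record, and a parser that raises there instead of stopping will lose its place, which is exactly the situation the library's bookmarking and `follow=True` handling exist for.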
- New tool: idstools-dumpdynamicrules. A wrapper around Snort to dump dynamic rule stubs and optionally repack the tarball with the new stubs.
- New tool: idstools-u2eve. Basically a copy of the current u2json, but will aim to keep a compatible eve output style. idstools-u2json will probably become more of a basic example program.
- A basic packet decoding module.
- New tool: rulecat. A basic Suricata rule management tool.
- Fix reading of growing file on OS X.
- Fix error in parsing decoder rules introduced in 0.4.3.
- Make the rule direction an accessible field of the rule object.
- Fix issue loading signature map files (GitHub issue #2).
- Fix IPv6 address unpacking.
- In u2json, if the protocol number can’t be converted to a string, encode the number as a string for a consistent JSON data type.
- New tool, u2json to convert unified2 files to JSON.
- Support the new appid unified2 event types introduced in Snort 184.108.40.206.alpha.
| Filename | Size | File type | Python version |
|---|---|---|---|
| idstools-0.5.0.tar.gz | 50.4 kB | Source | None |