{ "info": { "author": "Philip Martin", "author_email": "phillip.martin@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: Developers", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Programming Language :: Python", "Topic :: Security", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": "snortsig\n========\n\n|Build Status| A read-only (for now) interface to snort signatures using\npyparsing on the back end. You can parse signatures from multiple files,\nor just via a string. Once parsed, you can use the search() method to\nretrieve signatures with specific attributes.\n\nKnown Bugs\n----------\n\n- snortsig currently doesn't deal well with escaped semi-colons.\n- snortsig currently doesn't deal well with double quotes inside quoted\n fields.\n- snortsig can't write signatures back out to strings or files.\n\nExample\n-------\n\nGet a count of enabled and disabled signatures from a downloaded copy of\nthe VRT community ruleset:\n\n::\n\n In [1]: ss=snortsig.SnortSig()\n\n In [2]: ss.fromFile(\"community.rules\")\n\n In [3]: len(ss.search(\"0\",attribute='disabled'))\n Out[3]: 495\n\n In [4]: len(ss.search(\"1\",attribute='disabled'))\n Out[4]: 2507\n\n In [5]: len(ss.search(\"\", exact=False))\n Out[5]: 3002\n\nWhich signatures were unparsable?\n\n::\n\n In [11]: ss.unparsed()\n Out[11]:\n ['# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"SERVER-IIS Al\n ternate Data streams ASP file access attempt\"; flow:to_server,established; conte\n nt:\".asp|3A 3A 24|DATA\"; nocase; http_uri; metadata:ruleset community, service h\n ttp; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; ref\n erence:url,support.microsoft.com/default.aspx?scid=kb\\\\;EN-US\\\\;q188806; classty\n pe:web-application-attack; sid:975; rev:26;)',\n '']\n\nOf all of the enabled signatures, which classtypes are the most common?\n\n::\n\n In [1]: enabled = ss.search(\"0\",attribute='disabled')\n\n In [2]: collections.Counter([e['options']['classtype'][0] for e in enabled])\n Out[2]: Counter({'trojan-activity': 451, 'attempted-recon': 27, 'misc-activity'\n : 10, 'attempted-admin': 4, 'bad-unknown': 1, 'network-scan': 1, 'unsuccessful-u\n ser': 1})\n\nOf all of the disabled signatures, which classtypes are the most common?\n\n::\n\n In [1]: disabled = ss.search(\"1\",attribute='disabled')\n\n In [2]: collections.Counter([e['options']['classtype'][0] for e in disabled])\n Out[2]: Counter({'web-application-activity': 479, 'attempted-user': 343, 'attem\n pted-recon': 332, 'web-application-attack': 267, 'attempted-admin': 220, 'misc-a\n ctivity': 164, 'trojan-activity': 155, 'protocol-command-decode': 112, 'misc-att\n ack': 101, 'rpc-portmap-decode': 83, 'attempted-dos': 60, 'policy-violation': 52\n , 'bad-unknown': 44, 'shellcode-detect': 26, 'suspicious-login': 16, 'successful\n -admin': 9, 'unsuccessful-user': 9, 'network-scan': 6, 'suspicious-filename-dete\n ct': 6, 'default-login-attempt': 6, 'system-call-detect': 5, 'successful-recon-l\n imited': 4, 'unknown': 2, 'denial-of-service': 2, 'string-detect': 2, 'successfu\n l-user': 1, 'non-standard-protocol': 1})\n\nHow many signatures use the 'itype' attribute?\n\n::\n\n In [1]: len(ss.search(\"\",attribute='itype',exact=False))\n Out[1]: 123\n\nHow To Use\n----------\n\nInstall\n~~~~~~~\n\n::\n\n pip install snortsig\n\nImport\n~~~~~~\n\n::\n\n import snortsig\n\nInstantiate\n~~~~~~~~~~~\n\n::\n\n ss=snortsig.SnortSig()\n ss.fromFile(\"community.rules\")\n ss.fromFile(\"emerging-all.rules\")\n ss.fromString('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"MALWARE-CNC Sality logo.gif URLs\"; flow:to_server,established; content:\"/logo.gif?\"; fast_pattern:only; http_uri; pcre:\"/\\x2Flogo\\.gif\\x3F[0-9a-f]{5,7}=\\d{5,7}/Ui\"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fSality.AT; classtype:trojan-activity; sid:24255; rev:3;)')\n\nfromString(string)\n~~~~~~~~~~~~~~~~~~\n\nParse the provided string and extract the snort signatures\n\nfromFile(file)\n~~~~~~~~~~~~~~\n\nRead the supplied file and feed it to fromString()\n\ngetall()\n~~~~~~~~\n\nReturn all parsed signatures as a list of signature dicts.\n\nsearch(term, attribute=None, exact=False)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSearch through all imported signatures and return those that match the\nquery as a list of signature dicts. \\* term is a string to match. \\*\nattribute is the name of an option or header to search. If attribute is\nNone, search all options and headers. \\* exact controls the match type,\nexact or substring.\n\nFor example, return all signatures with the pcre option:\n\n::\n\n search(\"\",attribute=\"pcre\",exact=False)\n\nunparsed()\n~~~~~~~~~~\n\nReturn all signatures that failed parsing as a list of strings\n\nWork with individual signatures\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nRather than create an object to encapsulate a single snort signature, we\njust stuff the signature into a dict. The overall concept should be\nfairly easy to grok if you understand snort signature syntax, but there\nare a couple of non-obvious bits:\n\n- the 'disabled' key indicates the presence (1) or absence (0) of a\n hash mark before the signature at import time.\n- the options key holds all of the rule options.\n- for payload detection options that take modifiers, the modifiers are\n grouped with the option to which they apply\n- order is preserved\n- all of the values are lists. Where options have multiple values (or\n there are multiple instances of an option), the lists may be nested.\n Where options have simple string values, the top level list contains\n a strings. This is done to maintain consistent semantics when\n accessing data.\n\nExample signature dict:\n\n::\n\n {'action': ['alert'],\n 'direction': ['->'],\n 'disabled': ['1'],\n 'dst': ['$SMTP_SERVERS'],\n 'dst_port': ['25'],\n 'options': {'classtype': ['attempted-admin'],\n 'content': ['|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+',\n ['fast_pattern', 'only']],\n 'flow': ['to_server', 'established'],\n 'metadata': [['ruleset', 'community'], ['service', 'smtp']],\n 'msg': ['SERVER-MAIL x86 windows MailMax overflow'],\n 'reference': [['bugtraq', '2312'], ['cve', '1999-0404']],\n 'rev': ['13'],\n 'sid': ['310']},\n 'protocol': ['tcp'],\n 'src': ['$EXTERNAL_NET'],\n 'src_port': ['any']}\n\n.. |Build Status| image:: https://travis-ci.org/Phillipmartin/snortsig.svg?branch=master\n :target: https://travis-ci.org/Phillipmartin/snortsig", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://www.github.com/Phillipmartin/snortsig", "keywords": null, "license": "MIT", "maintainer": null, "maintainer_email": null, "name": "snortsig", "package_url": "https://pypi.org/project/snortsig/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/snortsig/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://www.github.com/Phillipmartin/snortsig" }, "release_url": "https://pypi.org/project/snortsig/0.2/", "requires_dist": null, "requires_python": null, "summary": "A module to simplify working with Snort signatures", "version": "0.2" }, "last_serial": 1171113, "releases": { "0.1": [ { "comment_text": "", "digests": { "md5": "0714022cf40e341b9c191bb25f493b4f", "sha256": "6b7276ee675655735dd3425fa17c73c383c1ebdf00f261170c37a366edb55b2e" }, "downloads": -1, "filename": "snortsig-0.1-py2.7.egg", "has_sig": false, "md5_digest": "0714022cf40e341b9c191bb25f493b4f", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 9437, "upload_time": "2014-06-29T01:56:53", "url": "https://files.pythonhosted.org/packages/42/c5/6a65aee69e308251b3cd0aacc9b7b61d51bae6990c831d4f79b23da97377/snortsig-0.1-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "b0080b19c3ef8e18f31dedea8089e4e3", "sha256": "a0417c9d0a7e5f87fc57f411db6cf7905e7820d5215f8327ff52c23aeeef2043" }, "downloads": -1, "filename": "snortsig-0.1.tar.gz", "has_sig": false, "md5_digest": "b0080b19c3ef8e18f31dedea8089e4e3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6924, "upload_time": "2014-06-29T01:56:51", "url": "https://files.pythonhosted.org/packages/13/4f/651731606c17b8c17b3e5b62fe0f1d5ffa58c1bf7e5552a521150189ba52/snortsig-0.1.tar.gz" } ], "0.2": [ { "comment_text": "", "digests": { "md5": "5239ca11147a82c69bd86ff475cc62e8", "sha256": "1280874967e5d294a1e8e4839935880dfc87d5724d3e94a8031f103baee06b03" }, "downloads": -1, "filename": "snortsig-0.2-py2.7.egg", "has_sig": false, "md5_digest": "5239ca11147a82c69bd86ff475cc62e8", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 9460, "upload_time": "2014-07-27T22:00:36", "url": "https://files.pythonhosted.org/packages/1c/98/f36cedc8c2ffc2bcc23cda2420133053f4c28720f141c065d719e0458665/snortsig-0.2-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "80a063035d3c292d4f1b94a8158d6bf7", "sha256": "c172f9c820a158a726da8aa2aa1e8de3c0b9ea909af3321721401f8a2780270f" }, "downloads": -1, "filename": "snortsig-0.2.tar.gz", "has_sig": false, "md5_digest": "80a063035d3c292d4f1b94a8158d6bf7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7598, "upload_time": "2014-07-27T22:00:33", "url": "https://files.pythonhosted.org/packages/41/23/de02b34292432b20cd0c0b53f25c7e9037851e50e04b782083ff2494ed2a/snortsig-0.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "5239ca11147a82c69bd86ff475cc62e8", "sha256": "1280874967e5d294a1e8e4839935880dfc87d5724d3e94a8031f103baee06b03" }, "downloads": -1, "filename": "snortsig-0.2-py2.7.egg", "has_sig": false, "md5_digest": "5239ca11147a82c69bd86ff475cc62e8", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 9460, "upload_time": "2014-07-27T22:00:36", "url": "https://files.pythonhosted.org/packages/1c/98/f36cedc8c2ffc2bcc23cda2420133053f4c28720f141c065d719e0458665/snortsig-0.2-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "80a063035d3c292d4f1b94a8158d6bf7", "sha256": "c172f9c820a158a726da8aa2aa1e8de3c0b9ea909af3321721401f8a2780270f" }, "downloads": -1, "filename": "snortsig-0.2.tar.gz", "has_sig": false, "md5_digest": "80a063035d3c292d4f1b94a8158d6bf7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7598, "upload_time": "2014-07-27T22:00:33", "url": "https://files.pythonhosted.org/packages/41/23/de02b34292432b20cd0c0b53f25c7e9037851e50e04b782083ff2494ed2a/snortsig-0.2.tar.gz" } ] }