README
¶
gonids is a library to parse IDS rules for engines like Snort and Suricata.
Installation
$ go get github.com/google/gonids
Quick Start
Add this import line to the file you're working in:
import "github.com/google/gonids"
To parse a rule:
rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
// Handle parse error
}
// Do something with your rule.
switch r.Action {
case "alert":
// This is an 'alert' rule.
case "drop":
// This is a 'drop' rule.
case "pass":
// This is a 'pass' rule.
default:
// I have no idea what this would be. =)
}
To create a rule a DNS rule (using dns_query sticky buffer) and print it:
r := gonids.Rule{
Action: "alert",
Protocol: "dns",
Source: Network{
Nets: []string{"any"},
Ports: []string{"any"},
},
Destination: Network{
Nets: []string{"any"},
Ports: []string{"any"},
},
SID: 1234,
Revision: 1,
}
badDomain := "c2.evil.com"
dnsRule.Description = fmt.Sprintf("DNS query for %s", badDomain)
sb, _ := gonids.StickyBuffer("dns_query")
c := &gonids.Content{
DataPosition: sb,
Pattern: []byte(badDomain),
Options: []*gonids.ContentOption{
{"nocase", ""},
},
}
}
fmt.Println(r)
To optimize a Snort HTTP rule for Suricata:
rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
// Handle parse error
}
r.OptimizeHTTP()
Miscellaneous
This is not an official Google product.
Documentation
¶
Overview ¶
Package gonids implements a basic parser of IDS rules.
For now the parser is very basic and it only parses a subset of fields. We intentionally omit http_encode as it doesn't seem to be used in practice.
Index ¶
- func FuzzParseRule(data []byte) int
- type ByteMatch
- type Content
- type ContentOption
- type DataPos
- type FastPattern
- type Flowbit
- type Flowint
- type LenMatch
- type Metadata
- type Metadatas
- type Network
- type PCRE
- type Reference
- type Rule
- func (r *Rule) ByteMatchers() []*ByteMatch
- func (r *Rule) CVE() string
- func (r *Rule) Contents() []*Content
- func (r *Rule) ExpensivePCRE() bool
- func (r *Rule) GetSidMsg() string
- func (r *Rule) HasVar(s string) bool
- func (r *Rule) InsertMatcher(m orderedMatcher, pos int) error
- func (r *Rule) LastContent() *Content
- func (r *Rule) LenMatchers() []*LenMatch
- func (r *Rule) NoReferences() bool
- func (r *Rule) OnlyShortContents() bool
- func (r *Rule) OptimizeHTTP() bool
- func (r *Rule) PCREs() []*PCRE
- func (r *Rule) RE() string
- func (r *Rule) ShouldBeHTTP() bool
- func (r *Rule) SnortHTTPHeader() bool
- func (r *Rule) SnortHTTPHeaderFix() bool
- func (r *Rule) SnortURILenFix() bool
- func (r Rule) String() string
- func (r *Rule) UpgradeToSuri5() bool
- type StreamCmp
- type TLSTag
- type UnsupportedOptionError
- type Xbit
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FuzzParseRule ¶
FuzzParseRule is used by OSS-Fuzz to fuzz the library.
Types ¶
type ByteMatch ¶
type ByteMatch struct {
// DataPosition defaults to pkt_data state, can be modified to apply to file_data, base64_data locations.
// This value will apply to all following contents, to reset to default you must reset DataPosition during processing.
DataPosition DataPos
// Kind is a specific operation type we're taking.
Kind byteMatchType
// Negate indicates negation of a value, currently only used for isdataat.
Negate bool
// A variable name being extracted by byte_extract.
Variable string
// Number of bytes to operate on. "bytes to convert" in Snort Manual. This can be an int, or a var from byte_extract.
NumBytes string
// Operator for comparison in byte_test.
Operator string
// Value to compare against using byte_test.
Value string
// Offset within given buffer to operate on.
Offset int
// Other specifics required for jump/test here. This might make sense to pull out into a "ByteMatchOption" later.
Options []string
}
ByteMatch describes a byte matching operation, similar to a Content.
type Content ¶
type Content struct {
// DataPosition defaults to pkt_data state, can be modified to apply to file_data, base64_data locations.
// This value will apply to all following contents, to reset to default you must reset DataPosition during processing.
DataPosition DataPos
// FastPattern settings for the content.
FastPattern FastPattern
// Pattern is the pattern match of a content (e.g. HTTP in content:"HTTP").
Pattern []byte
// Negate is true for negated content match.
Negate bool
// Options are the option associated to the content (e.g. http_header).
Options []*ContentOption
}
Content describes a rule content. A content is composed of a pattern followed by options.
func (*Content) FormatPattern ¶
FormatPattern returns a string for a Pattern in a content
func (Content) SnortHTTPHeader ¶
SnortHTTPHeader returns true if a specific content contains double CRLF at the end.
type ContentOption ¶
type ContentOption struct {
// Name is the name of the option (e.g. offset).
Name string
// Value is the value associated to the option, default to "" for option without value.
Value string
}
ContentOption describes an option set on a rule content.
func (ContentOption) String ¶
func (co ContentOption) String() string
String returns a string for a ContentOption.
type DataPos ¶
type DataPos int
DataPos indicates the data position for content matches. These should be referenced for creation by using their Suricata keywords and the StickyBuffer() function.
func StickyBuffer ¶
StickyBuffer returns the data position value for the string representation of a sticky buffer name (e.g. "file_data")
type FastPattern ¶
FastPattern describes various properties of a fast_pattern value for a content.
func (FastPattern) String ¶
func (f FastPattern) String() string
String returns a string for a FastPattern.
type LenMatch ¶
type LenMatch struct {
// DataPosition defaults to pkt_data state, can be modified to apply to file_data, base64_data locations.
// This value will apply to all following contents, to reset to default you must reset DataPosition during processing.
DataPosition DataPos
Kind lenMatchType
Min int
Max int
Num int
Operator string
Options []string
}
LenMatch holds the values to represent an Length Match.
type Metadata ¶
Metadata describes metadata tags in key-value struct.
func MetadataModifier ¶
MetadataModifier returns a metadata that identifies a given modification.
type Network ¶
type Network struct {
Nets []string // Currently just []string because these can be variables $HOME_NET, not a valid IPNet.
Ports []string // Currently just []string because these can be variables $HTTP_PORTS, not just ints.
}
Network describes the IP addresses and port numbers used in a rule. TODO: Ensure all values either begin with $ (variable) or they are valid IPNet/int.
type Reference ¶
type Reference struct {
// Type is the system name for the reference: (url, cve, md5, etc.)
Type string
// Value is the identifier in the system: (address, cvd-id, hash)
Value string
}
Reference describes a gonids reference in a rule.
type Rule ¶
type Rule struct {
// Disbled identifies if the rule is disabled/commented out.
Disabled bool
// Action is the action the rule will take (alert, pass, drop, etc.).
Action string
// Protocol is the protocol the rule looks at.
Protocol string
// Source is the address and ports for the source of the traffic.
Source Network
// Destination is the address and ports for the source of the traffic.
Destination Network
// Bidirectional indicates the directionality of a rule (-> or <>).
Bidirectional bool
// SID is the identifier of the rule.
SID int
// Revision is the revision of the rule.
Revision int
// Description is the msg field of the rule.
Description string
// References contains references associated to the rule (e.g. CVE number).
References []*Reference
// Contents are all the decoded content matches.
Tags map[string]string
// Statements is a slice of string. These items are similar to Tags, but have no value. (e.g. 'sameip;')
Statements []string
// TLSTags is a slice of TLS related matches.
TLSTags []*TLSTag
// StreamMatch holds stream_size parameters.
StreamMatch *StreamCmp
// Metas is a slice of Metadata.
Metas Metadatas
// Flowbits is a slice of Flowbit.
Flowbits []*Flowbit
// Xbits is a slice of Xbit
Xbits []*Xbit
// Flowints is a slice of Flowint
Flowints []*Flowint
// Matchers are internally used to ensure relative matches are printed correctly.
// Make this private before checkin?
Matchers []orderedMatcher
}
Rule describes an IDS rule.
func (*Rule) ByteMatchers ¶
ByteMatchers returns all *ByteMatch for a rule.
func (*Rule) ExpensivePCRE ¶
ExpensivePCRE returns true if a rule appears to use a PCRE without conditions that make it expensive to compute.
func (*Rule) InsertMatcher ¶
InsertMatcher will insert an ordered matcher at a position specified.
func (*Rule) LastContent ¶
LastContent returns the last *Content from Matchers
func (*Rule) LenMatchers ¶
LenMatchers returns all *LenMatch for a rule.
func (*Rule) NoReferences ¶
NoReferences returns true if there are no references in the rule.
func (*Rule) OnlyShortContents ¶
OnlyShortContents returns true if all Matchers are Contents and all matches are very short.
func (*Rule) OptimizeHTTP ¶
OptimizeHTTP tunes an old style rule to leverage port agnostic HTTP detection.
func (*Rule) ShouldBeHTTP ¶
ShouldBeHTTP returns true if a rule looks like the protocol should be http, but is not.
func (*Rule) SnortHTTPHeader ¶
SnortHTTPHeader returns true if any content contains double CRLF at the end.
func (*Rule) SnortHTTPHeaderFix ¶
SnortHTTPHeaderFix will fix broken http_header matches.
func (*Rule) SnortURILenFix ¶
SnortURILenFix will optimize a urilen keyword from a Snort rule for Suricata.
func (*Rule) UpgradeToSuri5 ¶
UpgradeToSuri5 optimizes a Suricata 4.x rule to Suricata 5.x features.
type StreamCmp ¶
type StreamCmp struct {
// Direction of traffic to inspect: server, client, both, either.
Direction string
// Operator is the comparison operator to apply >, <, !=, etc.
Operator string
// TODO: Can this number be a variable, if yes s/int/string.
// Number is the size to compare against
Number int
}
StreamCmp represents a stream comparison (stream_size:>20).
type TLSTag ¶
type TLSTag struct {
// Is the match negated (!).
Negate bool
// Key holds the thing we're inspecting (tls.version, tls.fingerprint, etc.).
Key string
// TODO: Consider string -> []byte and handle hex input.
// TODO: Consider supporting []struct if we can support things like: tls.version:!1.2,!1.3
// Value holds the value for the match.
Value string
}
TLSTag describes a TLS specific match (non-sticky buffer based).
type UnsupportedOptionError ¶
UnsupportedOptionError contains a partially parsed rule, and the options that aren't supported for parsing.
func (*UnsupportedOptionError) Error ¶
func (uoe *UnsupportedOptionError) Error() string
Error returns a string for UnsupportedOptionError
type Xbit ¶
type Xbit struct {
Action string
Name string
Track string
// Expire should be an int, default 0 value makes stringer difficult because this is an
// optional parameter. If we can confirm that this must be > 0 we can convert to int.
Expire string
}
Xbit describes an Xbit. TODO: Consider adding more structure to Track and Expire.
Source Files