theY4Kman / parsuricata

Parse Suricata rules
https://pypi.org/project/parsuricata/
MIT License

Parser is not fetching complete settings #16

Open reema93jain opened 1 year ago

reema93jain commented 1 year ago

Hi Team,

I am using parsuricata but I am seeing that the parser is not able to parse settings correctly. It's parsing the complete rule correctly but not the individual parts.

Ex: source=''' alert http $HOME_NET any -> !$HOME_NET any (msg: "hi mum!"; content: !"heymum") '''

When I am parsing settings from content it's just showing heymum and not showing !heymum. Shouldn't it show everything after : ?

Code snippet:
rules = parse_rules(source)  --> parsing complete rule correctly
rules[0].options[1].settings  --> not parsing settings of content properly


Thanks Reema Jain

tlansec commented 1 year ago

Hey,

It looks like this is implemented as a bool on each Setting see:

https://github.com/theY4Kman/parsuricata/blob/master/test_parsuricata.py#L38

Cheers, Tom

reema93jain commented 1 year ago

Thanks Tom! I am trying to concatenate all values within 'content' in a rule. For ex: content:(!"heymum","windows",!"Linux"). When I am running the below command to check if content has negative values, it's showing the below error:

Error screenshot: [image]

Code: [image]

How can I make sure to capture the entire content settings (i.e. !"heymum")? Can you please guide?

Thanks Reema Jain

tlansec commented 1 year ago

Hey,

I am not sure that you can specify multiple negative matches within a content: field like that, e.g. will Suricata even accept that? For example I notice there are no rules in the ET set that are written that way, instead they all chain multiple negative content: matches like content:!"mystr"; content:!"otherstr"; . If the Suricata syntax does allow you to do that, then this library currently won't parse rules using that syntax.

For the single negation case, this works:

from parsuricata import parse_rules

source = '''
alert http $HOME_NET !80 -> !$HOME_NET any (msg: "hi mum!"; content:!"heymum";)
'''

parsed = parse_rules(source)

for opt in parsed[0].options:
    settings = opt.settings
    print(settings.is_negated)

Cheers, Tom

reema93jain commented 1 year ago

Thanks Tom! I tried running your code but I am still getting the below error. Am I doing something wrong?

Error screenshot: [image]

Code: [image]

Thanks Reema Jain

reema93jain commented 1 year ago

Hi Tom,

I got the issue. I wasn't using ';' at the end of content:!"heymum";)

Thanks Reema Jain

reema93jain commented 1 year ago

Hi Tom,

I am facing one more issue. I want to display src_port ONLY WHEN it contains data (i.e. ports) other than 'any'. I am able to display src_port for positive values (ex: [23,45]) with if src_port !='any'. But it's giving me no results when it has negative values (ex: ![23,45]).

I tried different things but nothing is working.

Code1: [image]

Result1: [image]

Code2: [image]

Result2: [image]

If I just print src_port WITHOUT if src_port !='any', it captures '! ports'.

Code: [image]

Result: [image]

Can you please guide what I can do to capture ports information other than 'any'? Same is true for dst_port.

Thanks, Reema Jain

reema93jain commented 1 year ago

Hi,

I was able to resolve the above issue. src_port with negative values (ex: ![23,45]) can be fetched using rules[0].src_port=='negated'.

Thanks Reema Jain
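As an added example that is not part of this thread and is not parsuricata's own code, the block below is a small stand-alone parser that models the two points discussed above: Tom's observation that negation lives as a bool on each Setting rather than inside its text (so content:!"heymum" yields the value heymum with is_negated set, and a missing ';' after it is a parse error, which is what Reema ran into), and the later src_port/dst_port question, where a negated list such as ![23,45] must still count as "something other than any". Every class and function name here (Setting, PortSpec, parse_rules, content_matches, constrained_port) and the sample rules are assumptions constructed for this example, not parsuricata's API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed illustration of the model Tom describes: '!' is kept as a bool
# beside the stripped value. NOT parsuricata's own code; all names are assumed.

@dataclass
class Setting:
    value: str                   # text with the leading '!' removed, e.g. 'heymum'
    is_negated: bool = False

@dataclass
class Option:
    keyword: str
    setting: Optional[Setting]   # None for bare keywords such as 'nocase;'

@dataclass
class PortSpec:
    ports: List[str]             # e.g. ['80'], ['23', '45'] or ['any']
    is_negated: bool = False

    @property
    def is_any(self) -> bool:    # the plain wildcard only; '!any' is not 'any'
        return self.ports == ["any"] and not self.is_negated

@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: PortSpec
    direction: str
    dst: str
    dst_port: PortSpec
    options: List[Option] = field(default_factory=list)

# One option: keyword, optional ':' value (quoted string with backslash escapes,
# or bare text up to ';'), mandatory ';'. A '!' in front of the value negates it.
_OPTION_RE = re.compile(
    r'\s*([a-zA-Z_.-]+)\s*(?::\s*(!?)\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?\s*;')

def parse_port(text: str) -> PortSpec:
    negated = text.startswith("!")
    body = (text[1:] if negated else text).strip("[]")
    return PortSpec([p.strip() for p in body.split(",")], negated)

def parse_rule(source: str) -> Rule:
    head, _, opts = source.strip().partition("(")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    opts = opts.rstrip().rstrip(")")
    options: List[Option] = []
    pos = 0
    while opts[pos:].strip():
        m = _OPTION_RE.match(opts, pos)
        if m is None:            # e.g. the missing ';' after content:!"heymum"
            raise ValueError(f"cannot parse option near {opts[pos:pos + 30]!r}")
        keyword, bang, quoted, bare = m.groups()
        setting = None
        if quoted is not None or bare is not None:
            value = quoted if quoted is not None else bare.strip()
            setting = Setting(value, is_negated=(bang == "!"))
        options.append(Option(keyword, setting))
        pos = m.end()
    return Rule(action, proto, src, parse_port(sport), direction, dst,
                parse_port(dport), options)

def parse_rules(source: str) -> List[Rule]:
    return [parse_rule(line) for line in source.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def parses(source: str) -> bool:
    try:
        parse_rules(source)
        return True
    except ValueError:       # syntax error somewhere in the rule set
        return False

def content_matches(rule: Rule) -> List[str]:
    """All content: values with their negation restored, e.g. ['!heymum']."""
    return [("!" if o.setting.is_negated else "") + o.setting.value
            for o in rule.options if o.keyword == "content" and o.setting is not None]

def constrained_port(spec: PortSpec) -> Optional[str]:
    """None for plain 'any'; otherwise the field, negated lists like ![23,45] included."""
    if spec.is_any:
        return None
    inner = spec.ports[0] if len(spec.ports) == 1 else "[%s]" % ",".join(spec.ports)
    return ("!" if spec.is_negated else "") + inner

# Constructed sample rules for the demo (not taken from any real ruleset).
SAMPLE_RULES = '''
alert http $HOME_NET !80 -> !$HOME_NET any (msg:"hi mum!"; content:!"heymum"; nocase; sid:1000001; rev:1;)
alert tcp $HOME_NET ![23,45] -> $EXTERNAL_NET [80,443] (msg:"neg ports"; content:"windows"; content:!"Linux"; sid:1000002;)
'''
```

The design choice is the one Tom points at: keep the stripped text and the negation as separate fields and let reporting code decide whether to re-attach the '!'. The "is it something other than any" check then becomes a test on the structured port field (is_any) rather than a string comparison, which is why the negated list no longer falls through as if it were the wildcard.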