theY4Kman / parsuricata

Parse Suricata rules
https://pypi.org/project/parsuricata/
MIT License

Tree to String #8

Closed jgrunzweig closed 2 years ago

jgrunzweig commented 3 years ago

Not sure if there's a way to easily accomplish this, but at present, if you specify a grouping for the source or destination, and attempt to convert it to a string, you are given (imo) unexpected results:

Test rule:

alert ip [127.0.0.1, 127.0.0.2] any -> ![8.8.8.8/24, 1.1.1.1] any (msg:"Test rule"; sid:12345678; rev:1;)

Example:

>>> import parsuricata
>>> test_rule = 'alert ip [10.10.10.0/24, !10.10.10.10] any -> ![8.8.8.8/24, 1.1.1.1] any (msg:"Test rule"; sid:12345678; rev:1;)'
>>> print(parsuricata.parse_rules(test_rule))
alert ip Tree(target_spec, [IPv4Interface('10.10.10.0/24'), Negated(value=IPv4Address('10.10.10.10'))]) any -> !Tree(target_spec, [IPv4Interface('8.8.8.8/24'), IPv4Address('1.1.1.1')]) any ( \
  msg: Test rule; \
  sid: 12345678; \
  rev: 1; \
)

I suppose I'd expect the string output to more accurately reflect the original rule.

Appreciate any help you can provide, and also appreciate the work you put into this library (it is proving to be very helpful).

Thanks

theY4Kman commented 3 years ago

Oof, that's embarrassing! Good catch! (And extra impressive you figured out the lark grammar / transformer in just a few days to be able to fix it yourself :100: )
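
An added example, not part of the thread and not parsuricata's own code: one way to render the parsed address groups shown above back into Suricata syntax, so that a rule round-tripped through the parser keeps its grouping and negation. The `Tree` and `Negated` classes here are stand-ins (assumptions) modelled on the printed output in the issue, and `render_target` is a hypothetical helper name.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Any, List


# Stand-ins (assumptions) for the node types visible in the printed output
# in the issue; they are not imported from parsuricata or lark.
@dataclass
class Tree:
    data: str
    children: List[Any]


@dataclass
class Negated:
    value: Any


def render_target(node: Any) -> str:
    """Render an address node back into Suricata rule syntax (hypothetical helper)."""
    if isinstance(node, Negated):
        # Negation can wrap a single address or a whole bracketed group.
        return '!' + render_target(node.value)
    if isinstance(node, Tree):
        if node.data != 'target_spec':
            raise ValueError(f'unexpected tree node: {node.data!r}')
        if not node.children:
            raise ValueError('empty address group')
        # Groups may nest, so each child is rendered recursively.
        return '[' + ', '.join(render_target(c) for c in node.children) + ']'
    # Leaves: ipaddress objects, or plain strings such as "any" or "$HOME_NET".
    return str(node)


# Constructed sample mirroring the parsed structure printed in the issue.
SRC = Tree('target_spec', [IPv4Interface('10.10.10.0/24'),
                           Negated(IPv4Address('10.10.10.10'))])
DST = Negated(Tree('target_spec', [IPv4Interface('8.8.8.8/24'),
                                   IPv4Address('1.1.1.1')]))

if __name__ == '__main__':
    print(f'alert ip {render_target(SRC)} any -> {render_target(DST)} any')
```

Comparing the rendered header with the original rule text is a quick check that a parse-and-rewrite step has not dropped a `!` or flattened a group, either of which changes the traffic the rule matches.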