theY4Kman / parsuricata

Parse Suricata rules
https://pypi.org/project/parsuricata/
MIT License

Error parsing individual port ranges #9

Closed jgrunzweig closed 2 years ago

jgrunzweig commented 3 years ago

Reference: https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#ports-source-and-destination

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 62, in get_action
    return states[state][token.type]
KeyError: 'COLON'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jgrunzweig/work/tools/git/parsuricata/parsuricata/__init__.py", line 9, in parse_rules
    return parser.parse(source)
  File "/usr/local/lib/python3.8/site-packages/lark/lark.py", line 311, in parse
    return self.parser.parse(text, start=start)
  File "/usr/local/lib/python3.8/site-packages/lark/parser_frontends.py", line 89, in parse
    return self._parse(token_stream, start, *[sps] if sps is not NotImplemented else [])
  File "/usr/local/lib/python3.8/site-packages/lark/parser_frontends.py", line 54, in _parse
    return self.parser.parse(input, start, *args)
  File "/usr/local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 36, in parse
    return self.parser.parse(*args)
  File "/usr/local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 86, in parse
    action, arg = get_action(token)
  File "/usr/local/lib/python3.8/site-packages/lark/parsers/lalr_parser.py", line 65, in get_action
    raise UnexpectedToken(token, expected, state=state)
lark.exceptions.UnexpectedToken: Unexpected token Token(COLON, ':') at line 1, column 18.
Expected one of: 
    * COMMA
    * RSQB
    * __ANON_6
    * LPAR
    * __ANON_7

Issue looks to be that, while port ranges are supported in groupings, they're not going to work by themselves. Should have a fix that'll tackle it. Going to submit a pull request shortly.

theY4Kman commented 3 years ago

Oh, derp, yeah, looks like my local Suricata 5.0.5 validates all these rules

alert ip any 80:100 -> any any ( msg:"start/end outside group"; sid: 1; )
alert ip any 80: -> any any ( msg:"start outside group"; sid: 2; )
alert ip any :100 -> any any ( msg:"end outside group"; sid: 3; )

alert ip any [80:100] -> any any ( msg:"start/end in group"; sid: 4; )
alert ip any [80:] -> any any ( msg:"start in group"; sid: 5; )
alert ip any [:100] -> any any ( msg:"end in group"; sid: 6; )

Thanks for catching that!
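Both comments above turn on the same grammar point: a port range is one production whether or not it sits inside a `[...]` group, so `80:100`, `80:` and `:100` must parse on their own. The following is an added example, not parsuricata's lark grammar or any code from this repository: a small recursive-descent parser for the port field of a Suricata rule header that shares one `range_` rule between standalone and grouped ranges, and a header matcher that checks the six rules posted above. Assumptions made here: an open-ended `80:` is read as 80..65535 and `:100` as 0..100, and address and port groups in the header contain no whitespace.

```python
"""Hypothetical Suricata port-specification parser (added example, not
parsuricata's own grammar).  Accepts standalone ranges (80:100, 80:, :100),
grouped ranges ([80:100], [80:], [:100]), negation (!80, ![80:100]) and
comma-separated, nestable groups."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple, Union

MAX_PORT = 65535  # assumption: "80:" means 80..65535, ":100" means 0..100


@dataclass(frozen=True)
class PortRange:
    start: int             # inclusive lower bound
    end: int               # inclusive upper bound
    negated: bool = False  # "!80:100"


@dataclass(frozen=True)
class PortGroup:
    members: Tuple["PortSpec", ...]  # "[80:100,!90]" has two members
    negated: bool = False            # "![80:100]"


PortSpec = Union[str, PortRange, PortGroup]  # str is "any" or a $VARIABLE

# Token classes of the port field: brackets, comma, bang, colon, number, keyword, variable.
_TOKEN = re.compile(r"\[|\]|,|!|:|\d+|any|\$\w+")
# Header: action proto src_ip src_port dir dst_ip dst_port ( ...  (no whitespace inside groups)
_HEADER = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
_SID = re.compile(r"\bsid:\s*(\d+)")


def tokenize(text: str) -> list:
    """Split a port field into tokens, rejecting any character the grammar does not use."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at column {pos}")
        tokens.append(m.group())
        pos = m.end()
    return tokens


class _Parser:
    """spec := '!'? ( group | 'any' | $VAR | range ); group := '[' spec (',' spec)* ']'"""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a port'}, got {tok!r}")
        self.i += 1
        return tok

    def spec(self) -> PortSpec:
        negated = self.peek() == "!"
        if negated:
            self.take("!")
        tok = self.peek()
        if tok == "[":
            return self.group(negated)
        if tok == "any":
            if negated:
                raise ValueError("'any' cannot be negated")
            return self.take()
        if tok is not None and tok.startswith("$"):
            name = self.take()
            return PortGroup((name,), True) if negated else name
        return self.range_(negated)

    def group(self, negated: bool) -> PortGroup:
        self.take("[")
        members = [self.spec()]
        while self.peek() == ",":
            self.take(",")
            members.append(self.spec())
        self.take("]")
        return PortGroup(tuple(members), negated)

    def range_(self, negated: bool) -> PortRange:
        # One rule for bracketed and bare ranges, so "80:" parses outside a group too.
        start = int(self.take()) if (self.peek() or "").isdigit() else None
        if self.peek() == ":":
            self.take(":")
            end = int(self.take()) if (self.peek() or "").isdigit() else MAX_PORT
            start = 0 if start is None else start
        elif start is None:
            raise ValueError(f"expected a port, got {self.peek()!r}")
        else:
            end = start
        if not 0 <= start <= end <= MAX_PORT:
            raise ValueError(f"invalid port range {start}:{end}")
        return PortRange(start, end, negated)


def parse_port_spec(text: str) -> PortSpec:
    p = _Parser(tokenize(text))
    result = p.spec()
    if p.peek() is not None:
        raise ValueError(f"trailing token {p.peek()!r}")
    return result


def parse_rule_ports(rule: str) -> Tuple[PortSpec, PortSpec]:
    """Return (source_port_spec, destination_port_spec) of one rule header."""
    m = _HEADER.match(rule)
    if m is None:
        raise ValueError("not a Suricata rule header")
    return parse_port_spec(m.group(4)), parse_port_spec(m.group(7))


# The six rules from the comment above.
ISSUE_RULES = [
    'alert ip any 80:100 -> any any ( msg:"start/end outside group"; sid: 1; )',
    'alert ip any 80: -> any any ( msg:"start outside group"; sid: 2; )',
    'alert ip any :100 -> any any ( msg:"end outside group"; sid: 3; )',
    'alert ip any [80:100] -> any any ( msg:"start/end in group"; sid: 4; )',
    'alert ip any [80:] -> any any ( msg:"start in group"; sid: 5; )',
    'alert ip any [:100] -> any any ( msg:"end in group"; sid: 6; )',
]


def source_ports_by_sid(rules=ISSUE_RULES) -> Dict[int, PortSpec]:
    """Parse each rule's source port field, keyed by its sid."""
    return {int(_SID.search(r).group(1)): parse_rule_ports(r)[0] for r in rules}
```

Because `range_` is reached from `spec` directly as well as from inside `group`, sids 1 to 3 parse to the same `PortRange` values as sids 4 to 6 wrapped in a one-member `PortGroup`; the original grammar only reached the range production from inside a group, which is exactly why the `COLON` token was unexpected at column 18.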