google/gonids

gonids is a library to parse IDS rules for engines like Snort and Suricata. ### Installation $ go get github.com/google/gonids ### Quick Start Add this import line to the file you're working in: import "github.com/google/gonids" To parse a rule: rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)` r, err := gonids.ParseRule(rule) if err != nil { // Handle parse error } // Do something with your rule. switch r.Action { case "alert": // This is an 'alert' rule. case "drop": // This is a 'drop' rule. case "pass": // This is a 'pass' rule. default: // I have no idea what this would be. =) } To create a rule a DNS rule (using dns_query sticky buffer) and print it: r := gonids.Rule{ Action: "alert", Protocol: "dns", Source: Network{ Nets: []string{"any"}, Ports: []string{"any"}, }, Destination: Network{ Nets: []string{"any"}, Ports: []string{"any"}, }, SID: 1234, Revision: 1, } badDomain := "c2.evil.com" dnsRule.Description = fmt.Sprintf("DNS query for %s", badDomain) sb, _ := gonids.StickyBuffer("dns_query") c := &gonids.Content{ DataPosition: sb, Pattern: []byte(badDomain), Options: []*gonids.ContentOption{ {"nocase", ""}, }, } } fmt.Println(r) To optimize a Snort HTTP rule for Suricata: rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)` r, err := gonids.ParseRule(rule) if err != nil { // Handle parse error } r.OptimizeHTTP() ### Miscellaneous This is not an official Google product.

标签：EVTX分析