
google / gonids

License: Apache-2.0
gonids is a library to parse IDS rules, with a focus primarily on Suricata rule compatibility. There is a discussion forum available that you can join on Google Groups: https://groups.google.com/forum/#!topic/gonids/


Projects that are alternatives of or similar to gonids

testmynids.org
A website and framework for testing NIDS detection
Stars: ✭ 55 (-60.71%)
Mutual labels:  suricata, network-security
Evebox
Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
Stars: ✭ 286 (+104.29%)
Mutual labels:  suricata, ids
docker-suricata
A Suricata Docker image.
Stars: ✭ 120 (-14.29%)
Mutual labels:  suricata, ids
Suricata Rules
Suricata IDS rules for detecting red-team penetration activity and other malicious behaviour; covers CobaltStrike, MSF, Empire, DNS tunnelling, Weevely, China Chopper (菜刀), Behinder (冰蝎), cryptomining, reverse shells, ICMP tunnelling and more
Stars: ✭ 397 (+183.57%)
Mutual labels:  suricata, ids
Suricata Update
The tool for updating your Suricata rules.
Stars: ✭ 143 (+2.14%)
Mutual labels:  suricata, ids
Selks
A Suricata based IDS/IPS distro
Stars: ✭ 707 (+405%)
Mutual labels:  suricata, ids
Qnsm
QNSM is a network security monitoring framework based on DPDK.
Stars: ✭ 334 (+138.57%)
Mutual labels:  suricata, network-security
Py Idstools
idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)
Stars: ✭ 205 (+46.43%)
Mutual labels:  suricata, ids
TheBriarPatch
An extremely crude, lightweight Web Frontend for Suricata/Bro to be used with BriarIDS
Stars: ✭ 21 (-85%)
Mutual labels:  suricata, ids
vagrant-ids
An Ubuntu 16.04 build containing Suricata, PulledPork, Bro, and Splunk
Stars: ✭ 21 (-85%)
Mutual labels:  suricata
sjson-cpp
A Simplified JSON (SJSON) C++ reader and writer
Stars: ✭ 16 (-88.57%)
Mutual labels:  parse
NIDS-Intrusion-Detection
Simple implementation of a Network Intrusion Detection System. The KDD Cup '99 data set is used for this project: kdd_cup_10_percent is used for training and the corrected set is used for testing. PCA is used for dimension reduction. SVM and KNN supervised algorithms are the project's classifiers. Accuracy: 83.5% for SVM, 80% for KNN
Stars: ✭ 45 (-67.86%)
Mutual labels:  ids
exoffice
Library to parse common excel formats (xls, xlsx, csv)
Stars: ✭ 31 (-77.86%)
Mutual labels:  parse
network-pipeline
Network traffic data pipeline for real-time predictions and building datasets for deep neural networks
Stars: ✭ 36 (-74.29%)
Mutual labels:  network-security
erudite
A JavaScript equivalent to Literate CoffeeScript
Stars: ✭ 18 (-87.14%)
Mutual labels:  parse
ytnef
Yeraze's TNEF Stream Reader - for winmail.dat files
Stars: ✭ 28 (-80%)
Mutual labels:  parse
crawler CIA CREST
R-crawler for CIA website (CREST)
Stars: ✭ 15 (-89.29%)
Mutual labels:  parse
pdns-qof
Passive DNS Common Output Format
Stars: ✭ 30 (-78.57%)
Mutual labels:  network-security
Script.apex
Evaluate Javascript expressions in Apex
Stars: ✭ 18 (-87.14%)
Mutual labels:  parse
penetration testing
🎩 [penetration testing Book], Kali Magic, Cryptography, Hash Crack, Botnet, Rootkit, Malware, Spyware, Python, Go, C|EH.
Stars: ✭ 57 (-59.29%)
Mutual labels:  network-security

gonids is a library to parse IDS rules for engines like Snort and Suricata.

Installation

$ go get github.com/google/gonids

Quick Start

Add this import line to the file you're working in:

import "github.com/google/gonids"

To parse a rule:

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
  // Handle parse error
}
// Do something with your rule.
switch r.Action {
case "alert":
  // This is an 'alert' rule.
case "drop":
  // This is a 'drop' rule.
case "pass":
  // This is a 'pass' rule.
default:
  // I have no idea what this would be. =)
}
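The snippet above hands the whole rule string to gonids. When you write your own loader or linter around it, the part that bites is the option list: a rule such as `content:"cmd=a\;b";` or `pcre:"/x;y/";` contains semicolons that are not separators, so a naive `strings.Split(body, ";")` shreds it. The following is an added example, not gonids code and not part of the original README; it uses only the standard library so it runs without fetching the module, and its `Rule`, `Option`, `Parse`, `splitOptions`, `LoadRules` and `sampleRules` names are hypothetical. It splits options while honouring double quotes and backslash escapes, rejects an unterminated quote or a trailing option without its `;`, and reports each bad line of a rules file by number instead of aborting the whole load.

```go
package main

import (
	"fmt"
	"strings"
)

// Option is one "key:value;" (or bare "key;") entry, kept in rule order.
type Option struct{ Key, Value string }

// Rule is a hypothetical minimal model for this example, not gonids.Rule.
type Rule struct {
	Header  string // "action proto src sport dir dst dport", kept verbatim
	Options []Option
}

// splitOptions cuts the text inside "(...)" on ';' while honouring double quotes
// and backslash escapes, so content:"a\;b" and pcre:"/x;y/" survive where a
// plain strings.Split(body, ";") would shred them. Values keep their quotes.
func splitOptions(body string) ([]Option, error) {
	var opts []Option
	var cur strings.Builder
	inQuote, escaped := false, false
	flush := func() {
		if s := strings.TrimSpace(cur.String()); s != "" {
			k, v, _ := strings.Cut(s, ":")
			opts = append(opts, Option{strings.TrimSpace(k), strings.TrimSpace(v)})
		}
		cur.Reset()
	}
	for _, c := range body {
		switch {
		case escaped: // the character after a backslash is literal
			escaped = false
		case inQuote && c == '\\':
			escaped = true
		case c == '"':
			inQuote = !inQuote
		case c == ';' && !inQuote: // only an unquoted ';' ends an option
			flush()
			continue
		}
		cur.WriteRune(c)
	}
	if inQuote || strings.TrimSpace(cur.String()) != "" {
		return nil, fmt.Errorf("unterminated quote or option without a closing ';'")
	}
	return opts, nil
}

// Parse separates the header from the parenthesised option list.
func Parse(line string) (*Rule, error) {
	line = strings.TrimSpace(line)
	open := strings.Index(line, "(")
	if open < 0 || !strings.HasSuffix(line, ")") {
		return nil, fmt.Errorf("rule needs a parenthesised option list")
	}
	opts, err := splitOptions(line[open+1 : len(line)-1])
	if err != nil {
		return nil, err
	}
	return &Rule{Header: strings.TrimSpace(line[:open]), Options: opts}, nil
}

// LoadRules parses a rules file, skipping blank and "#" lines. A malformed line
// is reported with its number and skipped rather than aborting the whole load.
func LoadRules(text string) ([]*Rule, []error) {
	var rules []*Rule
	var errs []error
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		r, err := Parse(line)
		if err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", i+1, err))
			continue
		}
		rules = append(rules, r)
	}
	return rules, errs
}

// sampleRules is constructed input for this example, not a real ruleset.
// The last line has a quote that is never closed and must be reported.
const sampleRules = `# constructed sample
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)
alert http any any -> any any (msg:"escaped semicolon"; http.uri; content:"cmd=a\;b"; sid:2; rev:1;)
alert dns any any -> any any (msg:"broken rule; dns.query; content:"c2.evil.com"; sid:3; rev:1;)`

func main() {
	rules, errs := LoadRules(sampleRules)
	fmt.Printf("%d rules parsed, problems: %v\n", len(rules), errs)
}
```

The header is deliberately left verbatim: this example exists to show the option-list edge cases, and the full header grammar (port lists, negation, `<>`) is what you use gonids for.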

To create a DNS rule (using the dns_query sticky buffer) and print it:

r := gonids.Rule{
	Action:   "alert",
	Protocol: "dns",
	Source: gonids.Network{
		Nets:  []string{"any"},
		Ports: []string{"any"},
	},
	Destination: gonids.Network{
		Nets:  []string{"any"},
		Ports: []string{"any"},
	},
	SID:      1234,
	Revision: 1,
}

badDomain := "c2.evil.com"
r.Description = fmt.Sprintf("DNS query for %s", badDomain)

// StickyBuffer maps the keyword name to the buffer the content is matched in.
sb, err := gonids.StickyBuffer("dns_query")
if err != nil {
	// Handle unknown sticky buffer name
}
c := &gonids.Content{
	DataPosition: sb,
	Pattern:      []byte(badDomain),
	Options: []*gonids.ContentOption{
		{Name: "nocase"},
	},
}
// The content has to be attached to the rule; Matchers keeps contents in
// the order they will be printed.
r.Matchers = append(r.Matchers, c)

fmt.Println(r)

To optimize a Snort-style HTTP rule for Suricata. OptimizeHTTP takes a tcp rule pinned to $HTTP_PORTS whose contents use HTTP modifiers (http_uri, http_header, ...), switches it to Suricata's port-agnostic http protocol and replaces $HTTP_PORTS with any, so the rule also fires on HTTP carried over non-standard ports; it reports whether it changed the rule:

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
  // Handle parse error
}
if r.OptimizeHTTP() {
  // The rule now uses the http protocol on any port.
  fmt.Println(r)
}
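The two snippets above build a rule from a struct and rewrite a tcp/$HTTP_PORTS rule into a port-agnostic http rule. The following added example is not gonids code and not part of the original README: it re-implements both ideas in standard-library Go so it runs without the module, and every name in it (`Rule`, `Option`, `quoteValue`, `DNSQueryRule`, `httpModifiers`, `MakePortAgnosticHTTP`) is hypothetical. It shows two things the README snippets leave implicit: the sticky buffer must be emitted before the content it applies to, and values placed inside quotes need Suricata's escapes for `\`, `"`, `;` and `|` or the generated rule will not load. `MakePortAgnosticHTTP` is the example's own version of the idea behind OptimizeHTTP, not gonids' implementation, and it leaves alone rules that are not tcp, not on $HTTP_PORTS, or carry no HTTP modifier.

```go
package main

import (
	"fmt"
	"strings"
)

// Option is one "key:value;" or bare "key;" entry. Order matters: in Suricata a
// sticky buffer such as dns.query or http.uri applies to the content after it.
type Option struct{ Key, Value string }

// Rule is a hypothetical minimal model for this example, not gonids.Rule.
type Rule struct {
	Action, Protocol                 string
	SrcNet, SrcPort, DstNet, DstPort string
	Options                          []Option
}

// String renders the rule in Suricata syntax; option values are written as
// given, so quote them with quoteValue first where Suricata expects quotes.
func (r Rule) String() string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s %s %s -> %s %s (", r.Action, r.Protocol, r.SrcNet, r.SrcPort, r.DstNet, r.DstPort)
	for _, o := range r.Options {
		if o.Value == "" {
			fmt.Fprintf(&b, "%s; ", o.Key)
		} else {
			fmt.Fprintf(&b, "%s:%s; ", o.Key, o.Value)
		}
	}
	return strings.TrimRight(b.String(), " ") + ")"
}

// quoteValue wraps s in double quotes and escapes the characters Suricata treats
// specially inside a quoted value: backslash, double quote, semicolon and pipe.
func quoteValue(s string) string {
	s = strings.NewReplacer(`\`, `\\`, `"`, `\"`, `;`, `\;`, `|`, `\|`).Replace(s)
	return `"` + s + `"`
}

// DNSQueryRule builds the same kind of rule the README constructs by hand, with
// the dns.query sticky buffer placed before the content it scopes.
func DNSQueryRule(sid int, domain string) Rule {
	return Rule{
		Action: "alert", Protocol: "dns",
		SrcNet: "any", SrcPort: "any", DstNet: "any", DstPort: "any",
		Options: []Option{
			{"msg", quoteValue("DNS query for " + domain)},
			{"dns.query", ""},
			{"content", quoteValue(domain)},
			{"nocase", ""},
			{"sid", fmt.Sprint(sid)},
			{"rev", "1"},
		},
	}
}

// httpModifiers is a subset of the Snort-style HTTP content modifiers whose
// presence shows the rule inspects HTTP rather than raw TCP payload.
var httpModifiers = map[string]bool{
	"http_uri": true, "http_raw_uri": true, "http_header": true, "http_method": true,
	"http_client_body": true, "http_user_agent": true, "http_host": true, "http_cookie": true,
}

// MakePortAgnosticHTTP is this example's own take on the idea behind gonids'
// OptimizeHTTP (not its code): a tcp rule pinned to $HTTP_PORTS that uses HTTP
// modifiers is moved to the "http" app-layer protocol on any port, so it also
// fires on HTTP served on 8080, 8443 or any other port. Reports whether it changed r.
func MakePortAgnosticHTTP(r *Rule) bool {
	if r.Protocol != "tcp" || (r.SrcPort != "$HTTP_PORTS" && r.DstPort != "$HTTP_PORTS") {
		return false
	}
	usesHTTP := false
	for _, o := range r.Options {
		usesHTTP = usesHTTP || httpModifiers[o.Key]
	}
	if !usesHTTP {
		return false
	}
	r.Protocol = "http"
	if r.SrcPort == "$HTTP_PORTS" {
		r.SrcPort = "any"
	}
	if r.DstPort == "$HTTP_PORTS" {
		r.DstPort = "any"
	}
	return true
}

func main() {
	fmt.Println(DNSQueryRule(1234, "c2.evil.com"))
	// Constructed example of an old-style Snort HTTP rule, as in the README.
	h := Rule{Action: "alert", Protocol: "tcp", SrcNet: "$HOME_NET", SrcPort: "any",
		DstNet: "$EXTERNAL_NET", DstPort: "$HTTP_PORTS", Options: []Option{
			{"msg", quoteValue("GONIDS TEST hello world")}, {"content", quoteValue("hello.php")},
			{"http_uri", ""}, {"sid", "1"}, {"rev", "1"}}}
	fmt.Println(MakePortAgnosticHTTP(&h), h)
}
```

Note that the rewrite only changes the header; the legacy `http_uri` modifier is left in place because Suricata still accepts it. Converting modifiers to the newer `http.uri` sticky-buffer form would also require re-ordering the option list, which is exactly why the order in `Options` is preserved rather than sorted.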

Miscellaneous

This is not an official Google product.
