

Merge pull request #3 from simeonmiteff/add-reference
Parse reference options into Rule.References[] and expose classtype
m-chrome authored Jun 13, 2024
2 parents 9345579 + 27db07a commit 6bdb1a9
Showing 3 changed files with 43 additions and 5 deletions.
1 change: 1 addition & 0 deletions option.go
Expand Up @@ -9,6 +9,7 @@ const (
OptMsg = "msg"
OptRev = "rev"
OptSid = "sid"
OptReference = "reference"
)

// Option stores parsed option from rule - https://suricata.readthedocs.io/en/latest/rules/intro.html#rule-options
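--- /dev/null
+++ b/reference.go
@@ -0,0 +1,23 @@
+package suricataparser
+
+import (
+"errors"
+"strings"
+)
+
+type Reference struct {
+Type string
+Ref string
+}
+
+// ParseReference from raw string
+func ParseReference(reference string) (*Reference, error) {
+if reference == "" {
+return nil, errors.New("reference is never empty")
+}
+parts := strings.SplitN(reference, ",", 2)
+if len(parts) != 2 {
+return nil, errors.New("reference should be type,ref")
+}
+return &Reference{Type: parts[0], Ref: parts[1]}, nil
+}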
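Review bot: ParseReference accepts a reference whose type or ref half is empty (`"cve,"` and `",123"` both pass the `len(parts) != 2` check) and returns a half-populated Reference, so the validation on the SplitN result should also reject empty halves: `if len(parts) != 2 || parts[0] == "" || parts[1] == "" {`. The error text on the empty-input branch, "reference is never empty", reads as a statement of fact rather than a diagnosis; `errors.New("reference is empty")` says what was actually found. Whether surrounding whitespace (e.g. a space after the comma) is stripped before the option value reaches this function is not visible here; if it is not, a `strings.TrimSpace` on each half would keep `Type` comparable against fixed keys like `url` or `cve`. The exported `Reference` type has no doc comment; a one-liner such as `// Reference is a parsed reference option, split into its type and value.` would complete the package's documentation style seen on ParseReference.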
24 changes: 19 additions & 5 deletions rule.go
Expand Up @@ -8,11 +8,12 @@ import (

// Rule stores parsed suricata rule - https://suricata.readthedocs.io/en/latest/rules/intro.html#rules-format
type Rule struct {
Enabled bool
action string
header string
Options []*Option
Metadata *Metadata
Enabled bool
action string
header string
Options []*Option
Metadata *Metadata
References []*Reference

sid int64
gid int64
Expand Down Expand Up @@ -53,6 +54,11 @@ func (r *Rule) Rev() int64 {
return r.rev
}

// ClassType rule class type - https://docs.suricata.io/en/latest/rules/meta.html#classtype
func (r *Rule) ClassType() string {
return r.classtype
}

// Header defines the protocol, IP addresses, ports and direction of the rule
func (r *Rule) Header() string {
return r.header
Expand Down Expand Up @@ -103,6 +109,9 @@ func (r *Rule) fillFromOptions() {
if opt.Name == OptMetadata {
r.fillMetadata(opt.Value)
}
if opt.Name == OptReference {
r.addReference(opt.Value)
}
}
}

Expand All @@ -111,6 +120,11 @@ func (r *Rule) fillMetadata(rawMetadata string) {
r.Metadata.Merge(*parsed)
}

func (r *Rule) addReference(rawReference string) {
parsed, _ := ParseReference(rawReference)
r.References = append(r.References, parsed)
}

func NewRule(enabled bool, action, header, raw string, options []*Option) *Rule {
rule := Rule{
Enabled: enabled,
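Review bot: addReference discards the error from ParseReference and appends the result unconditionally, so a malformed `reference:` option (no comma) puts a nil *Reference into Rule.References and every later consumer that dereferences the slice will panic on rule text it does not control. The error should gate the append: `parsed, err := ParseReference(rawReference)` followed by `if err != nil { return }` before `r.References = append(r.References, parsed)`; if the project prefers surfacing bad options, the error could instead be recorded, but a nil entry is never the right outcome. The same pattern may exist in fillMetadata, whose body starts outside the hunk (only the `r.Metadata.Merge(*parsed)` line is visible), so that path is worth checking too. The NewRule hunk and the Rule struct hunk both run past the edges of this section.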
