From 7a0b567e49ce5b0d38bb191b33421be7b5840482 Mon Sep 17 00:00:00 2001
From: Simeon Miteff
Date: Fri, 2 Jun 2023 17:43:42 +1000
Subject: [PATCH 1/2] Add accessor function for classtype

---
 rule.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rule.go b/rule.go
index affd4a6..32b6b24 100644
--- a/rule.go
+++ b/rule.go
@@ -53,6 +53,11 @@ func (r *Rule) Rev() int64 {
 	return r.rev
 }
 
+// ClassType rule class type - https://docs.suricata.io/en/latest/rules/meta.html#classtype
+func (r *Rule) ClassType() string {
+	return r.classtype
+}
+
 // Header defines the protocol, IP addresses, ports and direction of the rule
 func (r *Rule) Header() string {
 	return r.header

From 27db07a47ad36755d14f08db88ec302ebca92817 Mon Sep 17 00:00:00 2001
From: Simeon Miteff
Date: Tue, 2 Jan 2024 12:31:57 +1000
Subject: [PATCH 2/2] Parse reference options int Rule.References[]

---
 option.go | 1 +
 reference.go | 23 +++++++++++++++++++++++
 rule.go | 19 ++++++++++++++-----
 3 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 reference.go

diff --git a/option.go b/option.go
index 6b9900d..8db7a7e 100644
--- a/option.go
+++ b/option.go
@@ -9,6 +9,7 @@ const (
 	OptMsg = "msg"
 	OptRev = "rev"
 	OptSid = "sid"
+	OptReference = "reference"
 )
 
 // Option stores parsed option from rule - https://suricata.readthedocs.io/en/latest/rules/intro.html#rule-options
diff --git a/reference.go b/reference.go
new file mode 100644
index 0000000..60d2c2d
--- /dev/null
+++ b/reference.go
@@ -0,0 +1,23 @@
+package suricataparser
+
+import (
+	"errors"
+	"strings"
+)
+
+type Reference struct {
+	Type string
+	Ref  string
+}
+
+// ParseReference from raw string
+func ParseReference(reference string) (*Reference, error) {
+	if reference == "" {
+		return nil, errors.New("reference is never empty")
+	}
+	parts := strings.SplitN(reference, ",", 2)
+	if len(parts) != 2 {
+		return nil, errors.New("reference should be type,ref")
+	}
+	return &Reference{Type: parts[0], Ref: parts[1]}, nil
+}
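Review bot: The doc comment on the new accessor does not start as a sentence built on the identifier, which is the form godoc surfaces and the form the neighbouring `Header` comment already uses; `// ClassType returns the value of the rule's classtype option - https://docs.suricata.io/en/latest/rules/meta.html#classtype` would bring it in line. The `classtype` field it reads, and the code that populates it, are outside this hunk, so whether the accessor can return an empty string for a rule without a classtype option is not visible here and is worth stating in the comment once confirmed.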
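Review bot: ParseReference accepts `",foo"` and `"foo,"` as well-formed, returning a Reference with an empty Type or Ref, because the only shape check after SplitN is `len(parts) != 2`; adding `if parts[0] == "" || parts[1] == "" { return nil, errors.New("reference should be type,ref") }` before the final return closes that gap. The message `"reference is never empty"` states an invariant rather than describing the bad input — `"reference must not be empty"` reads as a diagnostic. If the option parser does not already trim the option value, `strings.TrimSpace` on each part would be needed before it is stored, but that is not visible from this patch. The exported `Reference` type has no doc comment, and the `ParseReference` comment should state the expected `type,ref` form and that any other shape yields an error.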
diff --git a/rule.go b/rule.go
index 32b6b24..f250c21 100644
--- a/rule.go
+++ b/rule.go
@@ -8,11 +8,12 @@ import (
 
 // Rule stores parsed suricata rule - https://suricata.readthedocs.io/en/latest/rules/intro.html#rules-format
 type Rule struct {
-	Enabled  bool
-	action   string
-	header   string
-	Options  []*Option
-	Metadata *Metadata
+	Enabled    bool
+	action     string
+	header     string
+	Options    []*Option
+	Metadata   *Metadata
+	References []*Reference
 
 	sid int64
 	gid int64
@@ -108,6 +109,9 @@ func (r *Rule) fillFromOptions() {
 		if opt.Name == OptMetadata {
 			r.fillMetadata(opt.Value)
 		}
+		if opt.Name == OptReference {
+			r.addReference(opt.Value)
+		}
 	}
 }
 
@@ -116,6 +120,11 @@ func (r *Rule) fillMetadata(rawMetadata string) {
 	r.Metadata.Merge(*parsed)
 }
 
+func (r *Rule) addReference(rawReference string) {
+	parsed, _ := ParseReference(rawReference)
+	r.References = append(r.References, parsed)
+}
+
 func NewRule(enabled bool, action, header, raw string, options []*Option) *Rule {
 	rule := Rule{
 		Enabled: enabled,
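Review bot: addReference discards the error from ParseReference and appends `parsed` unconditionally, so a malformed `reference` option (no comma, or an empty value) puts a nil `*Reference` into `r.References`, and any later loop that dereferences the entries will panic on a third-party ruleset rather than on the parser's own input. Replacing the first line with `parsed, err := ParseReference(rawReference)` and adding `if err != nil { return }` before the append keeps the slice free of nil entries; whether a parse failure should instead be surfaced depends on how fillMetadata treats errors from its parser, whose body starts above this hunk. The same unchecked result also needs a short comment on addReference saying that unparseable references are dropped, so the behaviour is deliberate rather than accidental.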