idstools.maps module
Provide mappings from ID’s to descriptions.
Includes mapping classes for event ID messages and classification information.
class idstools.maps.ClassificationMap(fileobj=None)
Bases: object
ClassificationMap maps classification IDs and names to a dict object describing a classification.
Parameters: fileobj – (Optional) A file-like object to load classifications from on initialization.
The classification dicts stored in the map have the following fields:
- name (string)
- description (string)
- priority (int)
Example:
>>> from idstools import maps
>>> classmap = maps.ClassificationMap()
>>> classmap.load_from_file(open("tests/classification.config"))
>>> classmap.get(3)
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}
>>> classmap.get_by_name("bad-unknown")
{'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'}
get(class_id)
Get a classification by ID.
Parameters: class_id – The classification ID to get.
Returns: A dict describing the classification, or None if the ID is unknown.
get_by_name(name)
Get a classification by name.
Parameters: name – The name of the classification.
Returns: A dict describing the classification, or None if the name is unknown.
class idstools.maps.SignatureMap
Bases: object
SignatureMap maps signature IDs to a signature info dict.
The signature map can be built up from classification.config, gen-msg.map, and new- and old-style sid-msg.map files.
The dicts in the map will have at a minimum the following fields:
- gid (int)
- sid (int)
- msg (string)
- refs (list of strings)
Signatures loaded from a new-style sid-msg.map file will also have rev, classification and priority fields.
Example:
>>> from idstools import maps
>>> sigmap = maps.SignatureMap()
>>> sigmap.load_generator_map(open("tests/gen-msg.map"))
>>> sigmap.load_signature_map(open("tests/sid-msg-v2.map"))
>>> print(sigmap.get(1, 2495))
{'classification': 'misc-attack', 'rev': 8, 'priority': 0, 'gid': 1, 'sid': 2495, 'msg': 'GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt', 'ref': ['bugtraq,8811', 'cve,2003-0813', 'nessus,12206', 'url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx']}
get(generator_id, signature_id)
Get signature info by generator_id and signature_id.
Parameters:
- generator_id – The generator ID of the signature to look up.
- signature_id – The signature ID of the signature to look up.
For convenience, if the generator_id is 3 and the signature is not found, a second lookup will be done using a generator_id of 1.
load_generator_map(fileobj)
Load the generator message map (gen-msg.map) from a file-like object.
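To make the SignatureMap description above concrete, here is an added, self-contained stand-in (not idstools' own code) that builds the documented signature dicts from a gen-msg.map and a sid-msg.map and implements the gid 3 to gid 1 fallback of get(). It assumes the "||"-separated layout of Snort/Suricata map files (new style marked by a "#v2" header line); the sample map contents are constructed, not the project's test files.

```python
# Constructed sample gen-msg.map / sid-msg.map content (not the project's test files).
GEN_MSG_MAP = """\
1 || 1 || snort general alert
116 || 1 || snort_decoder: Not IPv4 datagram!
"""
SID_MSG_MAP_V2 = """\
#v2
1 || 2495 || 8 || misc-attack || 0 || GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813
1 || 1000001 || 1 || policy-violation || 2 || LOCAL example policy rule
"""

class SimpleSignatureMap:
    def __init__(self):
        self.sigs = {}  # (gid, sid) -> signature info dict

    def load_generator_map(self, fileobj):
        # gen-msg.map lines: gid || sid || msg  (decoder/preprocessor events, no refs)
        for line in map(str.strip, fileobj):
            if line and not line.startswith("#"):
                gid, sid, msg = [f.strip() for f in line.split("||")][:3]
                self.sigs[(int(gid), int(sid))] = dict(gid=int(gid), sid=int(sid), msg=msg, refs=[])

    def load_signature_map(self, fileobj):
        # "#v2" style: gid || sid || rev || classification || priority || msg || ref...; old style: sid || msg || ref... (gid 1)
        v2 = False
        for line in map(str.strip, fileobj):
            v2 = v2 or line.startswith("#v2")
            if not line or line.startswith("#"):
                continue
            p = [f.strip() for f in line.split("||")]
            if v2:
                sig = dict(gid=int(p[0]), sid=int(p[1]), rev=int(p[2]), classification=p[3],
                           priority=int(p[4]), msg=p[5], refs=p[6:])
            else:
                sig = dict(gid=1, sid=int(p[0]), msg=p[1], refs=p[2:])
            self.sigs[(sig["gid"], sig["sid"])] = sig

    def get(self, generator_id, signature_id):
        sig = self.sigs.get((generator_id, signature_id))
        if sig is None and generator_id == 3:
            # Documented convenience: a gid 3 miss is retried under gid 1.
            sig = self.sigs.get((1, signature_id))
        return sig

def build_map(gen_text=GEN_MSG_MAP, sid_text=SID_MSG_MAP_V2):
    # Any iterable of lines works, so a real file object can be passed instead.
    sigmap = SimpleSignatureMap()
    sigmap.load_generator_map(gen_text.splitlines())
    sigmap.load_signature_map(sid_text.splitlines())
    return sigmap
```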