py-idstools is a collection of Python libraries for working with IDS systems (typically Snort and Suricata).
- Snort/Suricata unified2 log file reading.
- Continuous unified2 directory spool reading with bookmarking (a'la Barnyard2).
- Parser and mapping for classification.config.
- Parser and mapping for gen-msg.map and sid-msg.map.
- Useful utility programs.
- u2json - Convert unified2 files or spool directories to JSON.
- gensidmsgmap - Easily create a sid-msg.map file from rule files, directories or a rule tarball.
- Python 2.6 or 2.7; Python 3.3 works but is not as well tested.
- Currently only tested on Linux.
The following code snippet will "tail" a unified log directory aggregating records into events:
from idstools import unified2
reader = unified2.SpoolEventReader("/var/log/snort",
"unified2.log", follow=True)
for event in reader:
print(event)
Further documentation is located at http://idstools.readthedocs.org.
- Fix issue loading signature map files (GitHub issue #2).
- Fix IPv6 address unpacking.
- In u2json, if the protocol number can't be converted to a string, encode the number as a string for a consistent JSON data type.
- New tool, u2json to convert unified2 files to JSON.
- Support the new appid unified2 event types introduced in Snort 2.9.7.0.alpha.