The idstools rule parsing can parse individual rule strings as well as multiple rules from a file or file like objects.
The parsing functions will return one, or a list of Rule objects that present the rule as a dictionary.
.. autoclass:: idstools.rule.Rule :noindex:
Note
Parsed rules are primarily read only, with the exception of toggling the enabled state of the rule, modification is not really supported.
.. automethod:: idstools.rule.parse :noindex:
.. automethod:: idstools.rule.parse_fileobj :noindex:
.. automethod:: idstools.rule.parse_file :noindex:
The string representation of the object will print the full rule respecting the enabled option of the rule.
For example:
>>> idstools.rule.parse('alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)')
>>> rule = idstools.rule.parse('alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)')
>>> print(rule)
alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)
>>> rule["enabled"] = False
>>> print(rule)
# alert ip any any -> any any (msg:"TEST MESSAGE"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)
A brief description of the rule can be printed with :meth:`idstools.rule.Rule.brief` or a string representing the rule ID can be printed with :meth:`idstools.rule.Rule.idstr`.
The :class:`idstools.rule.FlowbitResolver` is able to resolve the flowbits for a set of rules presented as a dictionary.