gonids is a library to parse IDS rules for engines like Snort and Suricata.

Installation

$ go get github.com/google/gonids

Quick Start

Add this import line to the file you’re working in:

import "github.com/google/gonids"

To parse a rule:

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
  // Handle parse error
}
// Do something with your rule.
switch r.Action {
case "alert":
  // This is an 'alert' rule.
case "drop":
  // This is a 'drop' rule.
case "pass":
  // This is a 'pass' rule.
default:
  // I have no idea what this would be. =)
}

To create a rule a DNS rule (using dns_query sticky buffer) and print it:

r := gonids.Rule{
    Action:   "alert",
    Protocol: "dns",
    Source: Network{
        Nets:  []string{"any"},
        Ports: []string{"any"},
    },
    Destination: Network{
        Nets:  []string{"any"},
        Ports: []string{"any"},
    },
    SID:         1234,
    Revision:    1,
}

badDomain := "c2.evil.com"
dnsRule.Description = fmt.Sprintf("DNS query for %s", badDomain)

sb, _ := gonids.StickyBuffer("dns_query")
c := &gonids.Content{
            DataPosition: sb,
            Pattern:      []byte(badDomain),
            Options: []*gonids.ContentOption{
                {"nocase", ""},
            },
        }
}

fmt.Println(r)

To optimize a Snort HTTP rule for Suricata:

rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello.php"; http_uri; classtype:trojan-activity; sid:1; rev:1;)`
r, err := gonids.ParseRule(rule)
if err != nil {
  // Handle parse error
}
r.OptimizeHTTP()

Miscellaneous

This is not an official Google product.