suricata-sid-db
v1.0.2
Published
Extracts from a set of suricata rules the sid and refs into a JSON file
Downloads
13,522
Readme
suricata-sid-database
Creates a Suricata JSON hash object from the references in your local Suricata rules. You can use this repo or the curl/jq commands below to query and get additional information about Suricata sid's from alerts you might have by using the hyperlinks (references) from Suricata that this DB provides.
How to use this DB
Install jq
Optionally, clone or download the contents of the JSON from data/suricata-rules-ref.json
Then, if you have a Suricata sid such as 2001219
, run it against the JSON like so
curl https://raw.githubusercontent.com/FrankHassanabad/suricata-sid-database/master/data/suricata-rules-ref.json | jq '."2001219"'
or if you have the json downloaded locally, it would be like this
jq '."2001219"' data/suricata-rules-ref.json
Your response should be several hyper links like this:
[
'http://en.wikipedia.org/wiki/Brute_force_attack',
'http://doc.emergingthreats.net/2001219',
];
or if nothing was found a null
or if a rule was found but nothing about references a
empty array like so
[]
How to build a new database based on rules you have
Ensure you have Suricata installed, then run
npm install
npm start
Look in your newly created data/suricata-rules-ref.json
If you have a different location for rules, then modify src/builddb.ts at these lines:
const REFERENCE_CONF = '/usr/local/etc/suricata/rules/reference.config';
const RULES_DIR = '/usr/local/etc/suricata/rules';