suricata-sid-db v1.0.2
suricata-sid-database
Creates a Suricata JSON hash object from the references in your local Suricata rules. You can use this repo or the curl/jq commands below to query and get additional information about Suricata sid's from alerts you might have by using the hyperlinks (references) from Suricata that this DB provides.
How to use this DB
Install jq
Optionally, clone or download the contents of the JSON from data/suricata-rules-ref.json
Then, if you have a Suricata sid such as 2001219, run it against the JSON like so
curl https://raw.githubusercontent.com/FrankHassanabad/suricata-sid-database/master/data/suricata-rules-ref.json | jq '."2001219"'or if you have the json downloaded locally, it would be like this
jq '."2001219"' data/suricata-rules-ref.jsonYour response should be several hyper links like this:
[
  'http://en.wikipedia.org/wiki/Brute_force_attack',
  'http://doc.emergingthreats.net/2001219',
];or if nothing was found a null or if a rule was found but nothing about references a
empty array like so
[]How to build a new database based on rules you have
Ensure you have Suricata installed, then run
npm install
npm startLook in your newly created data/suricata-rules-ref.json
If you have a different location for rules, then modify src/builddb.ts at these lines:
const REFERENCE_CONF = '/usr/local/etc/suricata/rules/reference.config';
const RULES_DIR = '/usr/local/etc/suricata/rules';