in aristotle/aristotle.py [0:0]
def get_parser():
    """Build and return the ``argparse.ArgumentParser`` for the command line.

    Returns:
        The configured parser, or ``None`` if construction raised and
        ``print_error(..., fatal=True)`` returned instead of exiting.
    """
    description = "Filter Suricata and Snort rulesets based on metadata keyword values."
    # Shown verbatim (RawDescriptionHelpFormatter) below the option list; the
    # trailing "\r\n" is part of the original epilog text and is kept as-is.
    epilog = (
        "A filter string defines the desired outcome based on Boolean logic, and uses\n"
        "the metadata key-value pairs as values in a (concrete) Boolean algebra.\n"
        "The key-value pair specifications must be surrounded by double quotes.\n"
        "Example:\n"
        "python3 aristotle/aristotle.py -r examples/example.rules --summary -n\n"
        "-f '((\"priority high\" AND \"malware <ALL>\") AND \"created_at >= 2018-01-01\")\n"
        "AND NOT (\"protocols smtp\" OR \"protocols pop\" OR \"protocols imap\") OR \"sid 80181444\"'\n"
        "\r\n"
    )
    try:
        parser = argparse.ArgumentParser(
            formatter_class=argparse.RawDescriptionHelpFormatter,
            description=description,
            epilog=epilog,
        )

        def add_flag(*names, dest, help_text):
            # All boolean switches share the same shape: store_true, off by default.
            parser.add_argument(*names, action="store_true", dest=dest, default=False, help=help_text)

        # The only mandatory option. The help text says the value may be a file,
        # a directory or the ruleset text itself; how that is disambiguated
        # happens in the caller, not here.
        parser.add_argument(
            "-r", "--rules", "--ruleset",
            action="store",
            dest="rules",
            required=True,
            help="path to a rules file, a directory containing '.rules' file(s), or string containing the ruleset",
        )
        parser.add_argument(
            "-f", "--filter",
            action="store",
            dest="metadata_filter",
            default=None,
            help="Boolean filter string or path to a file containing it",
        )
        # NOTE(review): nargs='?' without a `const`, so a bare `--summary` stores
        # None rather than the 16 the help text mentions -- presumably the caller
        # maps None to 16; confirm against main().
        parser.add_argument(
            "--summary",
            action="store",
            dest="display_max",
            type=int,
            nargs='?',
            default=-1,
            help="output a summary of the filtered ruleset to stdout, limited "
                 "to DISPLAY_MAX number of lines (or 16 if no value given); "
                 "if the option to output to a file is set, the full, filtered ruleset "
                 "will still be written.",
        )
        # "<stdout>" is a sentinel value, not a file name; the caller decides what it means.
        parser.add_argument(
            "-o", "--output",
            action="store",
            dest="outfile",
            default="<stdout>",
            help="output file to write filtered ruleset to",
        )
        # nargs='*': `-s` alone yields an empty list, absent yields None.
        parser.add_argument(
            "-s", "--stats",
            nargs='*',
            action="store",
            dest="stats",
            default=None,
            help="display ruleset statistics about specified key(s). "
                 "If no key(s) supplied, then summary statistics for "
                 "all keys will be displayed.",
        )
        add_flag(
            "-i", "--enable-all-rules", "--enable-all", "--include-disabled",
            dest="enable_all_rules",
            help_text="enable all valid rules, including those disabled/commented out in the given rules file(s), when applying the filter",
        )
        add_flag(
            "-c", "--output-disabled-rules",
            dest="output_disabled_rules",
            help_text="include disabled rules in the output as commented out lines.",
        )
        add_flag(
            "-n", "--normalize", "--better", "--iso8601",
            dest="normalize",
            help_text="try to convert date, MITRE ATT&CK, and cve related metadata values to conform to the "
                      "BETTER schema for filtering and statistics. Dates are normalized to the "
                      "format YYYY-MM-DD and CVEs to YYYY-<num>. Also, 'sid' is removed from the metadata.",
        )
        add_flag(
            "-e", "--enhance",
            dest="enhance",
            help_text="enhance metadata by adding additional key-value pairs based on the rules.",
        )
        add_flag(
            "-t", "--ignore-classtype", "--ignore-classtype-keyword",
            dest="ignore_classtype_keyword",
            help_text="don't incorporate the 'classtype' keyword and value from the rule into the metadata structure for filtering and reporting.",
        )
        add_flag(
            "-g", "--ignore-filename",
            dest="ignore_filename",
            help_text="don't incorporate the 'filename' keyword (filename of the rules file) into the metadata structure for filtering and reporting.",
        )
        add_flag(
            "-m", "--modify-metadata",
            dest="modify_metadata",
            help_text="modify the rule metadata keyword value on output to contain the internally tracked and normalized metadata data.",
        )
        # Path only; the YAML is read and applied elsewhere, so how it is loaded
        # (and whether a safe loader is used) cannot be judged from this function.
        parser.add_argument(
            "-p", "--pfmod", "--pfmod-file",
            action="store",
            dest="pfmod_file",
            default=None,
            help="YAML file of directives to apply actions on post-filtered rules based on filter strings.",
        )
        add_flag(
            "-q", "--quiet", "--suppress_warnings",
            dest="suppress_warnings",
            help_text="quiet; suppress warning logging",
        )
        add_flag(
            "-d", "--debug",
            dest="debug",
            help_text="turn on debug logging",
        )
        return parser
    except Exception as e:
        # Any failure while wiring the parser is treated as fatal by the
        # project's error helper (defined elsewhere in this file).
        print_error("Problem parsing command line args: {}".format(e), fatal=True)