Aristotle Documentation

Summary

Aristotle is a simple yet powerful Python program that enables the filtering and manipulation of Suricata and Snort rulesets based on explicit and induced metadata for each rule. It can be thought of as a “Swiss Army Knife” to enable, disable, augment, curate, and tune rulesets so they can be optimized for particular environments, resulting in enhanced alert outputs and a reduction in false positives. Aristotle can be run as a standalone script or used as a Python module.

_images/aristotle.png

Contents:

  • Application Overview
  • Background
  • Metadata Key-Value Pairs
  • Setup
  • Usage
    • Example Files
    • Example Usage
    • Statistics
    • Classtype
    • Filename
    • Disabled Rules
    • Normalize
    • Enhance
      • Detection Direction
    • Modify Metadata
    • Post Filter Modification
  • Boolean Filter Strings
    • Matching on the msg Field
    • Matching on the raw rule
    • Example Filter Strings
  • Post Filter Modification (“PFMod”)
    • Overview
    • PFMod YAML Format
      • PFMod Actions
    • Example PFMod YAML Files
  • Disabled/Commented Rules
    • Identification
    • Input
    • Output
  • Aristotle as a Module
    • Ruleset
      • Ruleset.add_metadata()
      • Ruleset.cve_compare()
      • Ruleset.delete_metadata()
      • Ruleset.evaluate()
      • Ruleset.filter_ruleset()
      • Ruleset.get_all_sids()
      • Ruleset.get_disabled_sids()
      • Ruleset.get_enabled_sids()
      • Ruleset.get_sids()
      • Ruleset.get_stats()
      • Ruleset.normalize_better()
      • Ruleset.output_rules()
      • Ruleset.parse_rules()
      • Ruleset.print_header()
      • Ruleset.print_ruleset_summary()
      • Ruleset.print_stats()
      • Ruleset.reduce_ipval()
      • Ruleset.set_metadata_filter()
  • License
  • Authors

© Copyright 2019 Secureworks, Inc., 2023 Uber Technologies, Inc.
