
Feature request: extract ruleset when parsing

Open sevdog opened this issue 7 years ago • 1 comment

The Rule object has no ruleset attribute.

Examples:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)

is from ET ruleset

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

is from SNORT GPL

Usually the ruleset is the first word in the Rule.msg attribute, so it should not be difficult to extract. If someone does not use this convention, it should be possible to opt out of this parsing function, maybe by letting the parser get this value as an optional argument.

sevdog, Mar 20 '17 16:03

I'm not too sure about this one. I don't like to make guesses or assumptions. Do you have an example use case in mind?

If using the parser as a library in your own tool, I think it's easy enough to add something like this post-parsing, but I don't think it's deterministic enough to bake in.

jasonish, Mar 20 '17 17:03
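A post-parsing helper of the kind suggested in the reply above, as an added example that is not part of py-idstools. It reads the msg option from the raw rule text so it runs without the library (with idstools you would pass Rule.msg instead), and the optional allowlist of known prefixes is the opt-out the request asks for: with it, a msg whose first word is not a known ruleset name yields None rather than a guess.

```python
import re
from typing import Iterable, Optional

# Constructed sample rules: the two rules quoted in the issue plus a local
# rule whose msg does not start with a ruleset name.
SAMPLE_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)',
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)',
    'alert tcp any any -> any 22 (msg:"SSH login from unexpected subnet"; sid:9000001; rev:1;)',
]

# Assumed known ruleset prefixes (the two named on the page).
KNOWN_PREFIXES = frozenset({"ET", "GPL"})

# The msg value is double-quoted and may contain escaped quotes (\"), so the
# pattern stops only at an unescaped quote.
_MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')


def extract_msg(rule_text: str) -> Optional[str]:
    """Return the raw msg value of a rule, or None if the rule has no msg."""
    m = _MSG_RE.search(rule_text)
    return m.group(1) if m else None


def ruleset_from_msg(msg: str, known_prefixes: Optional[Iterable[str]] = None) -> Optional[str]:
    """Ruleset name taken from the first word of msg.

    With known_prefixes=None this is the plain heuristic from the request.
    With an allowlist, an unknown first word yields None instead of a guess,
    which keeps local or vendor rules from being mislabelled.
    """
    words = msg.split(None, 1)
    if not words:
        return None
    first = words[0]
    if known_prefixes is None:
        return first
    return first if first in set(known_prefixes) else None


def ruleset_of_rule(rule_text: str, known_prefixes: Optional[Iterable[str]] = None) -> Optional[str]:
    """Convenience wrapper: rule text in, ruleset name (or None) out."""
    msg = extract_msg(rule_text)
    return None if msg is None else ruleset_from_msg(msg, known_prefixes)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(ruleset_of_rule(rule, KNOWN_PREFIXES), "<-", extract_msg(rule))
```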