Automation: NIDS section added

automation/README.md

@@ -6,7 +6,13 @@ Automation functionality is designed to automatically generate signatures for in
 
 ### Automation URL
 
-The documentation will include a default MISP url (https://<misp url>/) in the examples. Don't forget to replace it with your MISP url.
+The documentation will include a default MISP url in the examples. Don't forget to replace it with your MISP url.
+
+Default MISP url in the documentation:
+
+~~~~
+https://<misp url>/
+~~~~
 
 ### Automation key
 
@@ -159,3 +165,58 @@ To export the attributes of all events that are of the type "domain", use the fo
 https://<misp url>/events/csv/download/false/false/false/false/domain
 ~~~~
 
+### NIDS rules export
+
+Automatic export of all network related attributes is available under the Snort or Suricata rule format. Only published events and attributes marked as IDS Signature are exported.
+
+You can configure your tools to automatically download the following file:
+
+~~~~
+https://<misp url>/events/nids/suricata/download
+https://<misp url>/events/nids/snort/download
+~~~~
+
+The full API syntax is as follows:
+
+~~~~
+https://<misp url>/events/nids/[format]/download/[eventid]/[frame]/[tags]/[from]/[to]/[last]
+~~~~
+
+<dl>
+<dt>format</dt>
+<dd>The export format, can be "suricata" or "snort"</dd>
+<dt>eventid</dt>
+<dd>Restrict the download to a single event</dd>
+<dt>frame</dt>
+<dd>Some commented out explanation framing the data. The reason to disable this would be if you would like to concatenate a list of exports from
+   various select events in order to avoid unnecessary duplication of the comments.</dd>
+<dt>tags</dt>
+<dd>To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag
+   commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will
+   automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:</dd>
+</dl>
+
+~~~~
+https://<misp url>/events/nids/snort/download/false/false/tag1&&tag2&&!tag3
+~~~~
+
+<dl>
+<dt>from</dt>
+<dd>Events with the date set to a date after the one specified in the from field (format: 2015-02-15)</dd>
+<dt>to</dt>
+<dd>Events with the date set to a date before the one specified in the to field (format: 2015-02-15)</dd>
+<dt>last</dt>
+<dd>Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 6d or 12h or 30m)</dd>
+</dl>
+
+The keywords false or null should be used for optional empty parameters in the URL.
+
+An example for a Suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:
+
+~~~~
+https://misppriv.circl.lu/events/nids/suricata/download/null/true/!tag1 
+~~~~
+
+Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export.
+
+