def _alert(ctx):
    cnt = 0
    fw = context.search("FIREWALL INFOS")

    for idmef in ctx.candidates:
        source = idmef.get("alert.source(0).node.address(0).address")
        target = idmef.get("alert.target(0).node.address(0).address")
        dport = str(idmef.get("alert.target(0).service.port", 0))

        if target not in fw._protected_hosts:
            continue

        if (source + dport) in fw._protected_hosts[target][1]:
            continue

        cnt += 1
        ctx.addAlertReference(idmef)

    if cnt > 0:
        ctx.set("alert.classification.text", "Events hit target")
        ctx.set("alert.assessment.impact.severity", "medium")
        ctx.set(
            "alert.assessment.impact.description",
            "The target are known to be protected by a Firewall device, but a set of event have not been dropped"
        )
        ctx.set("alert.correlation_alert.name", "No firewall block observed")
        ctx.alert()

    ctx.destroy()
def _alert(ctx):
        cnt = 0
        fw = context.search("FIREWALL INFOS")

        for idmef in ctx.candidates:
                source = idmef.get("alert.source(0).node.address(0).address")
                target = idmef.get("alert.target(0).node.address(0).address")
                dport = str(idmef.get("alert.target(0).service.port", 0))

                if not target in fw._protected_hosts:
                        continue

                if (source + dport) in fw._protected_hosts[target][1]:
                        continue

                cnt += 1
                ctx.addAlertReference(idmef)

        if cnt > 0:
                ctx.set("alert.classification.text", "Events hit target")
                ctx.set("alert.assessment.impact.severity", "medium")
                ctx.set("alert.assessment.impact.description", "The target are known to be protected by a Firewall device, but a set of event have not been dropped")
                ctx.set("alert.correlation_alert.name", "No firewall block observed")
                ctx.alert()

        ctx.destroy()
    def run(self, idmef):
        ctxt = idmef.get("alert.classification.text")
        if not ctxt:
            return

        # Create context for classification combined with all the target.
        tlist = {}
        for target in idmef.get("alert.target(*).node.address(*).address"):
            ctx = context.Context(("WORM HOST", ctxt, target), {"expire": 300},
                                  overwrite=False,
                                  idmef=idmef,
                                  ruleid=self.name)
            if ctx.getUpdateCount() == 0:
                ctx._target_list = {}

            tlist[target] = True

        for source in idmef.get("alert.source(*).node.address(*).address"):
            # We are trying to see whether a previous target is now attacking other hosts
            # thus, we check whether a context exist with this classification combined to
            # this source.
            ctx = context.search(("WORM HOST", ctxt, source))
            if not ctx:
                continue

            plen = len(ctx._target_list)
            ctx._target_list.update(tlist)

            nlen = len(ctx._target_list)
            if nlen > plen:
                ctx.update(idmef=idmef)

            if nlen >= self.__repeat_target:
                ctx.set("alert.classification.text", "Possible Worm Activity")
                ctx.set(
                    "alert.correlation_alert.name",
                    "Source host is repeating actions taken against it recently"
                )
                ctx.set("alert.assessment.impact.severity", "high")
                ctx.set(
                    "alert.assessment.impact.description", source +
                    " has repeated actions taken against it recently at least %d times. It may have been "
                    "infected with a worm." % self.__repeat_target)
                ctx.alert()
                ctx.destroy()
    def run(self, idmef):
        ctxt = idmef.get("alert.classification.text")
        if not ctxt:
            return

        # Create context for classification combined with all the target.
        tlist = {}
        for target in idmef.get("alert.target(*).node.address(*).address"):
            ctx = context.Context(("WORM HOST", ctxt, target), {"expire": 300}, overwrite=False, idmef=idmef)
            if ctx.getUpdateCount() == 0:
                ctx._target_list = {}

            tlist[target] = True

        for source in idmef.get("alert.source(*).node.address(*).address"):
            # We are trying to see whether a previous target is now attacking other hosts
            # thus, we check whether a context exist with this classification combined to
            # this source.
            ctx = context.search(("WORM HOST", ctxt, source))
            if not ctx:
                continue

            plen = len(ctx._target_list)
            ctx._target_list.update(tlist)

            nlen = len(ctx._target_list)
            if nlen > plen:
                ctx.update(idmef=idmef)

            if nlen >= self.__repeat_target:
                ctx.set("alert.classification.text", "Possible Worm Activity")
                ctx.set("alert.correlation_alert.name", "Source host is repeating actions taken against it recently")
                ctx.set("alert.assessment.impact.severity", "high")
                ctx.set(
                    "alert.assessment.impact.description",
                    source
                    + " has repeated actions taken against it recently at least %d times. It may have been infected with a worm."
                    % (self.__repeat_target),
                )
                ctx.alert()
                ctx.destroy()