def test_02_exists(self):
    """``$exists`` is true for a key the sample ``event`` carries, false for ``$exists: False``."""
    present = {'timestamp': {'$exists': True}}
    self.assertTrue(cmfilter.check(present, event), msg='Filter: %s' % present)
    absent = {'timestamp': {'$exists': False}}
    self.assertFalse(cmfilter.check(absent, event), msg='Filter: %s' % absent)
def test_01_simple(self):
    """A bare ``key: value`` filter is a plain equality test on that key."""
    expectations = (
        ({'connector': 'cengine'}, True),
        ({'connector': 'cengidddddne'}, False),
    )
    for flt, should_match in expectations:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(cmfilter.check(flt, event), msg='Filter: %s' % flt)
def test_07_all(self):
    """``$all`` requires every listed value to be satisfied by the key."""
    single = {'connector': {'$all': ['cengine']}}
    self.assertTrue(cmfilter.check(single, event), msg='Filter: %s' % single)
    # connector holds the one value 'cengine', so it cannot also be 'ccengine'.
    several = {'connector': {'$all': ['cengine', 'ccengine']}}
    self.assertFalse(cmfilter.check(several, event), msg='Filter: %s' % several)
def test_05_in_nin(self):
    """``$in`` matches a listed value; ``$nin`` matches a value that is not listed."""
    matching_filters = (
        {'timestamp': {'$in': [0, 5, 6, 1378713357]}},
        {'timestamp': {'$nin': [0, 5, 6]}},
    )
    for flt in matching_filters:
        self.assertTrue(cmfilter.check(flt, event), msg='Filter: %s' % flt)
def test_04_gt_gte(self):
    """``$gt`` is strict and ``$gte`` inclusive against the sample timestamp (1378713357)."""
    expectations = [
        ({'timestamp': {'$gt': 1378713357}}, self.assertFalse),
        ({'timestamp': {'$gte': 1378713357}}, self.assertTrue),
        ({'timestamp': {'$gt': 137871335}}, self.assertTrue),
    ]
    for flt, verify in expectations:
        verify(cmfilter.check(flt, event), msg='Filter: %s' % flt)
def test_03_eq(self):
    """``$eq`` matches the exact value for both a string and an integer field."""
    hit = {'connector': {'$eq': 'cengine'}}
    self.assertTrue(cmfilter.check(hit, event), msg='Filter: %s' % hit)
    miss = {'connector': {'$eq': 'cenginessssss'}}
    self.assertFalse(cmfilter.check(miss, event), msg='Filter: %s' % miss)
    numeric = {'timestamp': {'$eq': 1378713357}}
    self.assertTrue(cmfilter.check(numeric, event), msg='Filter: %s' % numeric)
def test_08_regex(self):
    """``$regex`` is case-sensitive unless ``$options: 'i'`` is supplied."""
    def verify(flt, assertion):
        assertion(cmfilter.check(flt, event), msg='Filter: %s' % flt)

    verify({'connector': {'$regex': 'c.ngInE'}}, self.assertFalse)
    verify({'connector': {'$regex': 'c.ngInE', '$options': 'i'}}, self.assertTrue)
    # Two wildcards need two characters between 'c' and 'ngine'; 'cengine' has one.
    verify({'connector': {'$regex': 'c..ngine', '$options': 'i'}}, self.assertFalse)
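def match(self, event):
    """Return whether *event* is selected by this selector.

    Evaluation order:
      1. ``include_ids`` -- an event whose ``_id`` is listed always matches.
      2. ``exclude_ids`` -- an event whose ``_id`` is listed never matches.
      3. ``mfilter``     -- otherwise ``cmfilter.check`` decides.

    An unset/empty ``mfilter`` matches every event (fail-open): a selector
    with a missing filter selects everything rather than nothing, so the
    filter should be validated where the selector is built.

    An event without an ``_id`` is never compared against the id lists.
    Previously the include check defaulted a missing id to ``False`` (which
    compares equal to ``0``) and the exclude check to ``''``, so an id list
    containing ``0``/``False`` or ``''`` could wrongly capture id-less events.
    """
    missing = object()
    event_id = event.get('_id', missing)
    if event_id is not missing:
        if self.include_ids and event_id in self.include_ids:
            return True
        if self.exclude_ids and event_id in self.exclude_ids:
            return False
    # A falsy mfilter means "no constraint", not "no match".
    if not self.mfilter:
        return True
    return cmfilter.check(self.mfilter, event)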
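def match(self, event):
    """Return whether *event* is selected by this selector.

    Evaluation order:
      1. ``include_ids`` -- an event whose ``_id`` is listed always matches.
      2. ``exclude_ids`` -- an event whose ``_id`` is listed never matches.
      3. ``mfilter``     -- otherwise ``cmfilter.check`` decides.

    An unset/empty ``mfilter`` matches every event (fail-open): a selector
    with a missing filter selects everything rather than nothing, so the
    filter should be validated where the selector is built.

    An event without an ``_id`` is never compared against the id lists.
    Previously the include check defaulted a missing id to ``False`` (which
    compares equal to ``0``) and the exclude check to ``''``, so an id list
    containing ``0``/``False`` or ``''`` could wrongly capture id-less events.
    """
    missing = object()
    event_id = event.get('_id', missing)
    if event_id is not missing:
        if self.include_ids and event_id in self.include_ids:
            return True
        if self.exclude_ids and event_id in self.exclude_ids:
            return False
    # A falsy mfilter means "no constraint", not "no match".
    if not self.mfilter:
        return True
    return cmfilter.check(self.mfilter, event)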
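def work(self, event, *xargs, **kwargs):
    """Apply the configured pass/drop rules to *event*.

    Rules from ``self.configuration['rules']`` are tried in order. The first
    rule whose ``mfilter`` matches the event decides: ``'pass'`` returns the
    event, ``'drop'`` returns ``DROP``. A matching rule with any other
    ``action`` is logged as a warning and skipped, so later rules still get
    a chance. When no rule decides, ``configuration['default_action']``
    applies; it defaults to ``'pass'`` (fail-open), and any value other than
    ``'drop'`` is treated as pass. Each decision bumps ``pass_event_count``
    or ``drop_event_count``.

    Extra positional/keyword arguments are accepted for interface
    compatibility and ignored. A rule without an ``mfilter`` key raises
    ``KeyError``, as before: a misconfigured rule set is not silently skipped.
    """
    default_action = self.configuration.get('default_action', 'pass')

    for rule in self.configuration.get('rules', []):
        action = rule.get('action')
        name = rule.get('name', 'no_name')
        if not cmfilter.check(rule['mfilter'], event):
            continue
        # First matching rule with a known action decides.
        if action == 'pass':
            self.logger.debug("Event passed by rule '%s'", name)
            self.pass_event_count += 1
            return event
        if action == 'drop':
            self.logger.debug("Event dropped by rule '%s'", name)
            self.drop_event_count += 1
            return DROP
        self.logger.warning("Unknown action '%s'", action)

    # No rule decided: fall back to the default action. The event is only
    # stringified by the logger if the message is actually emitted.
    if default_action == 'drop':
        self.logger.debug("Event '%s' dropped by default action", event)
        self.drop_event_count += 1
        return DROP
    self.logger.debug("Event '%s' passed by default action", event)
    self.pass_event_count += 1
    return event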
def test_06_complex(self):
    """Combined operators (``$and``/``$or``/``$nor``/``$not``, multi-key filters) on the sample ``event``."""
    expectations = [
        ({'timestamp': {'$gt': 0, '$lt': 2378713357}}, True),
        ({'$and': [{'timestamp': {'$gt': 0}}, {'timestamp': {'$lt': 2378713357}}]}, True),
        ({'connector': {'$eq': 'cengine'}, 'timestamp': {'$gt': 137871335}}, True),
        ({'connector': {'$not': {'$eq': 'cccenngine'}}}, True),
        ({'connector': {'$not': {'$eq': 'cengine'}}}, False),
        ({'$nor': [{'connector': {'$eq': 'ccengine'}}, {'connector': {'$eq': 'cccengine'}}]}, True),
        ({'$nor': [{'connector': {'$eq': 'cengine'}}, {'connector': {'$eq': 'cccengine'}}]}, False),
        ({'connector': 'cengine', 'event_type': 'check'}, True),
        ({'$and': [{'connector': 'cengine'}, {'event_type': 'check'}, {'event_type': 'check'}]}, True),
        ({'$or': [{'connector': 'cenginddddde'}, {'event_type': 'check'}, {'event_type': 'checkkkkk'}]}, True),
        ({'$or': [{'$and': [{'connector': 'cenginddddde'}, {'event_type': 'check'}]},
                  {'event_type': 'checkkkkk'}]}, False),
    ]
    # Same assertions, in the same order, as the hand-unrolled version.
    for flt, should_match in expectations:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(cmfilter.check(flt, event), msg='Filter: %s' % flt)