def __init__(self, context):
''' Constructor '''
trace_id = (0, 'Analyze')
self.description = ''
self.rules = []
self.new_alerts = []
self.trace_id = trace_id
self.ruleset = context
self.error_handlers = GearErrorHandlers(context)
self.always_gets_event = []
self.gets_event_by_key = defaultdict(set)
return
class GearAnalyzeRules(object):
''' The rules that do the analysis of the events '''
def __init__(self, context):
''' Constructor '''
trace_id = (0, 'Analyze')
self.description = ''
self.rules = []
self.new_alerts = []
self.trace_id = trace_id
self.ruleset = context
self.error_handlers = GearErrorHandlers(context)
self.always_gets_event = []
self.gets_event_by_key = defaultdict(set)
return
def __str__(self):
outstr = ''
for rule in self.rules:
outstr += str(rule)
return outstr
def read_from_xml(self, xml_element, trace_dict):
'''Add event info defined in an XML events element'''
self.trace_id = trace_dict[xml_element]
for rule_entry in xml_element:
entry_name = rule_entry.tag.split('}')[-1]
if entry_name == 'rule':
self.rules.append(GearRule(rule_entry, trace_dict, self.ruleset))
elif entry_name == 'on_error':
self.error_handlers.read_from_xml_element(rule_entry, trace_dict)
elif entry_name == 'description':
self.description = rule_entry.text
else:
self.parse_error(self.trace_id[0], 'unexpected element {0}'.format(entry_name))
return
def resolve_and_validate(self):
'''Resolve and validate the rules using the gear control info'''
self.error_handlers.resolve_and_validate()
if len(self.rules) == 0:
self.ruleset.parse_error(self.trace_id[0], 'analyze element must contain at least one \'rule\' element')
for rule in self.rules:
rule.resolve_and_validate()
event_checked_info = rule.get_checked_event_info()
if event_checked_info is None:
self.always_gets_event.append(rule)
else:
for ec in event_checked_info:
self.gets_event_by_key[ec].add(rule)
if self.ruleset[GRSE_ANALYZE].error_handlers.check_locations() == True:
# Get the locations to check
used_locs = set()
for rule in self.rules:
t_used_locs = rule.get_used_locations()
if t_used_locs is not None:
used_locs.update(t_used_locs)
self.chk_rpt_loc = False
self.chk_ext_data = set()
for used_loc in used_locs:
gear_var_parts = _parse_gear_variable(used_loc.strip()).split('.')
if gear_var_parts[1] == 'ext':
self.chk_ext_data.add(gear_var_parts[2])
elif gear_var_parts[1] == 'rpt_loc':
self.chk_rpt_loc = True
elif gear_var_parts[1] == 'src_loc':
pass # assuming this one
else:
get_logger().debug('Unexpected value in location: {0}'.format(used_loc))
if len(self.chk_ext_data) == 0:
self.chk_ext_data = None
self.prime = self.prime_CHECK_LOC
self.analyze_event = self.analyze_event_CHECK_LOC
else:
self.prime = self.prime_NO_CHECK
self.analyze_event = self.analyze_event_NO_CHECK
#self.print_cross_ref()
#print str(self.gets_event_by_key)
return
def _check_loc_ok(self, event):
''' Check the location '''
if event.src_loc.is_unprocessable() == True:
self.error_handlers.location_error(event, event.src_loc)
return False
if self.chk_rpt_loc == True \
and event.rpt_loc is not None \
and event.rpt_loc.is_unprocessable() == True:
self.error_handlers.location_error(event, event.rpt_loc)
return False
if self.chk_ext_data is not None:
for ext_var in self.chk_ext_data:
if event.raw_data is not None \
and ext_var in event.raw_data \
and event.raw_data[ext_var] is not None \
and event.raw_data[ext_var].is_unprocessable() == True:
self.error_handlers.location_error(event, event.raw_data[ext_var])
return False
return True
def prime_CHECK_LOC(self, event, pool, gear_ctl):
if self._check_loc_ok(event) == True:
self.prime_NO_CHECK(event, pool, gear_ctl)
return
def analyze_event_CHECK_LOC(self, event, pool, gear_ctl):
if self._check_loc_ok(event) == True:
self.analyze_event_NO_CHECK(event, pool, gear_ctl)
return
def analyze_event_NO_CHECK(self, event, pool, gear_ctl):
''' Fire the events '''
get_logger().debug('Accumulating event {0}'.format(str(event)))
# for rule in self.rules:
# rule.accumulate(event)
for rule in self.always_gets_event:
rule.accumulate(event)
for rule in self.gets_event_by_key[(event.src_comp, event.event_id)]:
rule.accumulate(event)
return
def prime_NO_CHECK(self, event, pool, gear_ctl):
''' Prime the condition with the event '''
get_logger().debug('Priming rule group with event {0}'.format(str(event)))
# for rule in self.rules:
# rule.prime(event)
for rule in self.always_gets_event:
rule.prime(event)
for rule in self.gets_event_by_key[(event.src_comp, event.event_id)]:
rule.prime(event)
return
def get_new_alerts(self):
''' Get any new alerts created by the actions '''
ret_alerts = list(self.new_alerts)
self.new_alerts = []
return ret_alerts
def reset(self):
''' reset the rules '''
get_logger().debug('Reset rule group')
for rule in self.rules:
rule.reset()
return
def get_cross_ref(self):
''' get cross reference information '''
condition_cref = defaultdict(list)
suppression_cref = defaultdict(list)
alert_cref = defaultdict(list)
for rule in self.rules:
conditions, suppressions, alerts = rule.get_cross_ref()
line_num = rule.trace_id[0]
for condition in conditions:
condition_cref[condition].append(line_num)
for suppression in suppressions:
suppression_cref[suppression].append(line_num)
for alert in alerts:
alert_cref[alert].append(line_num)
return {'condition': condition_cref, 'suppression': suppression_cref, 'create alert': alert_cref}
def print_cross_ref(self):
''' print the cross reference '''
cref_dict = self.get_cross_ref()
cref_keys = cref_dict.keys()
cref_keys.sort()
for cref_key in cref_keys:
print '\nCross reference where id is referenced by {0} (list of rule start line numbers)'.format(cref_key)
entry_keys = cref_dict[cref_key].keys()
entry_keys.sort()
for entry_key in entry_keys:
print ' {0}: {1}'.format(str(entry_key), str(cref_dict[cref_key][entry_key]))
return
def close_pool(self, pool, gear_ctl):
''' Close pool processing '''
alerts = []
for rule in self.rules:
rule.execute_suppression_stage(pool, gear_ctl)
for rule in self.rules:
new_alerts = rule.execute_alert_stage(pool, gear_ctl)
if new_alerts is not None and len(new_alerts) != 0:
alerts.extend(new_alerts)
#print 'returning alerts ' + str(alerts)
return alerts
