def test_parse_rule_with_two_metadata():
    """Two separate ``metadata`` keywords are kept as two distinct options."""
    text = (
        'alert tcp any any -> any any (msg:"Message"; metadata:former_category TROJAN; '
        'sid:1; rev:1; metadata:malware_family Crypton, malware_family Nemesis;)'
    )
    rule = parse_rule(text)
    metadata_count = sum(1 for opt in rule.options if opt.name == "metadata")
    assert metadata_count == 2
def test_add_option_with_index():
    """``add_option(..., index=1)`` places the new option before ``sid``."""
    rule = parse_rule('alert http any any -> any any (msg:"Message";sid:1;)')
    rule.add_option("http_uri", index=1)
    expected = 'alert http any any -> any any (msg:"Message"; http_uri; sid:1;)'
    assert str(rule) == expected
    assert Option("http_uri") == rule.options[1]
def test_add_option():
    """``add_option`` without an index appends after the last option."""
    rule = parse_rule('alert http any any -> any any (msg:"Message";sid:1;)')
    rule.add_option("http_uri")
    expected = 'alert http any any -> any any (msg:"Message"; sid:1; http_uri;)'
    assert str(rule) == expected
    assert Option("http_uri") == rule.options[2]
def test_parse_rule_with_list():
    """A bracketed address list in the header is preserved verbatim."""
    text = 'alert http any any -> [1.1.1.1, 1.1.1.2] any (sid:1; rev:1; http_uri;)'
    parsed = parse_rule(text)
    assert parsed
    assert parsed.enabled
    assert (parsed.action, parsed.header) == (
        "alert",
        "http any any -> [1.1.1.1, 1.1.1.2] any",
    )
def test_change_classtype():
    """Popping ``classtype`` and adding a new one updates the ``classtype`` property."""
    text = (
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; '
        'metadata:k v;)'
    )
    rule = parse_rule(text)
    assert rule.classtype == 'trojan-activity'
    # Replace rather than append: a rule carries a single classtype.
    rule.pop_option("classtype")
    rule.add_option("classtype", "backdoor")
    assert rule.classtype == "backdoor"
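def rule_filter(all_lines, mode='released'):
    """Comment out enabled rules whose classtype is ``protocol-command-decode``.

    Args:
        all_lines: iterable of raw rule-file lines, one rule per line.
        mode: accepted for call compatibility; this function does not read it.

    Returns:
        list[str]: the input lines in their original order.  An uncommented
        line that ``parse_rule`` turns into a rule with classtype
        ``protocol-command-decode`` is returned prefixed with ``'# '``; every
        other line (blank lines, comments, text ``parse_rule`` returns
        ``None`` for) is passed through unchanged.
    """
    after_filter = []
    for line in all_lines:
        # Only an uncommented line can be disabled, so parse only those.
        # Guarding on the line first also avoids IndexError on an empty line
        # and AttributeError when parse_rule returns None for non-rule text.
        if line and line[0] != '#':
            rule = parse_rule(line)
            if rule is not None and rule.classtype == 'protocol-command-decode':
                line = '# ' + line
        after_filter.append(line)
    return after_filter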
def test_pop_option():
    """``pop_option`` removes exactly the named option and nothing else."""
    original = (
        'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick '
        'in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; '
        'content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emerging'
        'threats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2; gid:1;)'
    )
    without_pcre = (
        'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick '
        'in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; '
        'content:”NICK “; reference:url,doc.emergingthreats.net/2008124; '
        'classtype:trojan-activity; sid:2008124; rev:2; gid:1;)'
    )
    rule = parse_rule(original)
    assert rule
    rule.pop_option("pcre")
    # Ten options before the pop, nine after.
    assert len(rule.options) == 9
    assert str(rule) == without_pcre
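def parse_a_rule(line):
    """Parse one rule line into a plain dict.

    Args:
        line: raw rule text as read from a rule file.

    Returns:
        dict | None: ``None`` when ``parse_rule`` yields no rule (comment or
        non-rule text) or when the parsed rule is disabled.  Otherwise a dict
        with the keys ``sid``, ``gid``, ``rev``, ``action``, ``classtype``,
        ``msg``, ``header``, ``metadata`` and ``options``; ``metadata`` and
        ``options`` are passed through ``parse_list_value`` first.
    """
    rule = parse_rule(line)
    # Guard clauses replace the original nested ifs; a disabled rule is
    # deliberately reported as None, same as a non-rule line.
    if not rule or not rule.enabled:
        return None
    return {
        'sid': rule.sid,
        # NOTE(review): reads the private ``_gid`` attribute; no public
        # accessor is visible from this file — confirm against the Rule class.
        'gid': rule._gid,
        'rev': rule.rev,
        'action': rule.action,
        'classtype': rule.classtype,
        'msg': rule.msg,
        'header': rule.header,
        'metadata': parse_list_value(rule.metadata),
        'options': parse_list_value(rule.options),
    }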
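def test_parse_rule():
    """Parse a full ET-style rule and check header, sid/rev, msg and option count.

    The two ``pcre`` fragments are raw strings: in the original non-raw
    literals Python decoded ``\\x3a`` to ``:`` and ``\\r`` to a carriage
    return and flagged ``\\/``, ``\\s`` and ``\\.`` as invalid escape
    sequences (a SyntaxWarning on 3.12+), so the parser was never fed the
    rule text as written.  Raw strings keep the PCRE backslashes literal.
    """
    text = (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June '
        '19 2012 exe or zip"; flow:established,to_server; content:"setup."; '
        'fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; '
        r'flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?'
        r'setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; '
        'reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; '
        'classtype:trojan-activity; sid: 2014929; rev: 1;)'
    )
    parsed = parse_rule(text)
    assert parsed.enabled is True
    assert parsed.action == "alert"
    assert parsed.header == "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"
    # ``sid: 2014929`` / ``rev: 1`` carry a space after the colon and must
    # still parse as integers.
    assert parsed.sid == 2014929
    assert parsed.rev == 1
    assert parsed.msg == (
        'ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip'
    )
    # msg, flow, content, fast_pattern, http_uri, content, flowbits, flowbits,
    # http_header, pcre, pcre, metadata, reference, classtype, sid, rev.
    assert len(parsed.options) == 16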
def test_rule_data_repr():
    """``to_dict`` exposes enabled flag, action, header and the option list."""
    text = (
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; '
        'metadata:k v;)'
    )
    rule = parse_rule(text)
    expected_options = [
        {"name": "msg", "value": '"Message"'},
        {"name": "classtype", "value": "trojan-activity"},
        # metadata is the one option whose value is a list.
        {"name": "metadata", "value": ["k v"]},
    ]
    expected = {
        "enabled": True,
        "action": "alert",
        "header": "tcp any any -> any any",
        "options": expected_options,
    }
    assert expected == rule.to_dict()
def test_parse_something():
    """A comment line that is not a rule parses to ``None``."""
    assert parse_rule('# This is suricata rule') is None
def test_parse_rule_with_wrong_action():
    """An unknown action keyword (``dig``) yields ``None`` rather than a rule."""
    result = parse_rule('dig tcp any any - any any (sid:1;)')
    assert result is None
def test_parse_rule_with_broken_options():
    """A missing trailing ``;`` in the options block raises ``RuleParseException``."""
    broken = 'alert tcp any any -> any any (sid:1)'
    # Callable form of pytest.raises, equivalent to the context-manager form.
    pytest.raises(RuleParseException, parse_rule, broken)
def test_turn_off_rule():
    """``enabled`` is a writable flag that starts True for an uncommented rule."""
    rule = parse_rule('alert tcp any any -> any any (sid: 1;)')
    assert rule.enabled
    rule.enabled = False
    assert rule.enabled is False
def test_parse_commented_and_space_rule():
    """Several ``#`` and spaces before a rule disable it; ``raw`` drops the prefix."""
    body = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Text";)'
    parsed = parse_rule('## #' + body)
    assert parsed.enabled is False
    assert parsed.raw == body
def test_parse_double_commented_rule():
    """A ``## `` prefix disables the rule and is stripped from ``raw``."""
    body = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";)'
    parsed = parse_rule('## ' + body)
    assert parsed.enabled is False
    assert parsed.raw == body
def test_parse_disabled_rule():
    """A single ``# `` prefix parses as a disabled rule."""
    parsed = parse_rule(
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";)'
    )
    assert parsed.enabled is False
def test_get_option():
    """``get_option`` returns a list of matching ``Option`` objects."""
    text = (
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; '
        'metadata:k v;)'
    )
    rule = parse_rule(text)
    # The msg value keeps its surrounding double quotes.
    assert [Option("msg", '"Message"')] == rule.get_option("msg")
def test_parse_rule_with_semicolon_in_msg():
    """An escaped ``\\;`` inside ``msg`` does not terminate the option."""
    # Raw strings: the rule text contains a literal backslash before ';'.
    rule = parse_rule(r'alert tcp any any -> any any (msg:"Message\;text";)')
    assert rule.msg == r'Message\;text'
def test_parse_rule_with_colon_in_options():
    """A ``:`` inside a quoted ``msg`` value is not treated as a key separator."""
    rule = parse_rule('alert tcp any any -> any any (msg:"Message: text";)')
    assert rule
    assert 'Message: text' == rule.msg
def test_parse_rule_with_empty_metadata():
    """A bare ``metadata;`` keyword with no value raises ``RuleParseException``."""
    pytest.raises(
        RuleParseException,
        parse_rule,
        'alert tcp any any -> any any (sid:1; metadata;)',
    )
def test_parse_rule_like_string():
    """Text that merely contains parentheses is not mistaken for a rule."""
    not_rules = (
        "# I am Senate (c)",
        " I am Senate (c)",
        "You (Senate)",
        "#()",
    )
    for text in not_rules:
        assert parse_rule(text) is None
def test_rule_repr():
    """``str()`` of a disabled rule is the rule text prefixed with ``'# '``."""
    body = 'alert http any any -> any any (sid: 1; http_uri;)'
    rule = parse_rule(body)
    rule.enabled = False
    assert str(rule) == '# ' + body