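def test_scratch(self):
    """Check that a parsed rule can be turned back into its exact source text.

    The rule is parsed with ``idstools.rule.parse`` and compared against the
    input in two ways: through ``str(rule)``, and through the header joined
    with ``rule.rebuild_options()``. Any byte the parser drops or rewrites
    means the rule written back out is no longer the signature that was read
    in, so both comparisons require exact equality.
    """
    # NOTE(review): this literal is not a raw string, so Python itself
    # interprets "\x3a" as ":" and "\r" as a carriage return before the
    # parser sees them; the remaining backslash pairs ("\/", "\.", "\s") are
    # kept verbatim but are invalid escapes that newer interpreters warn
    # about. The text under test is therefore not byte-for-byte the rule as
    # it would appear in a rules file. The value is left unchanged here;
    # confirm whether a raw string (r"""...""") was intended.
    rule_string = """alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)"""

    rule = idstools.rule.parse(rule_string)

    # assertEqual replaces the assertEquals alias, which was deprecated and
    # then removed from unittest in Python 3.12.
    self.assertEqual(rule_string, str(rule))

    # Second path: rebuild the text from the parsed header and options.
    reassembled = "%s (%s)" % (rule["header"], rule.rebuild_options())

    # Print both forms so a mismatch can be compared by eye in the test log.
    print("")
    print(rule_string)
    print(reassembled)

    self.assertEqual(rule_string, reassembled)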