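def process_rule(single_rule, rule_dict):
    """Persist one rule's text as Rule, MetaData, RuleStrings and Condition rows.

    Args:
        single_rule: the text of exactly one rule, from ``rule `` through the
            closing ``}``.  It is parsed with regular expressions, so the
            ``condition:`` marker must be present and the optional ``meta:``
            and ``strings:`` sections must come before it, in that order.
        rule_dict: dict carrying ``'rule_category'`` and ``'rule_source'``,
            both copied onto the new Rule.

    Raises:
        ValueError: if no ``condition:`` section can be found.  This is
            checked before anything is written, so a malformed rule never
            leaves a Rule row behind without its Condition.
    """
    # Break a rule down in to sections.  The name is whatever precedes the
    # first '{', minus the 'rule ' keyword (trailing whitespace is kept,
    # as the original did).
    rule_name = single_rule.split('{')[0].replace('rule ', '')

    # The condition is mandatory: parse it first so a missing section fails
    # before new_rule.save() rather than after it.
    condition_match = re.findall('condition:(.*)}', single_rule, re.DOTALL)
    if not condition_match:
        raise ValueError('no condition section found in rule %r' % rule_name)
    condition = condition_match[0].strip()

    new_rule = Rule()
    new_rule.rule_name = rule_name
    new_rule.rule_category = rule_dict['rule_category']
    new_rule.rule_source = rule_dict['rule_source']
    new_rule.rule_version = 1
    new_rule.save()

    # MetaData: everything between 'meta:' and 'strings:'.  Because the
    # pattern needs both markers, a rule without a strings section
    # contributes no metadata here.
    meta_list = re.findall('meta:(.*)strings:', single_rule, re.DOTALL)
    if meta_list:
        with transaction.commit_on_success():
            for line in meta_list[0].split('\n'):
                if '=' not in line:
                    continue
                # Split on the first '=' only so a value containing '='
                # is not truncated.
                key, raw_value = line.split('=', 1)
                quoted = re.findall('"(.*)"', line)
                # Quoted values lose their quotes; bare values (numbers,
                # booleans) are stored as written.
                value = quoted[0] if quoted else raw_value
                MetaData(rule=new_rule,
                         meta_key=key.strip(),
                         meta_value=value.strip()).save()

    # Strings: everything between 'strings:' and 'condition:'.
    string_list = re.findall('strings:(.*)condition:', single_rule, re.DOTALL)
    if string_list:
        with transaction.commit_on_success():
            for line in string_list[0].split('\n'):
                if '=' not in line:
                    continue
                # "$name = <value> [modifiers]"; split once so an '=' inside
                # the value does not truncate it.
                key, string_data = line.split('=', 1)
                key = key.strip()
                string_data = string_data.strip()

                string_type = None
                string_value = None
                string_nocase = string_wide = string_full = string_ascii = False

                if string_data.startswith('"'):
                    standard_string = re.findall('"(.*)"', line)
                    if standard_string:
                        string_type = 'String'
                        string_value = standard_string[0]
                        # Modifiers follow the closing quote.
                        modifiers = line.split('"')[-1]
                        string_nocase = 'nocase' in modifiers
                        string_wide = 'wide' in modifiers
                        string_full = 'fullword' in modifiers
                        string_ascii = 'ascii' in modifiers
                elif string_data.startswith('{'):
                    # Check for a hex string
                    hex_string = re.findall(r'\{(.*)\}', line)
                    if hex_string:
                        string_type = 'Hex'
                        string_value = hex_string[0]
                elif string_data.startswith('/'):
                    # Check for a regex.
                    # This has an annoying habit of matching comments, hence
                    # the '' / '/' exclusions.  Modifiers on regex strings
                    # are not recorded.
                    reg_string = re.findall('/(.*)/', line)
                    if reg_string and reg_string[0] not in ('', '/'):
                        string_type = 'RegEx'
                        string_value = reg_string[0]

                if string_type is None:
                    # Not a string definition we recognise (comment, blank).
                    continue
                RuleStrings(rule=new_rule,
                            string_type=string_type,
                            string_name=key,
                            string_value=string_value,
                            string_nocase=string_nocase,
                            string_wide=string_wide,
                            string_full=string_full,
                            string_ascii=string_ascii).save()

    # Condition
    Condition(rule=new_rule, condition=condition).save()

    # Store the category if it is not known yet.  A filtered existence
    # query replaces loading every Category row into a list.
    category_name = rule_dict['rule_category']
    if not Category.objects.filter(cat_name=category_name).exists():
        Category(cat_name=category_name).save()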
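def _update_rule_meta(request, rule):
    """Sync the rule's MetaData rows with the meta_id/metaKeys/metaValues lists.

    Rows posted with meta_id 'new' are created, existing ids are updated, and
    any of the rule's rows the form no longer lists are deleted.

    Returns:
        An error message to show the user, or None on success.
    """
    meta_ids = request.POST.getlist('meta_id')
    meta_keys = request.POST.getlist('metaKeys')
    meta_values = request.POST.getlist('metaValues')
    # The three lists are parallel; indexing one by another's length used to
    # raise IndexError on a truncated or hand-built form.
    if not (len(meta_ids) == len(meta_keys) == len(meta_values)):
        return "Meta data form fields do not match up"

    meta_save = []
    for meta_id, meta_key, meta_value in zip(meta_ids, meta_keys, meta_values):
        if meta_id == 'new':
            meta_data = MetaData(rule=rule)
        else:
            # Scope the lookup to this rule so a tampered meta_id cannot
            # rewrite another rule's metadata.
            try:
                meta_data = MetaData.objects.get(pk=meta_id, rule=rule)
            except (MetaData.DoesNotExist, ValueError):
                return "Unknown meta data id for this rule"
        meta_data.meta_key = meta_key
        meta_data.meta_value = meta_value
        meta_data.save()
        meta_save.append(meta_data.id)

    # Delete Rows the form no longer lists
    stale = rule.metadata_set.exclude(id__in=meta_save)
    for obj in stale:
        print("dropping Meta with ID %s" % obj.id)
    stale.delete()
    return None


def _update_rule_strings(request, rule):
    """Sync the rule's RuleStrings rows with the string_* form lists.

    Same create/update/delete scheme as _update_rule_meta; the four flag
    lists carry '1' for a set flag.

    Returns:
        An error message to show the user, or None on success.
    """
    string_ids = request.POST.getlist('string_id')
    string_names = request.POST.getlist('stringName')
    string_values = request.POST.getlist('stringValues')
    string_nocases = request.POST.getlist('caseValues')
    string_wides = request.POST.getlist('wideValues')
    string_fulls = request.POST.getlist('fullValues')
    string_asciis = request.POST.getlist('asciiValues')
    columns = (string_ids, string_names, string_values, string_nocases,
               string_wides, string_fulls, string_asciis)
    if len(set(len(col) for col in columns)) != 1:
        return "String form fields do not match up"

    # Collect the string vars
    string_save = []
    for string_id, name, value, nocase, wide, full, ascii_flag in zip(*columns):
        if string_id == 'new':
            rule_strings = RuleStrings(rule=rule)
        else:
            # Scope the lookup to this rule so a tampered string_id cannot
            # rewrite another rule's strings.
            try:
                rule_strings = RuleStrings.objects.get(pk=string_id, rule=rule)
            except (RuleStrings.DoesNotExist, ValueError):
                return "Unknown string id for this rule"
        rule_strings.string_name = name
        rule_strings.string_value = value
        rule_strings.string_nocase = nocase == '1'
        rule_strings.string_wide = wide == '1'
        rule_strings.string_full = full == '1'
        rule_strings.string_ascii = ascii_flag == '1'
        rule_strings.save()
        string_save.append(rule_strings.id)

    # Delete Rows the form no longer lists
    stale = rule.rulestrings_set.exclude(id__in=string_save)
    for obj in stale:
        print("dropping String with ID %s" % obj.id)
    stale.delete()
    return None


def post_data(request, add_type):
    """
    Add Type is passed via the URI
    Valid Types and actions are:
        rule - delete, update ('new' is accepted but not implemented yet)
        addfile - new

    Every branch requires an authenticated user.  Inputs that used to surface
    as an unhandled exception (missing POST field, unknown or tampered id,
    form lists of different lengths) are rendered through error.html instead.
    """
    # If not authenticated
    if not request.user.is_authenticated():
        error_line = "You need to be logged in to perform that action"
        return render(request, 'error.html', {'error': error_line})

    # Get all the POST Vars.  A form without an action is treated like an
    # unknown one rather than raising on request.POST['action'].
    action = request.POST.get('action')
    if action is None:
        return render(request, 'error.html', {'error': "Not a valid Action Type"})

    if add_type == 'rule':
        rule_id = request.POST.get('rule_id')
        # NOTE(review): only authentication is checked; nothing visible ties
        # a Rule to an owner, so any logged-in user can delete or edit any rule.
        if action == 'delete':
            try:
                Rule.objects.filter(id=rule_id).delete()
            except ValueError:
                return render(request, 'error.html', {'error': "Not a valid rule id"})
            return redirect('/')

        if action == 'new':
            # need to get the rule details in to post before i look at this.
            # Return here: falling through used to reach the update code
            # with `rule` unbound.
            error_line = "Creating a rule from this form is not supported yet"
            return render(request, 'error.html', {'error': error_line})
        if action != 'update':
            error_line = "Not a valid Action Type"
            return render(request, 'error.html', {'error': error_line})

        try:
            rule = Rule.objects.get(pk=rule_id)
        except (Rule.DoesNotExist, ValueError):
            return render(request, 'error.html', {'error': "Not a valid rule id"})
        # The condition is not editable from this form, so it is left alone;
        # only the version counter moves.
        rule.rule_version += 1
        rule.save()

        error_line = _update_rule_meta(request, rule)
        if error_line is None:
            error_line = _update_rule_strings(request, rule)
        if error_line is not None:
            return render(request, 'error.html', {'error': error_line})

        return redirect('/rule/{0}'.format(rule_id))

    # Add Rules
    if add_type == 'addfile':
        upload = request.FILES.get('rule_file')
        rule_source = request.POST.get('Source')
        rule_category = request.POST.get('Category')
        if upload is not None and action == 'new':
            if rule_source is None or rule_category is None:
                error_line = "Source and Category are required"
                return render(request, 'error.html', {'error': error_line})
            # The whole upload is read into memory; nothing here bounds its
            # size, so that rests on the project's upload limits.
            rule_data = upload.read()
            ruleparser.split_rules({'rule_data': rule_data,
                                    'rule_source': rule_source,
                                    'rule_category': rule_category})
    return redirect('/')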
            
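def process_rule(single_rule, rule_dict):
    """Persist one rule's text as Rule, MetaData, RuleStrings and Condition rows.

    Args:
        single_rule: the text of exactly one rule, from ``rule `` through the
            closing ``}``.  It is parsed with regular expressions, so the
            ``condition:`` marker must be present and the optional ``meta:``
            and ``strings:`` sections must come before it, in that order.
            rule_hash is the SHA-256 of its UTF-8 bytes (of the raw bytes if
            it already is a byte string, which is what a Python 2 str is).
        rule_dict: dict carrying ``'rule_category'`` (a tag name handed to
            ``AddNew_Tag``) and ``'rule_source'``.

    Returns:
        ``()`` when the Rule could not be saved -- presumably an integrity
        error on a duplicate rule_hash, which is what the original handled
        here -- and ``None`` otherwise.  Callers test for the empty tuple, so
        that contract is kept.

    Raises:
        ValueError: if no ``condition:`` section can be found.  This is
            checked before anything is written, so a malformed rule never
            leaves a Rule row behind without its Condition.
    """
    # Break a rule down in to sections.  The name is whatever precedes the
    # first '{', minus the 'rule ' keyword.
    rule_name = single_rule.split('{')[0].replace('rule ', '')

    # The condition is mandatory: parse it first so a missing section fails
    # before anything is saved.
    condition_match = re.findall('condition:(.*)}', single_rule, re.DOTALL)
    if not condition_match:
        raise ValueError('no condition section found in rule %r' % rule_name)
    condition = condition_match[0].strip()

    # Store the category
    cat = AddNew_Tag(rule_dict['rule_category'])

    new_rule = Rule()
    # Unique hash of the rule body.  Hash bytes as-is; only encode text, so a
    # Python 2 byte string with non-ASCII content is not implicitly decoded.
    if isinstance(single_rule, bytes):
        body = single_rule
    else:
        body = single_rule.encode('utf8')
    new_rule.rule_hash = hashlib.sha256(body).hexdigest()
    new_rule.rule_name = rule_name
    new_rule.rule_source = rule_dict['rule_source']
    new_rule.rule_version = 1

    # With integrity error avoid duplicate.  atomic() keeps save()+add()
    # all-or-nothing and, under an outer transaction, makes this a savepoint
    # so the caught error does not poison that transaction.
    try:
        with transaction.atomic():
            new_rule.save()
            new_rule.rule_category.add(cat)
    except Exception:
        return ()

    # MetaData: everything between 'meta:' and 'strings:'.  Because the
    # pattern needs both markers, a rule without a strings section
    # contributes no metadata here.
    meta_list = re.findall('meta:(.*)strings:', single_rule, re.DOTALL)
    if meta_list:
        with transaction.atomic():
            for line in meta_list[0].split('\n'):
                if '=' not in line:
                    continue
                # Split on the first '=' only so a value containing '='
                # is not truncated.
                key, raw_value = line.split('=', 1)
                quoted = re.findall('"(.*)"', line)
                # Quoted values lose their quotes; bare values (numbers,
                # booleans) are stored as written.
                value = quoted[0] if quoted else raw_value
                MetaData(rule=new_rule,
                         meta_key=key.strip(),
                         meta_value=value.strip()).save()

    # Strings: everything between 'strings:' and 'condition:'.
    string_list = re.findall('strings:(.*)condition:', single_rule, re.DOTALL)
    if string_list:
        with transaction.atomic():
            for line in string_list[0].split('\n'):
                if '=' not in line:
                    continue
                # "$name = <value> [modifiers]"; split once so an '=' inside
                # the value does not truncate it.
                key, string_data = line.split('=', 1)
                key = key.strip()
                string_data = string_data.strip()

                string_type = None
                string_value = None
                string_nocase = string_wide = string_full = string_ascii = False

                if string_data.startswith('"'):
                    standard_string = re.findall('"(.*)"', line)
                    if standard_string:
                        string_type = 'String'
                        string_value = standard_string[0]
                        # Modifiers follow the closing quote.
                        modifiers = line.split('"')[-1]
                        string_nocase = 'nocase' in modifiers
                        string_wide = 'wide' in modifiers
                        string_full = 'fullword' in modifiers
                        string_ascii = 'ascii' in modifiers
                elif string_data.startswith('{'):
                    # Check for a hex string
                    hex_string = re.findall(r'\{(.*)\}', line)
                    if hex_string:
                        string_type = 'Hex'
                        string_value = hex_string[0]
                elif string_data.startswith('/'):
                    # Check for a regex.
                    # This has an annoying habit of matching comments, hence
                    # the '' / '/' exclusions.  Modifiers on regex strings
                    # are not recorded.
                    reg_string = re.findall('/(.*)/', line)
                    if reg_string and reg_string[0] not in ('', '/'):
                        string_type = 'RegEx'
                        string_value = reg_string[0]

                if string_type is None:
                    # Not a string definition we recognise (comment, blank).
                    continue
                RuleStrings(rule=new_rule,
                            string_type=string_type,
                            string_name=key,
                            string_value=string_value,
                            string_nocase=string_nocase,
                            string_wide=string_wide,
                            string_full=string_full,
                            string_ascii=string_ascii).save()

    # Condition
    Condition(rule=new_rule, condition=condition).save()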
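def _update_rule_meta(request, rule):
    """Sync the rule's MetaData rows with the meta_id/metaKeys/metaValues lists.

    Rows posted with meta_id 'new' are created, existing ids are updated, and
    any of the rule's rows the form no longer lists are deleted.

    Returns:
        An error message to show the user, or None on success.
    """
    meta_ids = request.POST.getlist('meta_id')
    meta_keys = request.POST.getlist('metaKeys')
    meta_values = request.POST.getlist('metaValues')
    # The three lists are parallel; indexing one by another's length used to
    # raise IndexError on a truncated or hand-built form.
    if not (len(meta_ids) == len(meta_keys) == len(meta_values)):
        return "Meta data form fields do not match up"

    meta_save = []
    for meta_id, meta_key, meta_value in zip(meta_ids, meta_keys, meta_values):
        if meta_id == 'new':
            meta_data = MetaData(rule=rule)
        else:
            # Scope the lookup to this rule so a tampered meta_id cannot
            # rewrite another rule's metadata.
            try:
                meta_data = MetaData.objects.get(pk=meta_id, rule=rule)
            except (MetaData.DoesNotExist, ValueError):
                return "Unknown meta data id for this rule"
        meta_data.meta_key = meta_key
        meta_data.meta_value = meta_value
        meta_data.save()
        meta_save.append(meta_data.id)

    # Delete Rows the form no longer lists
    stale = rule.metadata_set.exclude(id__in=meta_save)
    for obj in stale:
        print("dropping Meta with ID %s" % obj.id)
    stale.delete()
    return None


def _update_rule_strings(request, rule):
    """Sync the rule's RuleStrings rows with the string_* form lists.

    Same create/update/delete scheme as _update_rule_meta; the four flag
    lists carry '1' for a set flag.

    Returns:
        An error message to show the user, or None on success.
    """
    string_ids = request.POST.getlist('string_id')
    string_names = request.POST.getlist('stringName')
    string_values = request.POST.getlist('stringValues')
    string_nocases = request.POST.getlist('caseValues')
    string_wides = request.POST.getlist('wideValues')
    string_fulls = request.POST.getlist('fullValues')
    string_asciis = request.POST.getlist('asciiValues')
    columns = (string_ids, string_names, string_values, string_nocases,
               string_wides, string_fulls, string_asciis)
    if len(set(len(col) for col in columns)) != 1:
        return "String form fields do not match up"

    # Collect the string vars
    string_save = []
    for string_id, name, value, nocase, wide, full, ascii_flag in zip(*columns):
        if string_id == 'new':
            rule_strings = RuleStrings(rule=rule)
        else:
            # Scope the lookup to this rule so a tampered string_id cannot
            # rewrite another rule's strings.
            try:
                rule_strings = RuleStrings.objects.get(pk=string_id, rule=rule)
            except (RuleStrings.DoesNotExist, ValueError):
                return "Unknown string id for this rule"
        rule_strings.string_name = name
        rule_strings.string_value = value
        rule_strings.string_nocase = nocase == '1'
        rule_strings.string_wide = wide == '1'
        rule_strings.string_full = full == '1'
        rule_strings.string_ascii = ascii_flag == '1'
        rule_strings.save()
        string_save.append(rule_strings.id)

    # Delete Rows the form no longer lists
    stale = rule.rulestrings_set.exclude(id__in=string_save)
    for obj in stale:
        print("dropping String with ID %s" % obj.id)
    stale.delete()
    return None


def post_data(request, add_type):
    """
    Add Type is passed via the URI
    Valid Types and actions are:
        rule - delete, update ('new' is accepted but not implemented yet)
        addfile - new

    Every branch requires an authenticated user.  Inputs that used to surface
    as an unhandled exception (missing POST field, unknown or tampered id,
    form lists of different lengths) are rendered through error.html instead.
    """
    # If not authenticated
    if not request.user.is_authenticated():
        error_line = "You need to be logged in to perform that action"
        return render(request, 'error.html', {'error': error_line})

    # Get all the POST Vars.  A form without an action is treated like an
    # unknown one rather than raising on request.POST['action'].
    action = request.POST.get('action')
    if action is None:
        return render(request, 'error.html', {'error': "Not a valid Action Type"})

    if add_type == 'rule':
        rule_id = request.POST.get('rule_id')
        # NOTE(review): only authentication is checked; nothing visible ties
        # a Rule to an owner, so any logged-in user can delete or edit any rule.
        if action == 'delete':
            try:
                Rule.objects.filter(id=rule_id).delete()
            except ValueError:
                return render(request, 'error.html', {'error': "Not a valid rule id"})
            return redirect('/')

        if action == 'new':
            # need to get the rule details in to post before i look at this.
            # Return here: falling through used to reach the update code
            # with `rule` unbound.
            error_line = "Creating a rule from this form is not supported yet"
            return render(request, 'error.html', {'error': error_line})
        if action != 'update':
            error_line = "Not a valid Action Type"
            return render(request, 'error.html', {'error': error_line})

        try:
            rule = Rule.objects.get(pk=rule_id)
        except (Rule.DoesNotExist, ValueError):
            return render(request, 'error.html', {'error': "Not a valid rule id"})
        # The condition is not editable from this form, so it is left alone;
        # only the version counter moves.
        rule.rule_version += 1
        rule.save()

        error_line = _update_rule_meta(request, rule)
        if error_line is None:
            error_line = _update_rule_strings(request, rule)
        if error_line is not None:
            return render(request, 'error.html', {'error': error_line})

        return redirect('/rule/{0}'.format(rule_id))

    # Add Rules
    if add_type == 'addfile':
        upload = request.FILES.get('rule_file')
        rule_source = request.POST.get('Source')
        rule_category = request.POST.get('Category')
        if upload is not None and action == 'new':
            if rule_source is None or rule_category is None:
                error_line = "Source and Category are required"
                return render(request, 'error.html', {'error': error_line})
            # The whole upload is read into memory; nothing here bounds its
            # size, so that rests on the project's upload limits.
            rule_data = upload.read()
            ruleparser.split_rules({'rule_data': rule_data,
                                    'rule_source': rule_source,
                                    'rule_category': rule_category})
    return redirect('/')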
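def process_rule(single_rule, rule_dict):
    """Persist one rule's text as Rule, MetaData, RuleStrings and Condition rows.

    Args:
        single_rule: the text of exactly one rule, from ``rule `` through the
            closing ``}``.  It is parsed with regular expressions, so the
            ``condition:`` marker must be present and the optional ``meta:``
            and ``strings:`` sections must come before it, in that order.
        rule_dict: dict carrying ``'rule_category'`` and ``'rule_source'``,
            both copied onto the new Rule.

    Raises:
        ValueError: if no ``condition:`` section can be found.  This is
            checked before anything is written, so a malformed rule never
            leaves a Rule row behind without its Condition.
    """
    # Break a rule down in to sections.  The name is whatever precedes the
    # first '{', minus the 'rule ' keyword (trailing whitespace is kept,
    # as the original did).
    rule_name = single_rule.split('{')[0].replace('rule ', '')

    # The condition is mandatory: parse it first so a missing section fails
    # before new_rule.save() rather than after it.
    condition_match = re.findall('condition:(.*)}', single_rule, re.DOTALL)
    if not condition_match:
        raise ValueError('no condition section found in rule %r' % rule_name)
    condition = condition_match[0].strip()

    new_rule = Rule()
    new_rule.rule_name = rule_name
    new_rule.rule_category = rule_dict['rule_category']
    new_rule.rule_source = rule_dict['rule_source']
    new_rule.rule_version = 1
    new_rule.save()

    # MetaData: everything between 'meta:' and 'strings:'.  Because the
    # pattern needs both markers, a rule without a strings section
    # contributes no metadata here.
    meta_list = re.findall('meta:(.*)strings:', single_rule, re.DOTALL)
    if meta_list:
        with transaction.commit_on_success():
            for line in meta_list[0].split('\n'):
                if '=' not in line:
                    continue
                # Split on the first '=' only so a value containing '='
                # is not truncated.
                key, raw_value = line.split('=', 1)
                quoted = re.findall('"(.*)"', line)
                # Quoted values lose their quotes; bare values (numbers,
                # booleans) are stored as written.
                value = quoted[0] if quoted else raw_value
                MetaData(rule=new_rule,
                         meta_key=key.strip(),
                         meta_value=value.strip()).save()

    # Strings: everything between 'strings:' and 'condition:'.
    string_list = re.findall('strings:(.*)condition:', single_rule, re.DOTALL)
    if string_list:
        with transaction.commit_on_success():
            for line in string_list[0].split('\n'):
                if '=' not in line:
                    continue
                # "$name = <value> [modifiers]"; split once so an '=' inside
                # the value does not truncate it.
                key, string_data = line.split('=', 1)
                key = key.strip()
                string_data = string_data.strip()

                string_type = None
                string_value = None
                string_nocase = string_wide = string_full = string_ascii = False

                if string_data.startswith('"'):
                    standard_string = re.findall('"(.*)"', line)
                    if standard_string:
                        string_type = 'String'
                        string_value = standard_string[0]
                        # Modifiers follow the closing quote.
                        modifiers = line.split('"')[-1]
                        string_nocase = 'nocase' in modifiers
                        string_wide = 'wide' in modifiers
                        string_full = 'fullword' in modifiers
                        string_ascii = 'ascii' in modifiers
                elif string_data.startswith('{'):
                    # Check for a hex string
                    hex_string = re.findall(r'\{(.*)\}', line)
                    if hex_string:
                        string_type = 'Hex'
                        string_value = hex_string[0]
                elif string_data.startswith('/'):
                    # Check for a regex.
                    # This has an annoying habit of matching comments, hence
                    # the '' / '/' exclusions.  Modifiers on regex strings
                    # are not recorded.
                    reg_string = re.findall('/(.*)/', line)
                    if reg_string and reg_string[0] not in ('', '/'):
                        string_type = 'RegEx'
                        string_value = reg_string[0]

                if string_type is None:
                    # Not a string definition we recognise (comment, blank).
                    continue
                RuleStrings(rule=new_rule,
                            string_type=string_type,
                            string_name=key,
                            string_value=string_value,
                            string_nocase=string_nocase,
                            string_wide=string_wide,
                            string_full=string_full,
                            string_ascii=string_ascii).save()

    # Condition
    Condition(rule=new_rule, condition=condition).save()

    # Store the category if it is not known yet.  A filtered existence
    # query replaces loading every Category row into a list.
    category_name = rule_dict['rule_category']
    if not Category.objects.filter(cat_name=category_name).exists():
        Category(cat_name=category_name).save()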