def test_parse_rule_with_two_metadata():
    """Two separate ``metadata`` keywords must survive parsing as two distinct options."""
    raw = (
        'alert tcp any any -> any any (msg:"Message"; metadata:former_category TROJAN; '
        'sid:1; rev:1; metadata:malware_family Crypton, malware_family Nemesis;)'
    )
    parsed = parse_rule(raw)
    metadata_count = sum(1 for opt in parsed.options if opt.name == "metadata")
    assert metadata_count == 2
def test_add_option_with_index():
    """add_option(name, index=1) inserts between msg and sid; str() and options[] both reflect it."""
    parsed = parse_rule('alert http any any -> any any (msg:"Message";sid:1;)')
    parsed.add_option("http_uri", index=1)
    expected_text = 'alert http any any -> any any (msg:"Message"; http_uri; sid:1;)'
    assert expected_text == str(parsed)
    assert parsed.options[1] == Option("http_uri")
def test_add_option():
    """add_option(name) without an index appends after the last option.

    The input is written without a space after ``;`` while the expected text has
    one, so this also pins that str() re-joins options with ``'; '``.
    """
    parsed = parse_rule('alert http any any -> any any (msg:"Message";sid:1;)')
    parsed.add_option("http_uri")
    expected_text = 'alert http any any -> any any (msg:"Message"; sid:1; http_uri;)'
    assert expected_text == str(parsed)
    assert parsed.options[2] == Option("http_uri")
def test_parse_rule_with_list():
    """A bracketed address list in the header is kept verbatim and the rule stays enabled."""
    parsed = parse_rule(
        'alert http any any -> [1.1.1.1, 1.1.1.2] any (sid:1; rev:1; http_uri;)'
    )
    assert parsed
    assert parsed.action == "alert"
    assert parsed.enabled
    assert parsed.header == "http any any -> [1.1.1.1, 1.1.1.2] any"
def test_change_classtype():
    """Popping ``classtype`` and adding a new one is reflected by the ``classtype`` property."""
    parsed = parse_rule(
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; metadata:k v;)'
    )
    assert 'trojan-activity' == parsed.classtype
    parsed.pop_option("classtype")
    parsed.add_option("classtype", "backdoor")
    assert "backdoor" == parsed.classtype
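def rule_filter(all_lines, mode='released'):
    """Return a copy of ``all_lines`` with every enabled ``protocol-command-decode`` rule commented out.

    Args:
        all_lines: iterable of rule-file lines (one rule, comment or blank line each).
        mode: accepted for interface compatibility; the current logic does not consult it.

    Returns:
        list[str]: the input lines in their original order. A matching, enabled rule
        gets a ``'# '`` prefix; every other line (comments, blanks, text that
        ``parse_rule`` rejects) is passed through unchanged.

    Note: this blanket-disables an entire classtype, which removes detection
    coverage silently; review the affected sids before shipping the filtered set.
    """
    after_filter = []
    for line in all_lines:
        rule = parse_rule(line)
        # parse_rule() returns None for comment lines and non-rule text, and an
        # empty line would have made the old ``line[0]`` test raise IndexError,
        # so guard before touching attributes. Using the parser's own
        # ``enabled`` flag (rather than ``line[0] != '#'``) also avoids
        # commenting out a second time a rule that is already disabled behind
        # leading whitespace.
        if rule and rule.enabled and rule.classtype == 'protocol-command-decode':
            line = '# ' + line
        after_filter.append(line)
    return after_filter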
def test_pop_option():
    """pop_option("pcre") removes exactly the pcre keyword; the rest of the rule text is untouched."""
    pcre_opt = 'pcre:”/NICK .*USA.*[0-9]{3,}/i”; '
    raw = (
        'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick '
        'in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; '
        'content:”NICK “; ' + pcre_opt + 'reference:url,doc.emerging'
        'threats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2; gid:1;)'
    )
    parsed = parse_rule(raw)
    assert parsed
    parsed.pop_option("pcre")
    # msg, flow, flowbits, content, reference, classtype, sid, rev, gid
    assert len(parsed.options) == 9
    # The serialized rule is the input with the pcre option cut out.
    assert str(parsed) == raw.replace(pcre_opt, '')
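def parse_a_rule(line):
    """Parse one rule line into a plain dict, or return None.

    None is returned both when ``parse_rule`` cannot parse the line and when the
    parsed rule is disabled (commented out), so callers only ever see active rules.

    Args:
        line: a single rule-file line.

    Returns:
        dict | None: keys ``sid``, ``gid``, ``rev``, ``action``, ``classtype``,
        ``msg``, ``header``, ``metadata`` and ``options``; the last two are run
        through ``parse_list_value`` first.
    """
    rule = parse_rule(line)
    # Guard clauses replace the nested ifs and the ``== True`` comparison;
    # ``enabled`` is a bool on parsed rules, so truthiness is the idiomatic test.
    if not rule or not rule.enabled:
        return None
    return {
        'sid': rule.sid,
        # NOTE(review): reads the private ``_gid`` attribute; no public ``gid``
        # accessor is visible from here -- confirm against the Rule class.
        'gid': rule._gid,
        'rev': rule.rev,
        'action': rule.action,
        'classtype': rule.classtype,
        'msg': rule.msg,
        'header': rule.header,
        'metadata': parse_list_value(rule.metadata),
        'options': parse_list_value(rule.options),
    }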
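def test_parse_rule():
    r"""Parse a real-world ET rule and check header, identifiers, msg and option count.

    The two lines carrying the pcre options are raw string literals so the rule
    text reaches the parser with its escape sequences (``\/``, ``\.``, ``\s``,
    ``\x3a``, ``\r``) written out literally, as they are in the published rule.
    In an ordinary literal ``\x3a`` would already have been decoded to ``:`` and
    ``\r`` to a carriage return before parsing, and ``\/`` / ``\.`` / ``\s`` are
    invalid escapes that current CPython reports with a SyntaxWarning.
    """
    rule = (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June '
        '19 2012 exe or zip"; flow:established,to_server; content:"setup."; '
        'fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; '
        r'flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?'
        r'setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; '
        'reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; '
        'classtype:trojan-activity; sid: 2014929; rev: 1;)'
    )
    parsed_rule = parse_rule(rule)
    assert parsed_rule.enabled is True
    assert parsed_rule.action == "alert"
    assert parsed_rule.header == "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"
    # ``sid: 2014929`` / ``rev: 1`` carry a space after the colon; both must still parse as ints.
    assert parsed_rule.sid == 2014929
    assert parsed_rule.rev == 1
    assert parsed_rule.msg == 'ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip'
    # msg, flow, content, fast_pattern, http_uri, content, flowbits, flowbits,
    # http_header, pcre, pcre, metadata, reference, classtype, sid, rev
    assert len(parsed_rule.options) == 16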
def test_rule_data_repr():
    """to_dict() exposes enabled/action/header plus one name/value entry per option, in order."""
    parsed = parse_rule(
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; metadata:k v;)'
    )
    expected_options = [
        # the surrounding quotes of msg are part of the reported value
        {"name": "msg", "value": '"Message"'},
        {"name": "classtype", "value": "trojan-activity"},
        # metadata is reported as a list even when there is a single entry
        {"name": "metadata", "value": ["k v"]},
    ]
    expected = {
        "enabled": True,
        "action": "alert",
        "header": "tcp any any -> any any",
        "options": expected_options,
    }
    assert parsed.to_dict() == expected
def test_parse_something():
    """A comment line that holds no rule parses to None rather than raising."""
    assert parse_rule('# This is suricata rule') is None
def test_parse_rule_with_wrong_action():
    """An unknown action keyword ('dig') makes parse_rule return None.

    NOTE(review): this fixture is malformed twice over -- the action is unknown
    *and* the direction operator is '-' instead of '->' -- so the test does not
    isolate action validation; confirm which check actually rejects the input.
    """
    malformed = 'dig tcp any any - any any (sid:1;)'
    assert parse_rule(malformed) is None
def test_parse_rule_with_broken_options():
    """An option list whose last keyword lacks the terminating ';' raises RuleParseException."""
    unterminated = 'alert tcp any any -> any any (sid:1)'
    with pytest.raises(RuleParseException):
        parse_rule(unterminated)
def test_turn_off_rule():
    """``enabled`` is writable: a freshly parsed rule is on and can be switched off."""
    parsed = parse_rule('alert tcp any any -> any any (sid: 1;)')
    assert parsed.enabled
    parsed.enabled = False
    assert not parsed.enabled
def test_parse_commented_and_space_rule():
    """'#', spaces and a second '#' before the action are all stripped from ``raw``; the rule is disabled."""
    commented = '## #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Text";)'
    parsed = parse_rule(commented)
    assert parsed.raw == 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Text";)'
    assert parsed.enabled is False
def test_parse_double_commented_rule():
    """A '## ' prefix disables the rule and is removed from ``raw``."""
    commented = '## alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";)'
    parsed = parse_rule(commented)
    assert parsed.raw == 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";)'
    assert parsed.enabled is False
def test_parse_disabled_rule():
    """A single leading '# ' marks the rule as disabled."""
    disabled = '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";)'
    assert parse_rule(disabled).enabled is False
def test_get_option():
    """get_option(name) returns a list of the matching Option objects (exactly one here)."""
    parsed = parse_rule(
        'alert tcp any any -> any any (msg:"Message"; classtype:trojan-activity; metadata:k v;)'
    )
    expected = [Option("msg", '"Message"')]
    assert parsed.get_option("msg") == expected
def test_parse_rule_with_semicolon_in_msg():
    """A backslash-escaped ';' inside msg does not split the option and is kept as written."""
    parsed = parse_rule('alert tcp any any -> any any (msg:"Message\\;text";)')
    assert 'Message\\;text' == parsed.msg
def test_parse_rule_with_colon_in_options():
    """A ':' inside a quoted value belongs to the value; it is not a second keyword separator."""
    parsed = parse_rule('alert tcp any any -> any any (msg:"Message: text";)')
    assert parsed
    assert 'Message: text' == parsed.msg
def test_parse_rule_with_empty_metadata():
    """A bare ``metadata;`` keyword with no value is rejected with RuleParseException."""
    bare_metadata = 'alert tcp any any -> any any (sid:1; metadata;)'
    with pytest.raises(RuleParseException):
        parse_rule(bare_metadata)
def test_parse_rule_like_string():
    """Free text that merely contains parentheses is not mistaken for a rule."""
    not_rules = (
        "# I am Senate (c)",
        " I am Senate (c)",
        "You (Senate)",
        "#()",
    )
    for text in not_rules:
        assert parse_rule(text) is None
def test_rule_repr():
    """str() of a disabled rule is the rule text with a '# ' prefix."""
    parsed = parse_rule('alert http any any -> any any (sid: 1; http_uri;)')
    parsed.enabled = False
    expected = '# alert http any any -> any any (sid: 1; http_uri;)'
    assert expected == str(parsed)