コード例 #1
0
    def test_clear(self):
        # instantiate parser
        parser = Plyara()

        # open a ruleset with one or more rules
        with data_dir.joinpath('test_ruleset_2_rules.yar').open('r') as fh:
            inputRules = fh.read()

        # parse the rules
        parser.parse_string(inputRules)

        # clear the parser's state
        parser.clear()

        # has lineno been reset
        self.assertEqual(parser.lexer.lineno, 1)

        # open a ruleset with one rule
        with data_dir.joinpath('test_ruleset_1_rule.yar').open('r') as fh:
            inputRules = fh.read()

        # parse the rules
        result = parser.parse_string(inputRules)

        # does the result contain just the rule from the second parse
        self.assertEqual(len(result), 1)
        self.assertEqual(result[0]['rule_name'], 'rule_one')
コード例 #2
0
    def issue_99(self):
        rules = list()
        plyara = Plyara()

        for file in data_dir.glob('issue99*.yar'):
            with open(file, 'r') as fh:
                yararules = plyara.parse_string(fh.read())
                self.assertEqual(len(yararules), 1)
                rules += yararules
            plyara.clear()
        self.assertEqual(len(rules), 2)
コード例 #3
0
ファイル: rule_sync.py プロジェクト: cezhunter/ThreatConnect 
def main():
    parser = Plyara()
    ds = tcex.datastore('organization', DATASTORE_HOME)
    updates_table = id_lookup_table = {}
    # ds.add(rid=DATASTORE_UPDATES_TABLE, data=updates_table)  # uncomment to wipe ds
    # ds.add(rid=DATASTORE_ID_LOOKUP_TABLE, data=id_lookup_table)
    # return
    try:
        updates_table = ds.get(rid=DATASTORE_UPDATES_TABLE)['_source']
    except RuntimeError:
        ds.add(rid=DATASTORE_UPDATES_TABLE, data=updates_table)
    try:
        id_lookup_table = ds.get(rid=DATASTORE_ID_LOOKUP_TABLE)['_source']
    except RuntimeError:
        ds.add(rid=DATASTORE_ID_LOOKUP_TABLE, data=id_lookup_table)
    try:
        mappings = ds.get(rid=DATASTORE_MAPPINGS)['_source']
        if isinstance(mappings, str):
            mappings = json.loads(mappings)
        if 'data' in mappings:
            mappings = mappings['data'] if isinstance(
                mappings['data'], dict) else json.loads(
                    mappings['data']
                )  # probably not necessary but just to be safe
    except RuntimeError as e:
        print(e.args[1])  # tcex log
        return
    r = get_rulesets(limit=40)
    data = next(r)
    while data:
        for ruleset in data:
            modification_date = ruleset['attributes']['modification_date']
            ruleset_name = ruleset['attributes']['name']
            ruleset_id = ruleset['id']
            last_update = updates_table.get(ruleset_id)
            # last_update = False  # uncomment when testing
            if not last_update or modification_date > last_update:
                raw_rules = ruleset['attributes']['rules']
                rules = parser.parse_string(raw_rules)
                create_rules_in_tc(rules, raw_rules.split('\n'), ruleset_name,
                                   id_lookup_table, mappings)
                print('{} Ruleset Processed'.format(ruleset_name))
            updates_table[str(ruleset_id)] = modification_date
            parser.clear()
        data = next(r)
    ds.add(rid=DATASTORE_UPDATES_TABLE, data=updates_table)
    ds.add(rid=DATASTORE_ID_LOOKUP_TABLE, data=id_lookup_table)