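    def test_scratch(self):
        """Round-trip a real ET signature through ``idstools.rule``.

        The rule must survive ``parse`` -> ``str`` unchanged, and the
        header joined with ``rebuild_options()`` must reassemble to the
        exact original text, so that rewriting a rule set through this
        library cannot silently alter a detection signature.
        """
        # Raw string on purpose: the pcre options carry ``\x3a``, ``\r``,
        # ``\/`` and ``\.``. In a normal literal Python translates ``\x3a``
        # to ``:`` and ``\r`` to a carriage return and warns on the invalid
        # escapes, so the parser would be fed a different rule than the one
        # written here.
        rule_string = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)"""
        rule = idstools.rule.parse(rule_string)
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(rule_string, str(rule))

        # Reassemble from the parsed parts; this must reproduce the input
        # byte-for-byte, otherwise a rule written back out would differ
        # from the one that was loaded.
        reassembled = "%s (%s)" % (rule["header"], rule.rebuild_options())
        self.assertEqual(rule_string, reassembled)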
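    def test_scratch(self):
        """Round-trip a real ET signature through ``idstools.rule``.

        The rule must survive ``parse`` -> ``str`` unchanged, and the
        header joined with ``rebuild_options()`` must reassemble to the
        exact original text, so that rewriting a rule set through this
        library cannot silently alter a detection signature.
        """
        # Raw string on purpose: the pcre options carry ``\x3a``, ``\r``,
        # ``\/`` and ``\.``. In a normal literal Python translates ``\x3a``
        # to ``:`` and ``\r`` to a carriage return and warns on the invalid
        # escapes, so the parser would be fed a different rule than the one
        # written here.
        rule_string = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)"""
        rule = idstools.rule.parse(rule_string)
        # assertEquals is a deprecated alias that was removed in Python 3.12.
        self.assertEqual(rule_string, str(rule))

        # Reassemble from the parsed parts; this must reproduce the input
        # byte-for-byte, otherwise a rule written back out would differ
        # from the one that was loaded.
        reassembled = "%s (%s)" % (rule["header"], rule.rebuild_options())
        self.assertEqual(rule_string, reassembled)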