def __init__(self, rule):
self.re_mode = rule.re != r"^.*$" # Search by "re"
self.name = rule.name
try:
self.re = re.compile(rule.re)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" % (rule.re, why))
try:
self.key_re = re.compile(rule.key_re)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" %
(rule.key_re, why))
try:
self.value_re = re.compile(rule.value_re)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" %
(rule.value_re, why))
try:
self.rewrite_from = re.compile(rule.rewrite_from)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" %
(rule.rewrite_from, why))
self.rewrite_to = rule.rewrite_to
def __init__(self, classifier, rule, clone_rule=None):
self.classifier = classifier
self.rule = rule
self.preference = rule.preference
self.name = rule.name
if clone_rule:
self.name += "(Clone %s)" % clone_rule.name
if classifier.dump_clone:
# Dump cloned rule
logging.debug("Rule '%s' cloned by rule '%s'" %
(rule.name, clone_rule.name))
p0 = [(x.key_re, x.value_re) for x in rule.patterns]
p1 = [(y.key_re, y.value_re)
for y in [clone_rule.rewrite(x) for x in rule.patterns]]
logging.debug("%s -> %s" % (p0, p1))
self.event_class = rule.event_class
self.event_class_name = self.event_class.name
self.is_unknown = self.event_class_name.startswith("Unknown | ")
self.is_unknown_syslog = self.event_class_name.startswith(
"Unknown | Syslog")
self.datasources = {} # name -> DS
self.vars = {} # name -> value
self.chain = None
# Parse datasources
for ds in rule.datasources:
self.datasources[ds.name] = eval(
"lambda vars: datasource_registry['%s'](%s)" % (
ds.datasource,
", ".join([
"%s=vars['%s']" % (k, v)
for k, v in six.iteritems(ds.search)
]),
),
{"datasource_registry": datasource_registry},
{},
)
# Parse vars
for v in rule.vars:
value = v["value"]
if value.startswith("="):
value = compile(value[1:], "<string>", "eval")
self.vars[v["name"]] = value
# Parse patterns
c1 = []
c2 = {}
c3 = []
c4 = []
self.rxp = {}
self.fixups = set()
self.profile = r"^.*$"
for x in rule.patterns:
if clone_rule:
# Rewrite, when necessary
x = clone_rule.rewrite(x)
x_key = None
rx_key = None
x_value = None
rx_value = None
# Store profile
if x.key_re in ("profile", "^profile$"):
self.profile = x.value_re
continue
elif x.key_re in ("source", "^source$"):
if x.value_re == "^syslog$":
self.chain = "syslog"
elif x.value_re == "^SNMP Trap$":
self.chain = "snmp_trap"
else:
self.chain = "other"
continue
# Process key pattern
if self.is_exact(x.key_re):
x_key = self.unescape(x.key_re[1:-1])
else:
try:
rx_key = re.compile(self.unhex_re(x.key_re),
re.MULTILINE | re.DOTALL)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" %
(x.key_re, why))
# Process value pattern
if self.is_exact(x.value_re):
x_value = self.unescape(x.value_re[1:-1])
else:
try:
rx_value = re.compile(self.unhex_re(x.value_re),
re.MULTILINE | re.DOTALL)
except Exception as why:
raise InvalidPatternException("Error in '%s': %s" %
(x.value_re, why))
# Save patterns
if x_key:
if x_value:
c1 += ["vars.get('%s') == '%s'" % (x_key, x_value)]
else:
if not (self.chain == "syslog" and x_key == "message"):
c1 += ["'%s' in vars" % x_key]
c2[x_key] = self.get_rx(rx_value)
else:
if x_value:
c3 += [(self.get_rx(rx_key), x_value)]
else:
c4 += [(self.get_rx(rx_key), self.get_rx(rx_value))]
self.to_drop = self.event_class.action == "D"
self.compile(c1, c2, c3, c4)