def test_properties(self):
    """A leading '#' must not disturb parsing of the rule header fields."""
    parsed = rule_parser.Rule('#' + self._rule)
    expected_header = [
        ('action', 'alert'),
        ('src_protocol', 'tcp'),
        ('src_net', '$EXTERNAL_NET'),
        ('src_port', 'any'),
        ('dst_net', '$HOME_NET'),
        ('dst_port', '53'),
    ]
    for attr, want in expected_header:
        self.assertEqual(want, getattr(parsed, attr))
def test_options(self):
    """The option block is parsed into a mapping keyed by option name.

    Option values are kept verbatim, including surrounding quotes and the
    ';'-joined multi-value form used by ``reference``.
    """
    parsed = rule_parser.Rule('#' + self._rule)
    self.assertTrue(parsed.options)
    expected_options = {
        'flow': 'to_server,established',
        'msg': '"GPL DNS EXPLOIT named 8.2->8.2.1"',
        'content': '"../../../"',
        'reference': 'bugtraq,788; cve,1999-0833',
        'sid': '2100258',
        'classtype': 'attempted-admin',
    }
    for key, want in expected_options.items():
        self.assertEqual(want, parsed.options.get(key))
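def fetch_rules(self, *, timeout=60):
    """Download the rule archive and write each member file into ``self._outpath``.

    The archive at ``self._archive_url`` is fetched with ``urllib`` and buffered
    entirely in memory. Every regular-file member is written to
    ``os.path.join(self._outpath, member.name)``; members that are not regular
    files, or whose name would land outside ``self._outpath`` (a ``..``
    component, an absolute path, or any name that does not canonicalise inside
    the output directory), are logged and skipped. Rule lines (as judged by
    ``rule_parser.Rule.is_rule_line``) are rewritten by ``_filtered_rule_text``
    according to ``self._whitelist`` / ``self._blacklist``; all other lines
    pass through unchanged.

    Args:
        timeout: socket timeout in seconds handed to ``urlopen`` so a stalled
            feed cannot hang the caller forever; ``None`` restores the
            previous unbounded behaviour.

    Raises:
        urllib.error.URLError / OSError: download failure, timeout, or an
            unwritable destination.
        tarfile.TarError: the payload is not a readable tar archive.
        UnicodeDecodeError: a member contains bytes that are not UTF-8
            (``bytes.decode`` is called with strict errors).
    """
    logging.info("Fetching rules from '{}'".format(self._archive_url))
    # NOTE(review): the URL scheme is not pinned (file:// or ftp:// would be
    # accepted as readily as https://) and the payload is buffered with no
    # size cap, so a hostile feed could exhaust memory. Acceptable for an
    # operator-supplied feed; tighten both if the URL may be untrusted.
    resp = request.urlopen(self._archive_url, timeout=timeout)
    # Canonical output root for the containment check below.
    out_root = os.path.realpath(self._outpath)
    with io.BytesIO(resp.read()) as raw_archive:
        with tarfile.open(fileobj=raw_archive) as tar:
            logging.info('Downloaded archive containing files:')
            for member in tar.getmembers():
                name = member.name
                # Symlinks, hardlinks, devices and directories are never
                # extracted, which also closes the classic symlink-then-write
                # traversal.
                if not member.isfile():
                    logging.info(
                        "tar member {} is not a file, passing...".format(name))
                    continue
                if ".." in name:
                    logging.error(
                        "tar file member contained a possible malicious file (..): {}".format(
                            name))
                    continue
                if name.startswith("/"):
                    logging.error(
                        "tar file member contained a possible malicious file (/): {}".format(
                            name))
                    continue
                # The two string tests above miss drive-absolute names on
                # Windows and names that route through a symlinked directory
                # already present in the output tree; resolve the destination
                # and require it to stay under out_root.
                dest = os.path.realpath(os.path.join(out_root, name))
                try:
                    contained = os.path.commonpath([out_root, dest]) == out_root
                except ValueError:  # different drives on Windows
                    contained = False
                if not contained:
                    logging.error(
                        "tar file member resolves outside the output directory: {}".format(
                            name))
                    continue
                with open(dest, "w") as f:
                    for raw_line in tar.extractfile(member):
                        line = raw_line.decode()
                        if not rule_parser.Rule.is_rule_line(line):
                            f.write(line)
                            continue
                        rule = rule_parser.Rule(line)
                        f.write(self._filtered_rule_text(rule, line))
    logging.info("Finished writing rules to {}".format(self._outpath))

def _filtered_rule_text(self, rule, line):
    """Return the text to emit for one parsed rule line.

    Whitelist mode (``self._whitelist`` non-empty): a rule is emitted
    uncommented only if some ``(option_key, compiled_pattern)`` pair matches
    one of its options, otherwise it is commented out. Blacklist mode
    (``self._blacklist`` non-empty, whitelist empty): a matching rule is
    commented out, everything else is emitted uncommented. With neither list
    the original ``line`` is returned verbatim.

    Args:
        rule: the parsed ``rule_parser.Rule``.
        line: the raw source line ``rule`` was parsed from.
    """
    # Both branches read rule.options (the public mapping the tests use);
    # the original whitelist branch reached for rule._options instead.
    options = rule.options
    if self._whitelist:
        for whitelist_key, whitelist_pattern in self._whitelist:
            if (whitelist_key in options
                    and whitelist_pattern.match(options[whitelist_key])):
                logging.debug('Whitelist rule {}:{} matched {}'.format(
                    whitelist_key, whitelist_pattern, line))
                return rule.as_uncommented
        logging.debug('No whitelist rule matched {}'.format(line))
        return rule.as_commented
    if self._blacklist:
        for blacklist_key, blacklist_pattern in self._blacklist:
            if (blacklist_key in options
                    and blacklist_pattern.match(options[blacklist_key])):
                logging.debug('Blacklist rule {}:{} matched {}'.format(
                    blacklist_key, blacklist_pattern, line))
                return rule.as_commented
        logging.debug('No blacklist rule matched {}'.format(line))
        return rule.as_uncommented
    return line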
def test_commented(self):
    """A rule prefixed with '#' reports itself as commented out."""
    commented_rule = rule_parser.Rule('#' + self._rule)
    self.assertTrue(commented_rule.commented)
def test_not_commented(self):
    """A rule without a leading '#' is reported as active (not commented)."""
    active_rule = rule_parser.Rule(self._rule)
    self.assertFalse(active_rule.commented)
def test_repr(self):
    """str() of a parsed rule yields a non-empty string."""
    parsed = rule_parser.Rule(self._rule)
    rendered = str(parsed)
    self.assertTrue(rendered)
def test_output_as_commented_or_not(self):
    """as_commented adds a leading '#'; as_uncommented reproduces the input."""
    parsed = rule_parser.Rule(self._rule)
    commented_text = parsed.as_commented
    uncommented_text = parsed.as_uncommented
    self.assertTrue(commented_text.startswith('#'))
    self.assertFalse(uncommented_text.startswith('#'))
    self.assertEqual(uncommented_text, self._rule)