 def test_properties(self):
   """A rule prefixed with '#' still exposes the header fields of the rule."""
   rule = rule_parser.Rule('#' + self._rule)
   header_fields = (
       ('alert', rule.action),
       ('tcp', rule.src_protocol),
       ('$EXTERNAL_NET', rule.src_net),
       ('any', rule.src_port),
       ('$HOME_NET', rule.dst_net),
       ('53', rule.dst_port),
   )
   for want, got in header_fields:
     self.assertEqual(want, got)
 def test_options(self):
   """Rule options are exposed through ``options.get`` keyed by option name."""
   rule = rule_parser.Rule('#' + self._rule)
   self.assertTrue(rule.options)
   wanted = {
       'flow': 'to_server,established',
       'msg': '"GPL DNS EXPLOIT named 8.2->8.2.1"',
       'content': '"../../../"',
       'reference': 'bugtraq,788; cve,1999-0833',
       'sid': '2100258',
       'classtype': 'attempted-admin',
   }
   for option_name, option_value in wanted.items():
     self.assertEqual(option_value, rule.options.get(option_name))
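 def fetch_rules(self):
   """Download the rule archive and write its members under ``self._outpath``.

   The archive at ``self._archive_url`` is fetched over HTTP(S), buffered in
   memory and opened with :mod:`tarfile`.  Only members that are regular files
   and whose destination path stays inside the output directory are written.
   Lines that ``rule_parser.Rule.is_rule_line`` does not recognise as rules are
   copied verbatim.  Rule lines are rewritten according to the filters:

   * ``self._whitelist`` set: a rule is written uncommented when any
     ``(option_key, pattern)`` pair matches, otherwise commented.
   * only ``self._blacklist`` set: a rule is written commented when any pair
     matches, otherwise uncommented.
   * neither set: the line is copied as-is.

   When both lists are set the whitelist takes precedence (same as before).

   Raises:
     urllib.error.URLError: if the archive cannot be downloaded.
     tarfile.TarError: if the downloaded bytes are not a readable archive.
     OSError: if a member cannot be written to the output directory.
   """
   logging.info("Fetching rules from '{}'".format(self._archive_url))
   # Release the HTTP connection as soon as the body has been buffered.
   with request.urlopen(self._archive_url) as resp:
     archive_bytes = resp.read()

   # The archive is fetched from the network and therefore untrusted. The
   # substring/prefix checks below are kept for their log messages; the
   # realpath/commonpath check additionally rejects anything that escapes the
   # output directory through the filesystem (e.g. via a symlinked sub-path).
   outpath_real = os.path.realpath(self._outpath)

   def destination_inside_outpath(dest):
     """Return True if ``dest`` resolves to a path under the output directory."""
     try:
       common = os.path.commonpath([outpath_real, os.path.realpath(dest)])
     except ValueError:
       # Different drives / mixed absolute-relative paths (Windows).
       return False
     return common == outpath_real

   def render_rule_line(rule, line):
     """Return the text to write for a parsed rule line after filtering."""
     if self._whitelist:
       for whitelist_key, whitelist_pattern in self._whitelist:
         # Both lists previously disagreed on ``rule._options`` vs
         # ``rule.options``; the public attribute is used consistently here.
         if (whitelist_key in rule.options and
             whitelist_pattern.match(rule.options[whitelist_key])):
           logging.debug('Whitelist rule {}:{} matched {}'.format(
               whitelist_key, whitelist_pattern, line))
           return rule.as_uncommented
       logging.debug('No whitelist rule matched {}'.format(line))
       return rule.as_commented
     if self._blacklist:
       for blacklist_key, blacklist_pattern in self._blacklist:
         if (blacklist_key in rule.options and
             blacklist_pattern.match(rule.options[blacklist_key])):
           logging.debug('Blacklist rule {}:{} matched {}'.format(
               blacklist_key, blacklist_pattern, line))
           return rule.as_commented
       logging.debug('No blacklist rule matched {}'.format(line))
       return rule.as_uncommented
     return line

   with io.BytesIO(archive_bytes) as raw_archive, \
       tarfile.open(fileobj=raw_archive) as tar:
     logging.info('Downloaded archive containing files:')
     for member in tar.getmembers():
       # Symlinks, directories and device nodes are never written.
       if not member.isfile():
         logging.info(
             "tar member {} is not a file, passing...".format(member.name))
         continue
       if ".." in member.name:
         logging.error(
             "tar file member contained a possible malicious file (..): {}".format(
                 member.name))
         continue
       if member.name.startswith("/"):
         logging.error(
             "tar file member contained a possible malicious file (/): {}".format(
                 member.name))
         continue
       dest = os.path.join(self._outpath, member.name)
       if not destination_inside_outpath(dest):
         logging.error(
             "tar file member resolves outside the output directory: {}".format(
                 member.name))
         continue
       # Members inside sub-directories of the archive previously failed with
       # FileNotFoundError; the (already validated) parent is created instead.
       os.makedirs(os.path.dirname(dest), exist_ok=True)
       # Lines are decoded as UTF-8 (``bytes.decode`` default), so the output
       # is written as UTF-8 too instead of the locale's preferred encoding.
       with tar.extractfile(member) as src, \
           open(dest, "w", encoding="utf-8") as f:
         for raw_line in src:
           line = raw_line.decode()
           if not rule_parser.Rule.is_rule_line(line):
             f.write(line)
             continue
           f.write(render_rule_line(rule_parser.Rule(line), line))
     logging.info("Finished writing rules to {}".format(self._outpath))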
 def test_commented(self):
   """A rule whose text starts with '#' reports ``commented`` as true."""
   commented_rule = rule_parser.Rule('#' + self._rule)
   self.assertTrue(commented_rule.commented)
 def test_not_commented(self):
   """The bare rule text reports ``commented`` as false."""
   plain_rule = rule_parser.Rule(self._rule)
   self.assertFalse(plain_rule.commented)
 def test_repr(self):
   """Converting a rule to ``str`` yields a non-empty string."""
   rule = rule_parser.Rule(self._rule)
   text = str(rule)
   self.assertTrue(text)
 def test_output_as_commented_or_not(self):
   """``as_commented`` adds a leading '#'; ``as_uncommented`` round-trips the rule."""
   rule = rule_parser.Rule(self._rule)
   commented_text = rule.as_commented
   uncommented_text = rule.as_uncommented
   self.assertTrue(commented_text.startswith('#'))
   self.assertFalse(uncommented_text.startswith('#'))
   self.assertEqual(uncommented_text, self._rule)