rules: store the addrs and ports in the rule structure
authorJason Ish <ish@unx.ca>
Mon, 19 Feb 2018 13:58:57 +0000 (07:58 -0600)
committerJason Ish <ish@unx.ca>
Mon, 19 Feb 2018 13:58:57 +0000 (07:58 -0600)
Before they were being parsed but then thrown away.

suricata/update/rule.py
tests/test_rule.py

index c34eadd633d6b825ce61ea172f9c648839f23145..1a1e57c75df73f1239ff8219268f738c3aa8be03 100644 (file)
@@ -212,6 +212,8 @@ def parse(buf, group=None):
 
     header = m.group("header").strip()
 
+    rule = Rule(enabled=enabled, group=group)
+
     # If a decoder rule, the header will be one word.
     if len(header.split(" ")) == 1:
         action = header
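Review bot: The `Rule` object is now created before the header is validated, and `action` is no longer passed to the constructor but assigned as an item only after the `action not in actions` check later in the function. If `Rule.__init__` does anything with `action` beyond storing it (its definition is outside this hunk), `rule["action"] = action` will not reproduce that; if it merely stores it, consider keeping the keyword form, e.g. `rule = Rule(enabled=enabled, action=action, group=group)` after the check, so a rejected header never instantiates a throwaway `Rule`. The body of `parse` continues past the end of this hunk.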
@@ -250,24 +252,24 @@ def parse(buf, group=None):
             if states[state] == "action":
                 action = token
             elif states[state] == "proto":
-                proto = token
+                rule["proto"] = token
             elif states[state] == "source_addr":
-                source_addr = token
+                rule["source_addr"] = token
             elif states[state] == "source_port":
-                source_port = token
+                rule["source_port"] = token
             elif states[state] == "direction":
                 direction = token
             elif states[state] == "dest_addr":
-                dest_addr = token
+                rule["dest_addr"] = token
             elif states[state] == "dest_port":
-                dest_port = token
+                rule["dest_port"] = token
 
             state += 1
 
     if action not in actions:
         return None
 
-    rule = Rule(enabled=enabled, action=action, group=group)
+    rule["action"] = action
     rule["direction"] = direction
     rule["header"] = header
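Review bot: The new `rule["proto"]`, `rule["source_addr"]`, `rule["source_port"]`, `rule["dest_addr"]` and `rule["dest_port"]` assignments only happen on the tokenizer path; for a decoder rule (the one-word header branch at the top of the function) none of these keys is ever set, so a consumer doing `rule["source_addr"]` on such a rule will presumably raise `KeyError` unless `Rule` supplies defaults, which is not visible here. Initialise the five keys to `None` right after `rule` is constructed, or in `Rule`'s own constructor, so every parsed rule has a consistent shape, e.g. `for key in ("proto", "source_addr", "source_port", "dest_addr", "dest_port"): rule[key] = None`. Worth also noting in a comment that these fields are stored as the raw header text (variables such as `$HOME_NET` and bracket groups are not resolved or validated), so callers must not treat them as parsed addresses. `parse` begins and ends outside this hunk.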
 
index e1a351079473b19c557560f1cebf469adc54090b..742b6fcd65fff9827d1dab90a7c21f686a192ddc 100644 (file)
@@ -200,13 +200,17 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
     
         rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] any -> any any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
-        
-        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> any any (msg:"TEST"; sid:1; rev:1;)""")
+        self.assertEqual(rule["source_addr"], "[$HOME_NET, $OTHER_NET]")
+
+        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1, 2, 3] -> any any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["source_port"], "[1, 2, 3]")
 
         rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["dest_addr"], "[!$XNET, $YNET]")
 
-        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] [!2200] (msg:"TEST"; sid:1; rev:1;)""")
+        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] [!2200, 5500] (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["dest_port"], "[!2200, 5500]")
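Review bot: The new assertions only cover the bracketed address and port forms on accepted five-tuple headers; there is no check that `rule["proto"]` is stored (expected `"any"` for these inputs) and no case for a one-word decoder-rule header, which is exactly where the new keys are most likely to be missing. Add `self.assertEqual(rule["proto"], "any")` to one of these cases, and a decoder-rule case asserting whatever value the parser is meant to leave in `rule["source_addr"]` and friends, so the field set is pinned for both header shapes. The test method begins outside this hunk.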