def __init__(self, matcher):
self.matcher = matcher
- def is_noalert(self, rule):
- for option in rule.options:
- if option["name"] == "flowbits" and option["value"] == "noalert":
- return True
- return False
-
def match(self, rule):
- if self.is_noalert(rule):
+ if rule["noalert"]:
return False
return self.matcher.match(rule)
- **references**: References as a list
- **classtype**: The classification type
- **priority**: The rule priority, 0 if not provided
+ - **noalert**: Is the rule a noalert rule
- **raw**: The raw rule as read from the file or buffer
:param enabled: Optional parameter to set the enabled state of the rule
self["references"] = []
self["classtype"] = None
self["priority"] = 0
+ self["noalert"] = False
self["options"] = []
rule[name] += [v.strip() for v in val.split(",")]
elif name == "flowbits":
rule.flowbits.append(val)
+ if val.find("noalert") > -1:
+ rule["noalert"] = True
elif name == "reference":
rule.references.append(val)
elif name == "msg":
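Review bot: The substring test `val.find("noalert") > -1` in the flowbits branch is looser than the `is_noalert` helper this commit removes, which required the option value to equal `noalert` exactly; any flowbit whose name merely contains that text (a constructed example: `flowbits:set,foo.noalert.bar;`) would now mark the rule noalert and the matcher would silently drop it. Compare the value exactly instead, `if val.strip() == "noalert":`, which also matches what the new test_noalert exercises. The enclosing parse function starts and ends outside the hunk.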
rule = suricata.update.rule.parse(rule_string)
self.assertEqual("", rule["msg"])
+ def test_noalert(self):
+ rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)"""
+ rule = suricata.update.rule.parse(rule_string)
+ self.assertFalse(rule["noalert"])
+
+ rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:noalert; sid:10000000; rev:1;)"""
+ rule = suricata.update.rule.parse(rule_string)
+ self.assertTrue(rule["noalert"])
+
def test_add_option(self):
rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)"""
rule = suricata.update.rule.parse(rule_string, "local.rules")