make sure that noalert is set in newly enabled rules
authorKonstantin Klinger <konstantin.klinger@dcso.de>
Fri, 10 May 2019 04:20:39 +0000 (06:20 +0200)
committerKonstantin Klinger <konstantin.klinger@dcso.de>
Fri, 10 May 2019 04:20:39 +0000 (06:20 +0200)
This commit adds functionality that ensures that previously
disabled rules enabled by flowbit dependencies will receive
the noalert option.

suricata/update/main.py
suricata/update/rule.py

index e81646ee9b115a649eff2fe37097de5c0090c137..ea96156654712e2d1c7ed78f44b09d61c65686c6 100644 (file)
@@ -725,6 +725,7 @@ def resolve_flowbits(rulemap, disabled_rules):
                     "Enabling previously disabled rule for flowbits: %s" % (
                         rule.brief()))
             rule.enabled = True
+            rule.noalert = True
             flowbit_enabled.add(rule)
     logger.info("Enabled %d rules for flowbit dependencies." % (
         len(flowbit_enabled)))
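Review bot: The log line above `rule.enabled = True` still says only "Enabling previously disabled rule for flowbits", although the added `rule.noalert = True` means the rule will be enabled in a mode that never alerts; an operator reconciling the log against alert output has no way to see that from this message. I would update it to `"Enabling previously disabled rule (noalert) for flowbits: %s" % (rule.brief())` and mention noalert in the summary line as well. Whether `rule.noalert` is honoured depends on Rule.format() consulting that attribute, which is not visible in this hunk. resolve_flowbits starts before the hunk.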
index 95d81a479b871106fc6b0ce39b66ec27dcd20282..25e3b0a841d5c2b8f583d16b55311097161fb7eb 100644 (file)
@@ -146,6 +146,8 @@ class Rule(dict):
         return self.format()
 
     def format(self):
+        if self.noalert and not "noalert;" in self.raw:
+            self.raw = re.sub(r'( *sid\: *[0-9]+\;)', r' noalert;\1', self.raw)
         return u"%s%s" % (u"" if self.enabled else u"# ", self.raw)
 
 def find_opt_end(options):
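Review bot: The `re.sub` in format() searches the whole raw rule for ` sid:NNN;`, so a rule whose `content:` or `pcre:` payload happens to contain that text would get `noalert;` spliced into a quoted string and become a broken rule; likewise the `"noalert;" in self.raw` guard is a substring test, not an option check. Limiting the substitution with `count=1` and, better, locating the sid option via the existing option parser (find_opt_end is defined right below) rather than a bare regex would avoid corrupting rules. format() also now rewrites `self.raw` as a side effect, so the first call changes what later readers of `raw` see; computing the string into a local and returning it keeps the formatter pure. A rule with no `sid` option silently gets no `noalert;`, which is worth at least a log line since the rule would then alert despite the flag. Minor style: `"noalert;" not in self.raw` instead of `not "noalert;" in self.raw`.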