rule: recognise more noalert cases
authorKonstantin Klinger <konstantin.klinger@dcso.de>
Fri, 10 May 2019 04:22:26 +0000 (06:22 +0200)
committerKonstantin Klinger <konstantin.klinger@dcso.de>
Fri, 10 May 2019 04:22:26 +0000 (06:22 +0200)
This commit ensures that rules tagged only with the standalone "noalert;" option
(and not with "flowbits:noalert;") also get the rule.noalert
value set to true.

suricata/update/rule.py
tests/test_rule.py

index 25e3b0a841d5c2b8f583d16b55311097161fb7eb..781d8d8d5125f3683f48a9853b6d255bb5582853 100644 (file)
@@ -272,6 +272,8 @@ def parse(buf, group=None):
             rule.flowbits.append(val)
             if val and val.find("noalert") > -1:
                 rule["noalert"] = True
+        elif name == "noalert":
+            rule["noalert"] = True
         elif name == "reference":
             rule.references.append(val)
         elif name == "msg":
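Review bot: The new `elif name == "noalert":` branch is an exact match on the keyword name, so it relies on `name` having been stripped and lower-cased earlier in parse(), which starts outside this hunk; that is worth confirming, since a rule written as `NoAlert;` or with stray whitespace would otherwise keep the default and be treated as alerting. The neighbouring flowbits path uses a substring test (`val.find("noalert") > -1`) while the new branch is strict, so the two recognisers differ in leniency; if that is intentional, a short comment would save the next reader a question, e.g. `# standalone "noalert;" keyword (takes no value), separate from flowbits:noalert`. The branch only sets the flag and never clears it, which matches the flowbits branch above, so callers presumably rely on a falsy default set elsewhere in parse().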
index 3c788032a7e3e0d8b4045ee2bea8791754a4828d..900b71d9528bea50ab9c14315e6144f5260d93f9 100644 (file)
@@ -120,6 +120,10 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
         rule = suricata.update.rule.parse(rule_string)
         self.assertTrue(rule["noalert"])
 
+        rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; noalert; sid:10000000; rev:1;)"""
+        rule = suricata.update.rule.parse(rule_string)
+        self.assertTrue(rule["noalert"])
+
     def test_parse_message_with_semicolon(self):
         rule_string = u"""alert ip any any -> any any (msg:"TEST RULE\; and some"; content:"uid=0|28|root|29|"; tag:session,5,packets; classtype:bad-unknown; sid:10000000; rev:1;)"""
         rule = suricata.update.rule.parse(rule_string)
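Review bot: The added case asserts only the positive path for the bare `noalert;` keyword; a companion assertion that a rule carrying neither `noalert;` nor `flowbits:noalert;` leaves the flag unset would pin the default and catch an accidental over-match in the parser, e.g. `self.assertFalse(rule["noalert"])` (or `assertNotIn`, depending on how parse() initialises the key, which is not visible here). The enclosing test method begins outside this hunk, so the earlier flowbits cases it covers are not shown. A case with the keyword in a different case (`NoAlert;`) would also document whether the parser normalises option names before the comparison.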