parts = entry.split(":")
if not parts:
return None
+
+ # The first part musth parse as a number, if not, its
+ # not a signature ID expression.
+ try:
+ int(parts[0])
+ except:
+ return None
+
if len(parts) == 1:
try:
signatureId = int(parts[0])
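Review bot: The new guard around `int(parts[0])` uses a bare `except:`, which also catches `KeyboardInterrupt` and `SystemExit`; `int()` on a string produced by `split` raises only `ValueError`, so `except ValueError:` is enough. With the guard in place, the `if not parts:` check above it can never fire (`str.split` always returns at least one element), and the `try` in the `len(parts) == 1` branch re-parses a value already known to be numeric. `int()` also accepts forms such as `+1`, ` 1 ` and `1_000`, so if only plain decimal IDs should count as a signature ID expression, `if not parts[0].isdecimal(): return None` is stricter. The added comment has two typos (`musth`, `its`). The enclosing function starts and ends outside the hunk.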
except:
return None
+ # If no valid signature IDs were parsed, return None
+ if not matcher.signatureIds:
+ return None
+
return matcher
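Review bot: The `if not matcher.signatureIds: return None` guard does not say which input reaches it, and the visible parsing code suggests none does, since each failed `int()` conversion already returns `None`. If it covers a real case, name it in the comment, for example `# e.g. "<input>" splits into entries but yields no IDs`, and add a test for that input. These matchers appear to decide which rules an enable or disable filter touches, so an expression that silently falls through to `None` is worth pinning down with a test. The function body starts outside the hunk, so the appending code is not visible here.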
metadata_filter = matchers_mod.MetadataRuleMatch.parse(filter_string)
self.assertIsNotNone(metadata_filter)
self.assertTrue(metadata_filter.match(rule))
+
+class ReRuleMatcherTestCase(unittest.TestCase):
+
+ def test_parse_enable_conf_expression(self):
+ """Test regular expression matcher with multiple ':'.
+ Ticket: https://redmine.openinfosecfoundation.org/issues/7922
+ """
+ expression = r're:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$'
+ matcher = matchers_mod.parse_rule_match(expression)
+ self.assertEqual(matcher.__class__, matchers_mod.ReRuleMatcher)
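Review bot: The new test checks only which matcher class `parse_rule_match` returns, so it would still pass if the expression were truncated at a `:` before being compiled. Adding a behavioural assertion in the style of the test above it, such as `self.assertTrue(matcher.match(rule))` for a rule that should match and `assertFalse` for one carrying an excluded sid, would pin down that the whole pattern survives parsing. `self.assertIsInstance(matcher, matchers_mod.ReRuleMatcher)` is also the more idiomatic form of the class check. The test method may continue past the end of this view.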