From: Jason Ish
Date: Mon, 19 Feb 2018 13:58:57 +0000 (-0600)
Subject: rules: store the addrs and ports in the rule structure
X-Git-Tag: 1.0.0rc1~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=945c8c1fffc1d5e804fa5c047b15594072e33fa9;p=thirdparty%2Fsuricata-update.git

rules: store the addrs and ports in the rule structure

Before they were being parsed but then thrown away.
---

diff --git a/suricata/update/rule.py b/suricata/update/rule.py
index c34eadd..1a1e57c 100644
--- a/suricata/update/rule.py
+++ b/suricata/update/rule.py
@@ -212,6 +212,8 @@ def parse(buf, group=None):
 
     header = m.group("header").strip()
 
+    rule = Rule(enabled=enabled, group=group)
+
     # If a decoder rule, the header will be one word.
     if len(header.split(" ")) == 1:
         action = header
@@ -250,24 +252,24 @@ def parse(buf, group=None):
             if states[state] == "action":
                 action = token
             elif states[state] == "proto":
-                proto = token
+                rule["proto"] = token
             elif states[state] == "source_addr":
-                source_addr = token
+                rule["source_addr"] = token
             elif states[state] == "source_port":
-                source_port = token
+                rule["source_port"] = token
             elif states[state] == "direction":
                 direction = token
             elif states[state] == "dest_addr":
-                dest_addr = token
+                rule["dest_addr"] = token
             elif states[state] == "dest_port":
-                dest_port = token
+                rule["dest_port"] = token
             state += 1
 
     if action not in actions:
         return None
 
-    rule = Rule(enabled=enabled, action=action, group=group)
+    rule["action"] = action
     rule["direction"] = direction
     rule["header"] = header
 
diff --git a/tests/test_rule.py b/tests/test_rule.py
index e1a3510..742b6fc 100644
--- a/tests/test_rule.py
+++ b/tests/test_rule.py
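Review bot: The Rule is now built before the header is classified, but the new `proto`, `source_addr`, `source_port`, `dest_addr` and `dest_port` keys are only assigned inside the multi-token branch (second hunk), so a decoder rule — the one-word header handled right after the added line — comes back as a Rule that never receives them. Unless `Rule.__init__` (not in this diff) initializes those keys, any consumer doing `rule["source_addr"]` on such a rule will hit a KeyError on otherwise valid ruleset input. Either default them in the constructor or set them here, e.g. after `action = header` add `for key in ("proto", "source_addr", "source_port", "dest_addr", "dest_port"): rule[key] = None`. A short comment on the new line would also help: `# Rule is created before the header is validated; header fields are filled in below.` parse() continues outside this hunk.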
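Review bot: The `elif` ladder now repeats each state name once as a string compare and once as a dict key, which is the kind of duplication that drifts when a field is renamed; only `action` and `direction` need special handling (the former because it is validated against `actions` before being stored). Collapsing the rest to a single `rule[states[state]] = token` keeps the two lists in lockstep, and a comment should note that the stored values are the raw header tokens — brackets and inner whitespace included, as the tests pin with `"[1, 2, 3]"` — so downstream code must normalize before comparing addresses or ports. The surrounding `for` loop and the rest of parse() lie outside this hunk.
```python
            name = states[state]
            if name == "action":
                action = token
            elif name == "direction":
                direction = token
            else:
                # State names double as Rule keys (proto, source_addr,
                # source_port, dest_addr, dest_port). Tokens are stored
                # verbatim: no bracket stripping or whitespace normalization.
                rule[name] = token
            state += 1
    # … unchanged: action validation, rule["action"]/["direction"]/["header"] …
```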
@@ -200,13 +200,17 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
         rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] any -> any any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
-
-        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> any any (msg:"TEST"; sid:1; rev:1;)""")
+        self.assertEqual(rule["source_addr"], "[$HOME_NET, $OTHER_NET]")
+
+        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1, 2, 3] -> any any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["source_port"], "[1, 2, 3]")
 
         rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] any (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["dest_addr"], "[!$XNET, $YNET]")
 
-        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] [!2200] (msg:"TEST"; sid:1; rev:1;)""")
+        rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] [!2200, 5500] (msg:"TEST"; sid:1; rev:1;)""")
         self.assertIsNotNone(rule)
+        self.assertEqual(rule["dest_port"], "[!2200, 5500]")