From: Jason Ish Date: Thu, 31 Jan 2019 04:32:55 +0000 (-0600) Subject: rule: set noalert field to True of noalert flowbit set X-Git-Tag: 1.1.0rc1~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b146f0d6d4df16e22e31e633135f1c99278af3e3;p=thirdparty%2Fsuricata-update.git rule: set noalert field to True of noalert flowbit set This is done to check if a rule is noalert instead of iterating through the options as the options list is being removed.
---
diff --git a/suricata/update/main.py b/suricata/update/main.py
index e048c67..db55b42 100644
--- a/suricata/update/main.py
+++ b/suricata/update/main.py
@@ -286,14 +286,8 @@ class DropRuleFilter(object):
 def __init__(self, matcher):
 self.matcher = matcher
- def is_noalert(self, rule):
- for option in rule.options:
- if option["name"] == "flowbits" and option["value"] == "noalert":
- return True
- return False
-
 def match(self, rule):
- if self.is_noalert(rule):
+ if rule["noalert"]:
 return False
 return self.matcher.match(rule)
diff --git a/suricata/update/rule.py b/suricata/update/rule.py
index 8474b68..4307c6c 100644
--- a/suricata/update/rule.py
+++ b/suricata/update/rule.py
@@ -75,6 +75,7 @@ class Rule(dict):
 - **references**: References as a list
 - **classtype**: The classification type
 - **priority**: The rule priority, 0 if not provided
+ - **noalert**: Is the rule a noalert rule
 - **raw**: The raw rule as read from the file or buffer
 :param enabled: Optional parameter to set the enabled state of the rule
@@ -103,6 +104,7 @@ class Rule(dict):
 self["references"] = []
 self["classtype"] = None
 self["priority"] = 0
+ self["noalert"] = False
 self["options"] = []
@@ -307,6 +309,8 @@ def parse(buf, group=None):
 rule[name] += [v.strip() for v in val.split(",")]
 elif name == "flowbits":
 rule.flowbits.append(val)
+ if val.find("noalert") > -1:
+ rule["noalert"] = True
 elif name == "reference":
 rule.references.append(val)
 elif name == "msg":
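Review bot: `if rule["noalert"]:` in match() raises KeyError for any mapping that did not pass through Rule.__init__ (the deleted is_noalert() only needed an `options` attribute on the object), so `if rule.get("noalert", False):` keeps the guard total if match() can ever receive such objects — whether it can is not visible from this hunk. Removing is_noalert() also drops a public method of DropRuleFilter, which silently breaks any outside caller; a one-line compatibility wrapper `def is_noalert(self, rule): return bool(rule.get("noalert", False))` would keep the interface while still using the new field. The class header sits in the hunk's context line and the rest of the class lies outside the hunk.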
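Review bot: `if val.find("noalert") > -1:` in parse() flags a rule as noalert whenever the flowbits value merely contains that substring, so a rule carrying a flowbit whose name happens to include the word (a constructed example: `flowbits:set,noalert_seen;`) is marked too, and DropRuleFilter.match() in main.py then declines to convert it to drop, quietly weakening the intended policy. In Suricata's flowbits syntax `noalert` is a standalone command rather than a bit name, so comparing the whole value is the safer test: `if val.strip() == "noalert":`. test_noalert in tests/test_rule.py would then benefit from a third case asserting that a rule with such a named flowbit still has `rule["noalert"]` False. Note also that the flag is computed only here at parse time; if a rule's flowbits are changed later through other Rule methods, the stored value presumably goes stale — worth a comment above the assignment. parse() starts and continues outside the hunk.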
diff --git a/tests/test_rule.py b/tests/test_rule.py
index affe2cd..bc59f9d 100644
--- a/tests/test_rule.py
+++ b/tests/test_rule.py
@@ -111,6 +111,15 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
 rule = suricata.update.rule.parse(rule_string)
 self.assertEqual("", rule["msg"])
+ def test_noalert(self):
+ rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)"""
+ rule = suricata.update.rule.parse(rule_string)
+ self.assertFalse(rule["noalert"])
+
+ rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:noalert; sid:10000000; rev:1;)"""
+ rule = suricata.update.rule.parse(rule_string)
+ self.assertTrue(rule["noalert"])
+
 def test_add_option(self):
 rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)"""
 rule = suricata.update.rule.parse(rule_string, "local.rules")