From: Konstantin Klinger
Date: Fri, 10 May 2019 04:20:39 +0000 (+0200)
Subject: make sure that noalert is set in newly enabled rules
X-Git-Tag: 1.1.0rc1~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc35a558f6a0bfcf5d2553891296fca4cec1ac41;p=thirdparty%2Fsuricata-update.git

make sure that noalert is set in newly enabled rules

This commit adds functionality that ensures that previously disabled rules enabled by flowbit dependencies will receive the noalert option.
---
diff --git a/suricata/update/main.py b/suricata/update/main.py
index e81646e..ea96156 100644
--- a/suricata/update/main.py
+++ b/suricata/update/main.py
@@ -725,6 +725,7 @@ def resolve_flowbits(rulemap, disabled_rules):
 "Enabling previously disabled rule for flowbits: %s" % (
 rule.brief()))
 rule.enabled = True
+ rule.noalert = True
 flowbit_enabled.add(rule)
 logger.info("Enabled %d rules for flowbit dependencies." % (
 len(flowbit_enabled)))
diff --git a/suricata/update/rule.py b/suricata/update/rule.py
index 95d81a4..25e3b0a 100644
--- a/suricata/update/rule.py
+++ b/suricata/update/rule.py
@@ -146,6 +146,8 @@ class Rule(dict):
 return self.format()
 
 def format(self):
+ if self.noalert and not "noalert;" in self.raw:
+ self.raw = re.sub(r'( *sid\: *[0-9]+\;)', r' noalert;\1', self.raw)
 return u"%s%s" % (u"" if self.enabled else u"# ", self.raw)
 
 def find_opt_end(options):
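Review bot: The log line two lines above the added `rule.noalert = True` still says only "Enabling previously disabled rule for flowbits", so an operator reading the log is not told that the rule is being enabled in a silenced form and will never raise an alert of its own; I would change it to `"Enabling previously disabled rule for flowbits (noalert): %s"` so the suppression is visible where the decision is made. Setting the attribute here also relies on `Rule` (a dict subclass, per the second file) mapping attribute assignment onto its keys and on every output path going through `Rule.format()`, neither of which is visible in this hunk, so both are worth confirming. `resolve_flowbits` starts outside the hunk.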
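Review bot: The `re.sub` on the second added line of `format()` is best-effort and silent: it rewrites every `sid:` match rather than the rule's single sid option (a `sid:` inside a `msg` or `content` string would be rewritten too), and when nothing matches `self.raw` comes back unchanged, so a rule flagged `noalert` is emitted enabled and alerting with no warning. Passing `count=1` bounds the first problem — `self.raw = re.sub(r'( *sid\: *[0-9]+\;)', r' noalert;\1', self.raw, count=1)` — and using `re.subn` (or comparing before/after) and logging when no substitution happened would surface the second; inserting at a parsed option boundary would be more robust than a regex over raw text, and the file has an option scanner (`find_opt_end`, visible just below) that may fit, though its contract is not shown here. The guard `"noalert;" in self.raw` is a plain substring test that also accepts `flowbits:noalert;`, which is an equivalent spelling of the suppression so that is fine, but it should read `"noalert;" not in self.raw` (PEP 8); mutating `self.raw` from inside a formatter also means the first `str()`/`format()` call changes state seen by any other reader of `rule.raw`, so computing into a local and returning it would keep the method pure. The hunk does not show rule.py's imports, so `re` being in scope cannot be confirmed from here.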