From: Konstantin Klinger
Date: Fri, 10 May 2019 04:22:26 +0000 (+0200)
Subject: rule: recognise more noalert cases
X-Git-Tag: 1.1.0rc1~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f74544370b7a405f1caa5560d186323aa3d608c6;p=thirdparty%2Fsuricata-update.git

rule: recognise more noalert cases

This commit ensures that rules only tagged with "noalert;" option and not only with "flowbits:noalert;" will get the rule.noalert value set to true.
---

diff --git a/suricata/update/rule.py b/suricata/update/rule.py
index 25e3b0a..781d8d8 100644
--- a/suricata/update/rule.py
+++ b/suricata/update/rule.py
@@ -272,6 +272,8 @@ def parse(buf, group=None):
 rule.flowbits.append(val)
 if val and val.find("noalert") > -1:
 rule["noalert"] = True
+ elif name == "noalert":
+ rule["noalert"] = True
 elif name == "reference":
 rule.references.append(val)
 elif name == "msg":
diff --git a/tests/test_rule.py b/tests/test_rule.py
index 3c78803..900b71d 100644
--- a/tests/test_rule.py
+++ b/tests/test_rule.py
@@ -120,6 +120,10 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
 rule = suricata.update.rule.parse(rule_string)
 self.assertTrue(rule["noalert"])
+ rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; noalert; sid:10000000; rev:1;)"""
+ rule = suricata.update.rule.parse(rule_string)
+ self.assertTrue(rule["noalert"])
+
 def test_parse_message_with_semicolon(self):
 rule_string = u"""alert ip any any -> any any (msg:"TEST RULE\; and some"; content:"uid=0|28|root|29|"; tag:session,5,packets; classtype:bad-unknown; sid:10000000; rev:1;)"""
 rule = suricata.update.rule.parse(rule_string)
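Review bot: The new `elif name == "noalert":` branch in parse() is an exact match on the bare keyword while the flowbits branch just above it uses a substring test (`val.find("noalert") > -1`), so the two forms of the same flag are detected with different strictness and nothing on the line says why; a short comment such as `# bare "noalert;" keyword (no value), distinct from flowbits:noalert handled above` would make the intent explicit. How `name` is split from the option string is not visible in the hunk, so whether trailing whitespace or case could defeat the exact comparison cannot be judged here; parse() begins and ends outside the hunk. The added assertion in tests/test_rule.py covers only the positive case; a rule carrying neither form, asserted to leave `rule["noalert"]` unset or false, would pin the default the consumers of this flag presumably rely on, if the parser initialises it (not shown in the diff).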