Jason Ish [Wed, 8 Apr 2020 17:38:17 +0000 (11:38 -0600)]
modify filters: better error on badly formatted filter
Instead of exiting with an uncaught exception on a badly formatted
modify filter, convert the exception to an ApplicationError that
will be logged, along with the line that is badly formatted.
Vagisha Gupta [Thu, 17 Oct 2019 06:46:50 +0000 (12:16 +0530)]
Separate out matchers
Currently, all the code for matchers happens to be in main.py
which makes it quite cluttered. A separate `matchers.py` module
is created which contains all the code for matching rules and
is integrated with main.py. Also the modules `test_main.py` and
`test_matchers.py` are modified accordingly.
Currently, a lot of names of a module are imported from a package by
writing multiple import statements in main.py. Instead, Python's
standard grouping mechanism (parentheses) is used to write the import
statement to make them compact.
Vagisha Gupta [Fri, 15 Mar 2019 12:57:46 +0000 (18:27 +0530)]
Cleanup unused import and use isinstance() instead of type()
Optimization Cleanup main imports
`import types` is an unused import in main.py, therefore, removed.
Also, using `isinstance()` is the preferred way to access the type.
The isinstance() function checks if the object (first argument)
is an instance or subclass of classinfo class (second argument).
Here object is the 'url' to be checked and classinfo is a string
type.
Shivani Bhardwaj [Mon, 25 Feb 2019 10:29:54 +0000 (15:59 +0530)]
Fix failure in case of missing index.yaml, cleanup
If the index.yaml was not present in the data directory, the update-sources
command would fail with an IOError. Fix this by handling this case. Now,
if sources are updated on a new data directory, there is an info message
"Adding all sources in the log".
Modularize the current structure to make it more readable and perform
one thing per function. Sort the imports and clean them.
`suricata-update` when used with its option `update-sources` did not
give any information about what changed and in which source. Add the
logs for any change in the sources, namely, addition, removal or change
in the content.
The log output now looks like:
```
$ ./bin/suricata-update update-sources
31/10/2018 -- 00:03:52 - <Info> -- Loading /etc/suricata/update.yaml
31/10/2018 -- 00:03:52 - <Info> -- Using data-directory /var/lib/suricata.
31/10/2018 -- 00:03:52 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
31/10/2018 -- 00:03:52 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
31/10/2018 -- 00:03:52 - <Info> -- Found Suricata version 4.1.0-dev at /usr/sbin/suricata.
31/10/2018 -- 00:03:52 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
31/10/2018 -- 00:03:53 - <Info> -- Source et/open was added
31/10/2018 -- 00:03:53 - <Info> -- Source empty/something was removed
31/10/2018 -- 00:03:53 - <Info> -- Source et/pro was changed
31/10/2018 -- 00:03:53 - <Info> -- Saved /var/lib/suricata/update/cache/index.yaml
```
Jason Ish [Fri, 11 Oct 2019 16:52:27 +0000 (10:52 -0600)]
Copy environment before modify when running Suricata.
Related issue:
https://redmine.openinfosecfoundation.org/issues/2669
LD_LIBRARY_PATH wasn't being passed through to the environment
used to run Suricata. Fix this by copying the parent
environment, then adding the vars that we need, instead of
using a clean environment.
Jason Ish [Wed, 2 Oct 2019 20:43:12 +0000 (14:43 -0600)]
Disable ja3_hash rules if Suricata not configured for ja3.
Disable rules using ja3 keywords if Suricata is not configured
for ja3, or does not support ja3.
Rules using ja3 keywords will fail to load if Suricata is not
built with NSS, or ja3 fingerprints are disabled.
Take into account the Suricata version as well, as not defining
the ja3_fingerprint configuration field in 5.0+ will leave it
enabled, but in older versions, it will remain disabled if
not defined.
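The version-dependent decision described in this commit message, written out as an added example rather than suricata-update's own code: the rules and the boolean config value are constructed here, and the exact suricata.yaml key path is deliberately not modelled, only whether the option is present. The helper also commented-out rules carrying a ja3 keyword while ignoring the same text inside quoted strings, so a `content:"ja3_hash"` match does not get a rule disabled by mistake.

```python
"""Added example (not suricata-update's own code): work out whether ja3 rules
can be loaded for a given Suricata version and configuration, and comment out
the ones that cannot.  The rule samples are constructed for this example."""
import re

# Constructed sample rules. ja3.hash / ja3.string and their older spellings
# ja3_hash / ja3_string are the keywords that fail to load without ja3 support.
SAMPLE_RULES = [
    'alert tls any any -> any any (msg:"plain tls rule"; sid:1000001; rev:1;)',
    'alert tls any any -> any any (msg:"ja3 hash match"; ja3.hash; content:"abcdef"; sid:1000002; rev:1;)',
    'alert tls any any -> any any (msg:"ja3 string match"; ja3_string; content:"771,"; sid:1000003; rev:1;)',
    'alert tls any any -> any any (msg:"mentions ja3_hash in text only"; content:"ja3_hash"; sid:1000004; rev:1;)',
]

JA3_KEYWORDS = re.compile(r"\bja3(?:\.hash|\.string|_hash|_string)\b")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def parse_version(version):
    """Turn '4.1.0-dev' or '5.0.0' into a comparable (major, minor) tuple."""
    match = re.match(r"(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError("unrecognised Suricata version: %r" % version)
    return int(match.group(1)), int(match.group(2))


def ja3_enabled(version, built_with_ja3, ja3_setting):
    """Decide whether Suricata will accept ja3 rules.

    built_with_ja3: whether the build has ja3 support (needs NSS).
    ja3_setting:    the ja3 fingerprint option from suricata.yaml as a bool,
                    or None when the option is absent.  The exact key path
                    is not modelled here (assumption); only presence matters.
    """
    if not built_with_ja3:
        return False
    if ja3_setting is None:
        # Absent option: enabled by default from 5.0 on, disabled before that.
        return parse_version(version) >= (5, 0)
    return bool(ja3_setting)


def uses_ja3(rule):
    """True if the rule carries a ja3 keyword outside of quoted strings."""
    return JA3_KEYWORDS.search(QUOTED.sub('""', rule)) is not None


def disable_ja3_rules(rules, enabled):
    """Return (kept, disabled): ja3 rules are commented out when ja3 is off."""
    kept, disabled = [], []
    for rule in rules:
        if not enabled and not rule.startswith("#") and uses_ja3(rule):
            disabled.append("# " + rule)
        else:
            kept.append(rule)
    return kept, disabled


if __name__ == "__main__":
    enabled = ja3_enabled("4.1.0-dev", True, None)
    kept, disabled = disable_ja3_rules(SAMPLE_RULES, enabled)
    print("ja3 enabled: %s, kept %d, disabled %d" % (enabled, len(kept), len(disabled)))
```

Running it with a 4.1.0-dev version and no ja3 option disables the two ja3 rules and keeps the other two; the same call with "5.0.0" keeps all four, which is the behaviour difference the commit message describes.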
Added a `--no-checksum` option to the add-source command and an optional
"checksum" in the SourceConfiguration class for add-sources and
enabled-sources.
Also, a check is added to skip downloading the checksum URL if the
source is configured with checksum false.
Vagisha Gupta [Mon, 10 Jun 2019 19:33:09 +0000 (01:03 +0530)]
Redo variable and function names reserved for Python
Changed the conflicting variable name `filter` and function name
`filter()` that suricata-update uses accordingly, as `filter` is reserved
for use in Python standard modules.
Vagisha Gupta [Mon, 5 Aug 2019 09:05:55 +0000 (14:35 +0530)]
Separate log messages to stderr and stdout
Currently, all the messages in suricata-update are logged to stderr.
Changes are made to split between log messages where regular
output (INFO, DEBUG) goes to stdout whereas ERROR, WARNING and
CRITICAL messages go to stderr.
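The split this commit message describes, as an added example using the standard `logging` module (not suricata-update's own logging setup): a stdout handler with a ceiling filter takes DEBUG and INFO, a stderr handler with a floor level takes WARNING and above. `route_demo()` writes into in-memory streams so the routing can be checked without a terminal; the logger name and format are assumptions.

```python
"""Added example (not suricata-update's own code): route DEBUG/INFO records to
stdout and WARNING/ERROR/CRITICAL records to stderr with the logging module."""
import io
import logging
import sys


class MaxLevelFilter(logging.Filter):
    """Let through only records at or below `level`, so the stdout handler
    never sees WARNING and above."""

    def __init__(self, level):
        super().__init__()
        self.level = level

    def filter(self, record):
        return record.levelno <= self.level


def configure_logging(stdout=sys.stdout, stderr=sys.stderr, level=logging.INFO):
    """Attach a stdout handler (<= INFO) and a stderr handler (>= WARNING)."""
    logger = logging.getLogger("suricata-update-example")  # assumed name
    logger.setLevel(level)
    logger.propagate = False
    for handler in list(logger.handlers):  # make repeated calls idempotent
        logger.removeHandler(handler)
    fmt = logging.Formatter("%(asctime)s - <%(levelname)s> -- %(message)s",
                            "%d/%m/%Y -- %H:%M:%S")
    out = logging.StreamHandler(stdout)
    out.setLevel(logging.DEBUG)
    out.addFilter(MaxLevelFilter(logging.INFO))
    out.setFormatter(fmt)
    err = logging.StreamHandler(stderr)
    err.setLevel(logging.WARNING)
    err.setFormatter(fmt)
    logger.addHandler(out)
    logger.addHandler(err)
    return logger


def route_demo():
    """Emit one record per level into in-memory streams and return
    (stdout_text, stderr_text) so the split can be checked without a TTY."""
    out, err = io.StringIO(), io.StringIO()
    logger = configure_logging(out, err, level=logging.DEBUG)
    logger.debug("debug line")
    logger.info("info line")
    logger.warning("warning line")
    logger.error("error line")
    logger.critical("critical line")
    return out.getvalue(), err.getvalue()


if __name__ == "__main__":
    out, err = route_demo()
    sys.stdout.write(out)
    sys.stderr.write(err)
```

The ceiling filter is the part people usually forget: without it, a stdout handler at DEBUG level also prints every WARNING and ERROR, so those lines appear on both streams.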
Vagisha Gupta [Tue, 28 May 2019 07:20:29 +0000 (12:50 +0530)]
Improve permission warning
Improve permission warning when Suricata-update runs with the wrong user
When suricata-update runs as a non-root user, it gives an ugly traceback.
To avoid those ugly tracebacks, a try-except block is put around the operations
that are being performed on the file, i.e. shutil.copyfile(src, dest), and
exit cleanly with an error in the log.
Also, to avoid ugly tracebacks for the permissions of suricata.yaml, a try-except
block is put around where it is accessed, and exit cleanly.
Vrinda Narayan [Thu, 28 Mar 2019 12:02:48 +0000 (17:32 +0530)]
Fix TypeError: Failure with missing rule params
Bug #2867: Failure with missing rule params
If sometimes a rule is not parsed correctly and sid or gid are of
NoneType, the program shows a TypeError. While parsing the rule, the sid
can be checked to make sure that sid is not of type None, and if it is,
raise a BadSidError and log it; the rule is not added to the list of
final rules.
Vrinda Narayan [Wed, 13 Mar 2019 09:53:43 +0000 (15:23 +0530)]
Catch Keyboard Interrupt and exit cleanly.
Optimization #2878 https://redmine.openinfosecfoundation.org/issues/2878
Can be done by importing python library signal, and defining a function
signal_handler which will print a message if keyboard interrupt is
detected and exit the program.
Vagisha Gupta [Mon, 3 Jun 2019 08:53:24 +0000 (14:23 +0530)]
Log a warning on duplicate SID
Currently when suricata-update encounters a rule with duplicate SIDs,
it silently uses the one with the higher revision without logging the
warnings.
On duplicate SID, warnings are logged for equal as well as different
revisions.
Thus, changing the parser to load these files in alphabetical order by sorting the filenames before starting to work on them fixes the issue. Now the output generated on running
```
suricata-update -v
```
is
```
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/botcc.rules.
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/ciarmy.rules.
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/compromised.rules.
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/drop.rules.
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/dshield.rules.
24/3/2019 -- 10:34:24 - <Debug> -- Parsing rules/emerging-activex.rules.
```
Rules files are now parsed in sorted order.
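One rule loader, as an added example (not suricata-update's parser), that covers the three commit messages above together: files are parsed in sorted filename order, a rule without a sid raises a BadSidError that is logged and skips only that rule, and a duplicate (gid, sid) logs a warning whether the revisions differ or not, keeping the higher revision and the first-seen rule on a tie. The rule files are constructed in memory; the regular expressions and the `BadSidError` class are this example's own.

```python
"""Added example (not suricata-update's own code): load rule files in sorted
order, reject rules whose sid is missing (BadSidError) instead of hitting a
TypeError later, and warn on duplicate sids, keeping the higher revision.
The rule files below are constructed in memory."""
import logging
import re

logger = logging.getLogger("rule-loader-example")

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


class BadSidError(Exception):
    """Raised for a rule line that has no usable sid."""


# Constructed sample "files" (filename -> contents), deliberately unsorted.
SAMPLE_FILES = {
    "rules/emerging-activex.rules":
        'alert tcp any any -> any any (msg:"A rev 2"; sid:2000001; rev:2;)\n',
    "rules/botcc.rules":
        'alert ip any any -> any any (msg:"A rev 1"; sid:2000001; rev:1;)\n'
        '# a comment line is skipped\n'
        'alert ip any any -> any any (msg:"no sid at all"; rev:1;)\n',
    "rules/drop.rules":
        'alert ip any any -> any any (msg:"D first"; sid:2000002; rev:1;)\n'
        'alert ip any any -> any any (msg:"D duplicate"; sid:2000002; rev:1;)\n',
}


def parse_rule(line, filename, lineno):
    """Return a rule dict, None for blank/comment lines, or raise BadSidError."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sid = SID_RE.search(line)
    if sid is None:
        raise BadSidError("%s:%d: rule has no sid: %s" % (filename, lineno, line))
    gid = GID_RE.search(line)
    rev = REV_RE.search(line)
    return {
        "gid": int(gid.group(1)) if gid else 1,  # Suricata's default gid
        "sid": int(sid.group(1)),
        "rev": int(rev.group(1)) if rev else 0,
        "raw": line,
        "file": filename,
    }


def load_rules(files):
    """Parse files in sorted filename order.

    Returns (rules, skipped, order): rules keyed by (gid, sid), the
    (filename, lineno) pairs rejected by BadSidError, and the parse order."""
    rules, skipped, order = {}, [], []
    for filename in sorted(files):
        logger.debug("Parsing %s.", filename)
        order.append(filename)
        for lineno, line in enumerate(files[filename].splitlines(), 1):
            try:
                rule = parse_rule(line, filename, lineno)
            except BadSidError as err:
                logger.error("%s", err)
                skipped.append((filename, lineno))
                continue
            if rule is None:
                continue
            key = (rule["gid"], rule["sid"])
            existing = rules.get(key)
            if existing is None:
                rules[key] = rule
            elif rule["rev"] > existing["rev"]:
                logger.warning("Duplicate sid %d: replacing rev %d (%s) with rev %d (%s)",
                               key[1], existing["rev"], existing["file"], rule["rev"], filename)
                rules[key] = rule
            else:
                logger.warning("Duplicate sid %d: keeping rev %d (%s), ignoring rev %d (%s)",
                               key[1], existing["rev"], existing["file"], rule["rev"], filename)
    return rules, skipped, order


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="<%(levelname)s> -- %(message)s")
    rules, skipped, order = load_rules(SAMPLE_FILES)
    print("loaded %d rules, skipped %d, parse order %s" % (len(rules), len(skipped), order))
```

Sorting the filenames is what makes the duplicate handling deterministic: with an unsorted directory listing, which copy of sid 2000002 survives would depend on filesystem order, which is exactly the kind of run-to-run difference that makes a ruleset hard to audit.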
Vidushi Agrawal [Fri, 15 Mar 2019 21:56:04 +0000 (03:26 +0530)]
Fix default for the --ignore flag
suricata-update doesn't properly load some sections in the update.yaml file.
Example:
Even after setting the following in update.yaml
```
ignore:
- "*deleted.rules"
- "*pop3.rules"
```
```
$ ./bin/suricata-update -v
```
generates
```
16/3/2019 -- 03:14:59 - <Debug> -- Parsing rules/emerging-pop3.rules.
16/3/2019 -- 03:15:01 - <Debug> -- Parsing rules/emerging-deleted.rules.
```
which means the files do not get ignored. It seems that the code loading command line parameters overrides previous settings even when no parameters are given.
Thus, changing the default for the --ignore flag from "[]" to "None" fixes the issue.
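The default-value trap from this commit message, reproduced as an added example with argparse (not suricata-update's own option handling): `resolve_ignore()` takes the argparse default under test, so the same merge code can be run with `[]` and with `None`, and `apply_ignore()` shows which rule files survive. The config dict, file names and parser name are constructed for the example.

```python
"""Added example (not suricata-update's own code): show why an argparse
default of [] for --ignore silently overrides the ignore list from update.yaml
and why a default of None lets the config value through.  Config and file
names below are constructed."""
import argparse
import fnmatch

SAMPLE_CONFIG = {"ignore": ["*deleted.rules", "*pop3.rules"]}  # as in update.yaml
SAMPLE_FILES = [
    "rules/emerging-pop3.rules",
    "rules/emerging-deleted.rules",
    "rules/botcc.rules",
]


def build_parser(ignore_default):
    """ignore_default is the argparse default under test: [] (buggy) or None."""
    parser = argparse.ArgumentParser(prog="suricata-update-example")
    parser.add_argument("--ignore", action="append", metavar="PATTERN",
                        default=ignore_default, help="filename pattern to skip")
    return parser


def resolve_ignore(argv, config, ignore_default):
    """Merge rule: a command-line value wins over the config.

    With default=[], "no --ignore given" is indistinguishable from "an
    empty list was given", so the config list is never consulted.  With
    default=None the absence is visible and the config list is used."""
    args = build_parser(ignore_default).parse_args(argv)
    if args.ignore is not None:
        return list(args.ignore)
    return list(config.get("ignore") or [])


def apply_ignore(files, patterns):
    """Drop every file matching any ignore pattern (shell-style globbing)."""
    return [f for f in files
            if not any(fnmatch.fnmatch(f, pattern) for pattern in patterns)]


if __name__ == "__main__":
    for default in ([], None):
        patterns = resolve_ignore([], SAMPLE_CONFIG, default)
        print("default=%r -> patterns %r -> files %r"
              % (default, patterns, apply_ignore(SAMPLE_FILES, patterns)))
```

The same pattern applies to any option that can come from both a config file and the command line: use `None` (or a sentinel) as the argparse default so "not given" stays distinguishable from "given as empty".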
Vagisha Gupta [Wed, 13 Mar 2019 14:57:20 +0000 (20:27 +0530)]
Fix Failure with --no-merge
UnboundLocalError: local variable 'rule' referenced before assignment
'suricata-update --no-merge' runs into an error.
'rule.id' is changed to the 'key' variable to fix this issue because 'rule' is
not used in the loop. Appended 'key' to the added list, i.e. the list of rule IDs
that have been added.
Shivani Bhardwaj [Tue, 22 Jan 2019 15:49:37 +0000 (21:19 +0530)]
Add timeout of 30 sec for all GET requests
suricata-update has been reported to hang in case the download fails
for a particular source. Add a timeout parameter to urllib to avoid that
and continue further processing after a timeout of 30 seconds.
Shivani Bhardwaj [Fri, 22 Feb 2019 12:50:15 +0000 (18:20 +0530)]
Fix null pointer dereference issue detected by coverity
Coverity scan of the current code raised the following issue:
```
>>> CID 327298: Null pointer dereferences (FORWARD_NULL)
>>> Accessing a property of null-like value "val".
271 if val.find("noalert") > -1:
```
Shivani Bhardwaj [Mon, 14 Jan 2019 17:22:49 +0000 (22:52 +0530)]
Avoid failure in case of obsoletion of attribute
`platform` is currently (Py3.7) shipped with the `linux_distribution`
attribute but it has been deprecated since Py3.5. In the future, when it
becomes obsolete, suricata-update will break while creating the User-Agent
header. In order to avoid this, check for the attribute before adding it
to the User-Agent.
Shivani Bhardwaj [Fri, 21 Dec 2018 09:14:53 +0000 (14:44 +0530)]
Make header an optional argument
header was being used as a required argument in the SourceConfiguration
class. Since the SourceConfiguration class has been used multiple times
across commands, and not all the commands require the header argument, it
breaks. Fix it by making header an optional argument.
Shivani Bhardwaj [Tue, 18 Dec 2018 10:31:40 +0000 (16:01 +0530)]
Fix the broken sys import of distutils
Newer distutils versions allow listing and working with `sys` as it is
imported in the `__init__.py`; however, the older versions of distutils
do not contain anything other than the version and revision strings.
The current installation procedure relied on the former method, which is
only adapted in the new versions, so make it compatible with the older
versions by importing `sys` from `distutils.core`.
Jason Ish [Thu, 13 Dec 2018 14:45:14 +0000 (08:45 -0600)]
version: hide git revision if unknown
This happens when suricata-update is installed bundled with
Suricata. This is more a relic from the earlier days
of Suricata-Update when more users were likely to install
it directly from git anyways.
Shivani Bhardwaj [Fri, 23 Nov 2018 14:55:29 +0000 (20:25 +0530)]
Install requirements if using pip
The current setup was using distutils, which does not allow defining the
requirements of a package. Check if the installation of
`suricata-update` is being done with `pip` and if it is, install the
requirements while installing the package.
This way distutils will not throw a warning about the `install_requires`
option being unrecognized; however, it would still not install the
requirements.
Now, with the installation of `suricata-update` package, all the
requirements are installed as well if it is installed with `pip`.