Commit 96bcf076 authored by Ad Schellevis's avatar Ad Schellevis

(ids) update search installed rules

parent c8dcaaba
...@@ -46,7 +46,7 @@ if __name__ == '__main__': ...@@ -46,7 +46,7 @@ if __name__ == '__main__':
rc.create() rc.create()
# load parameters, ignore validation here the search method only processes valid input # load parameters, ignore validation here the search method only processes valid input
parameters = {'limit':'0','offset':'0','sort_by':'', 'filter':'', 'filter_fields':''} parameters = {'limit':'0','offset':'0','sort_by':'', 'filter':''}
cmd=None cmd=None
for arg in sys.argv[1:]: for arg in sys.argv[1:]:
if cmd is None: if cmd is None:
...@@ -60,3 +60,5 @@ if __name__ == '__main__': ...@@ -60,3 +60,5 @@ if __name__ == '__main__':
result=rc.search(**parameters) result=rc.search(**parameters)
result['parameters'] = parameters result['parameters'] = parameters
print (json.dumps(result)) print (json.dumps(result))
...@@ -33,6 +33,7 @@ import os ...@@ -33,6 +33,7 @@ import os
import os.path import os.path
import glob import glob
import sqlite3 import sqlite3
import shlex
class RuleCache(object): class RuleCache(object):
""" """
...@@ -42,6 +43,7 @@ class RuleCache(object): ...@@ -42,6 +43,7 @@ class RuleCache(object):
self.rule_source_dir = '/usr/local/etc/suricata/rules/' self.rule_source_dir = '/usr/local/etc/suricata/rules/'
self.cachefile = '%srules.sqlite'%self.rule_source_dir self.cachefile = '%srules.sqlite'%self.rule_source_dir
self._rule_fields = ['sid','msg','classtype','rev','gid','source','enabled'] self._rule_fields = ['sid','msg','classtype','rev','gid','source','enabled']
self._rule_defaults = {'classtype':'##none##'}
def listLocal(self): def listLocal(self):
all_rule_files=[] all_rule_files=[]
...@@ -113,6 +115,9 @@ class RuleCache(object): ...@@ -113,6 +115,9 @@ class RuleCache(object):
for rule_field in self._rule_fields: for rule_field in self._rule_fields:
if rule_field not in record: if rule_field not in record:
if rule_field in self._rule_defaults:
record[rule_field] = self._rule_defaults[rule_field]
else:
record[rule_field] = None record[rule_field] = None
rules.append(record) rules.append(record)
...@@ -123,12 +128,11 @@ class RuleCache(object): ...@@ -123,12 +128,11 @@ class RuleCache(object):
cur.execute('insert into stats (timestamp,files) values (?,?) ',(last_mtime,len(all_rule_files))) cur.execute('insert into stats (timestamp,files) values (?,?) ',(last_mtime,len(all_rule_files)))
db.commit() db.commit()
def search(self, limit, offset, filter, filter_fields, sort_by): def search(self, limit, offset, filter, sort_by):
""" search installed rules """ search installed rules
:param limit: limit number of rows :param limit: limit number of rows
:param offset: limit offset :param offset: limit offset
:param filter: text to search :param filter: text to search, used format fieldname1,fieldname2/searchphrase include % to match on a part
:param filter_fields: list of fields to apply filter
:param sort: order by, list of fields and possible asc/desc parameter :param sort: order by, list of fields and possible asc/desc parameter
:return: dict :return: dict
""" """
...@@ -139,14 +143,27 @@ class RuleCache(object): ...@@ -139,14 +143,27 @@ class RuleCache(object):
# construct query including filters # construct query including filters
sql = 'select * from rules ' sql = 'select * from rules '
sql_filters = {} sql_filters = {}
for field in map(lambda x:x.lower().strip(),filter_fields.split(',')):
if field in self._rule_fields: for filtertag in shlex.split(filter):
fieldnames = filtertag.split('/')[0]
searchcontent = '/'.join(filtertag.split('/')[1:])
if len(sql_filters) > 0: if len(sql_filters) > 0:
sql += ' and ( '
else:
sql += ' where ( '
for fieldname in map(lambda x: x.lower().strip(), fieldnames.split(',')):
if fieldname in self._rule_fields:
if fieldname != fieldnames.split(',')[0].strip():
sql += ' or ' sql += ' or '
if searchcontent.find('%') == -1:
sql += 'cast('+fieldname + " as text) like :"+fieldname+" "
else:
sql += 'cast('+fieldname + " as text) like '%'|| :"+fieldname+" || '%' "
sql_filters[fieldname] = searchcontent.replace('%', '')
else: else:
sql += ' where ' # not a valid fieldname, add a tag to make sure our sql statement is valid
sql += 'cast('+field + " as text) like '%'|| :"+field+" || '%' " sql += ' 1 = 1 '
sql_filters[field] = filter sql += ' ) '
# apply sort order (if any) # apply sort order (if any)
sql_sort =[] sql_sort =[]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment