jasonish · Dec 12, 2014 · Dec 12, 2014 · Dec 12, 2014 · Dec 12, 2014
Showing with 24 additions and 9 deletions.

+10 −0 README.rst

+1 −1 idstools/__init__.py

+12 −8 idstools/rule.py

+1 −0 tests/test_rule.py
diff --git a/README.rst b/README.rst
@@ -54,6 +54,16 @@ Further documentation is located at http://idstools.readthedocs.org.
 Changelog
 ---------
 
+0.4.3
+~~~~~
+
+- Make the rule direction an accessible field of the rule object.
+
+0.4.2
+~~~~~
+
+- Fix issue loading signature map files (GitHub issue #2).
+
 0.4.1
 ~~~~~
 

diff --git a/idstools/__init__.py b/idstools/__init__.py
@@ -1 +1 @@
-version = "0.4.2"
+version = "0.4.3"
diff --git a/idstools/rule.py b/idstools/rule.py
@@ -49,15 +49,15 @@
 # Compiled regular expression to detect a rule and break out some of
 # its parts.
 rule_pattern = re.compile(
-    r"^(?P<enabled>#)*\s*"	# Enabled/disabled
+    r"^(?P<enabled>#)*\s*"      # Enabled/disabled
     r"(?P<raw>"
-    r"(?P<action>%s)\s*"	# Action
-    r"[^\s]*\s*"		# Protocol
-    r"[^\s]*\s*"		# Source address(es)
-    r"[^\s]*\s*"		# Source port
-    r"[-><]+\s*"		# Direction
-    r"[^\s]*\s*"		# Destination address(es)
-    r"[^\s]*\s*" 		# Destination port
+    r"(?P<action>%s)\s*"        # Action
+    r"[^\s]*\s*"                # Protocol
+    r"[^\s]*\s*"                # Source address(es)
+    r"[^\s]*\s*"                # Source port
+    r"(?P<direction>[-><]+)\s*"	# Direction
+    r"[^\s]*\s*"		        # Destination address(es)
+    r"[^\s]*\s*"                # Destination port
     r"\((?P<options>.*)\)\s*" 	# Options
     r")"
     % "|".join(actions))
@@ -99,6 +99,8 @@ class Rule(dict):
     - **action**: The action of the rule (alert, pass, etc) as a
         string
 
+    - **direction**: The direction string of the rule.
+
     - **gid**: The gid of the rule as an integer
 
     - **sid**: The sid of the rule as an integer
@@ -127,6 +129,7 @@ def __init__(self, enabled=None, action=None):
         dict.__init__(self)
         self["enabled"] = enabled
         self["action"] = action
+        self["direction"] = None
         self["gid"] = 1
         self["sid"] = None
         self["rev"] = None
@@ -183,6 +186,7 @@ def parse(buf):
     rule = Rule(enabled=True if m.group("enabled") is None else False,
                 action=m.group("action"))
 
+    rule["direction"] = m.group("direction")
     options = m.group("options")
     for p in option_patterns:
         for opt, val in p.findall(options):

diff --git a/tests/test_rule.py b/tests/test_rule.py
@@ -40,6 +40,7 @@ def test_parse1(self):
         rule = idstools.rule.parse("""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)""")
         self.assertEqual(rule.enabled, True)
         self.assertEqual(rule.action, "alert")
+        self.assertEqual(rule.direction, "->")
         self.assertEqual(rule.sid, 2014929)
         self.assertEqual(rule.rev, 1)
         self.assertEqual(rule.msg, "ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip")