rules: insert header elements into Rule object

idstools/rule.py

@@ -67,7 +67,12 @@ class Rule(dict):
       disabled (commented)
     - **action**: The action of the rule (alert, pass, etc) as a
       string
+    - **proto**: The protocol string of the rule.
+    - **source_addr**: The source address string of the rule.
+    - **source_port**: The source ports string of the rule.
     - **direction**: The direction string of the rule.
+    - **dest_addr**: The destination address string of the rule.
+    - **dest_port**: The destination ports string of the rule.
     - **gid**: The gid of the rule as an integer
     - **sid**: The sid of the rule as an integer
     - **rev**: The revision of the rule as an integer
@@ -84,12 +89,16 @@ class Rule(dict):
     :param group: Optional parameter to set the group (filename) of the rule
 
     """
-
     def __init__(self, enabled=None, action=None, group=None):
         dict.__init__(self)
         self["enabled"] = enabled
         self["action"] = action
+        self["proto"] = None
+        self["source_addr"] = None
+        self["source_port"] = None
         self["direction"] = None
+        self["dest_addr"] = None
+        self["dest_port"] = None
         self["group"] = group
         self["gid"] = 1
         self["sid"] = None
@@ -216,7 +225,12 @@ def parse(buf, group=None):
     # If a decoder rule, the header will be one word.
     if len(header.split(" ")) == 1:
         action = header
+        proto = None
+        source_addr = None
+        source_port = None
         direction = None
+        dest_addr = None
+        dest_port = None
     else:
         states = ["action",
                   "proto",
@@ -269,8 +283,13 @@ def parse(buf, group=None):
         return None
 
     rule = Rule(enabled=enabled, action=action, group=group)
-    rule["direction"] = direction
     rule["header"] = header
+    rule["proto"] = proto
+    rule["source_addr"] = source_addr
+    rule["source_port"] = source_port
+    rule["direction"] = direction
+    rule["dest_addr"] = dest_addr
+    rule["dest_port"] = dest_port
 
     options = m.group("options")
 

tests/test_rule.py

@@ -40,7 +40,12 @@ def test_parse1(self):
         rule = idstools.rule.parse("""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)""")
         self.assertEqual(rule.enabled, True)
         self.assertEqual(rule.action, "alert")
+        self.assertEquals(rule.proto, "tcp")
+        self.assertEquals(rule.source_addr, "$HOME_NET")
+        self.assertEquals(rule.source_port, "any")
         self.assertEqual(rule.direction, "->")
+        self.assertEquals(rule.dest_addr, "$EXTERNAL_NET")
+        self.assertEquals(rule.dest_port, "$HTTP_PORTS")
         self.assertEqual(rule.sid, 2014929)
         self.assertEqual(rule.rev, 1)
         self.assertEqual(rule.msg, "ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip")