Suricata Rules (#1102)

Co-authored-by: Thomas Chopitea <[email protected]>
yeti-platform · Jul 8, 2024 · 51cbf22 · 51cbf22
1 parent aab28b5
commit 51cbf22
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 4 deletions.
diff --git a/core/schemas/indicator.py b/core/schemas/indicator.py
@@ -8,6 +8,7 @@
 import yaml
 from artifacts import definitions, reader, writer
 from artifacts import errors as artifacts_errors
+from idstools import rule
 from pydantic import BaseModel, Field, PrivateAttr, computed_field, field_validator
 
 from core import database_arango
@@ -29,6 +30,7 @@ class IndicatorType(str, Enum):
     yara = "yara"
     sigma = "sigma"
     query = "query"
+    suricata = "suricata"
     forensicartifact = "forensicartifact"
 
 
@@ -148,6 +150,34 @@ def match(self, value: str) -> IndicatorMatch | None:
         raise NotImplementedError
 
 
+class Suricata(Indicator):
+    """Represents a Suricata rule.
+
+    Parsing and matching is yet TODO.
+    """
+
+    _type_filter: ClassVar[str] = IndicatorType.suricata
+    type: Literal["suricata"] = IndicatorType.suricata
+
+    def match(self, value: str) -> IndicatorMatch | None:
+        raise NotImplementedError
+
+    @field_validator("pattern")
+    @classmethod
+    def validate_rules(cls, value) -> str:
+        try:
+            rule.parse(value)
+        except Exception as e:
+            raise ValueError(f"invalid {cls.pattern} {e}")
+        return value
+
+    def parse(self) -> rule.Rule | None:
+        try:
+            return rule.parse(self.pattern)
+        except Exception as e:
+            logging.error(f" Error parsing {self.pattern} {e}")
+
+
 class Sigma(Indicator):
     """Represents a Sigma rule.
 
@@ -329,15 +359,22 @@ def save_indicators(self, create_links: bool = False):
     "regex": Regex,
     "yara": Yara,
     "sigma": Sigma,
+    "suricata": Suricata,
     "query": Query,
     "forensicartifact": ForensicArtifact,
     "indicator": Indicator,
     "indicators": Indicator,
 }
 
 IndicatorTypes = Annotated[
-    Union[Regex, Yara, Sigma, Query, ForensicArtifact], Field(discriminator="type")
+    Union[Regex, Yara, Suricata, Sigma, Query, ForensicArtifact],
+    Field(discriminator="type"),
 ]
 IndicatorClasses = (
-    Type[Regex] | Type[Yara] | Type[Sigma] | Type[Query] | Type[ForensicArtifact]
+    Type[Regex]
+    | Type[Yara]
+    | Type[Suricata]
+    | Type[Sigma]
+    | Type[Query]
+    | Type[ForensicArtifact]
 )
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -25,6 +25,7 @@ itsdangerous = "^2.1.2"
 pyyaml = "^6.0.1"
 parameterized = "^0.9.0"
 yara-python = "^4.5.0"
+idstools = "^0.6.5"
 
 [tool.poetry.group.dev.dependencies]
 pylint = "^2.16.1"