| 402 | raise EAException('scan_entire_timeframe can only be used if there is a timeframe specified') |
| 403 | |
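def load_modules(self, rule, args=None):
    """Resolve the pluggable parts of *rule* into live objects, in place.

    Three keys of the ``rule`` dict are rewritten:

    * ``match_enhancements`` -- a list of names, replaced by a list of
      instantiated ``enhancements.BaseEnhancement`` subclasses.
    * ``type`` -- a name looked up in ``self.rules_mapping`` (or, failing
      that, handed to ``get_module``), replaced by an instance of that
      ``ruletypes.RuleType`` subclass.
    * ``alert`` -- passed through ``self.load_alerts`` unless ``args.debug``
      is set; alerts are never sent in debug mode so they are not built.

    Args:
        rule: the rule configuration dict; mutated in place.
        args: parsed command-line arguments (only ``args.debug`` is read),
            or None.

    Raises:
        EAException: a named enhancement or rule type does not resolve to a
            class with the expected base, a required option of the rule
            type is missing, or the rule type fails to initialise.

    Note: names that are not found locally are resolved by importing the
    module they name via ``get_module``, so a rule file decides what code
    gets loaded here. Rule files therefore need the same trust as the
    application's own code.
    """
    # Set match enhancements
    match_enhancements = []
    for enhancement_name in rule.get('match_enhancements', []):
        if enhancement_name in dir(enhancements):
            enhancement = getattr(enhancements, enhancement_name)
        else:
            enhancement = get_module(enhancement_name)
        # isinstance guard: issubclass() raises TypeError on a non-class
        # (e.g. a name that resolves to a function), which would surface
        # as an opaque traceback instead of the EAException below.
        if not (isinstance(enhancement, type)
                and issubclass(enhancement, enhancements.BaseEnhancement)):
            raise EAException("Enhancement module %s not a subclass of BaseEnhancement" % enhancement_name)
        match_enhancements.append(enhancement(rule))
    rule['match_enhancements'] = match_enhancements

    # Convert rule type into RuleType object
    if rule['type'] in self.rules_mapping:
        rule['type'] = self.rules_mapping[rule['type']]
    else:
        rule['type'] = get_module(rule['type'])
    # Same non-class guard as for enhancements.
    if not (isinstance(rule['type'], type)
            and issubclass(rule['type'], ruletypes.RuleType)):
        raise EAException('Rule module %s is not a subclass of RuleType' % (rule['type']))

    # Make sure we have required alert and type options; computed once so
    # the check and the message cannot disagree.
    missing = rule['type'].required_options - frozenset(rule)
    if missing:
        raise EAException('Missing required option(s): %s' % ', '.join(missing))

    # Instantiate rule
    try:
        rule['type'] = rule['type'](rule, args)
    except (KeyError, EAException) as e:
        # ``from e`` keeps the original failure in the chained traceback;
        # it replaces the Python-2-era with_traceback(sys.exc_info()[2]).
        raise EAException('Error initializing rule %s: %s' % (rule['name'], e)) from e

    # Instantiate alerts only if we're not in debug mode
    # In debug mode alerts are not actually sent so don't bother instantiating them
    if not args or not args.debug:
        rule['alert'] = self.load_alerts(rule, alert_field=rule['alert'])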
| 440 | |
| 441 | def load_alerts(self, rule, alert_field): |
| 442 | def normalize_config(alert): |