in ingest_suricata_rules/rules_processor.py [0:0]
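# Rule actions AWS Network Firewall accepts; anything else (reject, rejectsrc,
# rejectdst, rejectboth, ...) is rejected when the rule group is created.
_SUPPORTED_ACTIONS = frozenset({"alert", "drop", "pass"})

# Suricata rule keywords Network Firewall does not support, grouped by the
# caveat they fall under. Source (checked May 2021):
# https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
# A rule carrying any of these keywords is disabled rather than uploaded.
_UNSUPPORTED_KEYWORDS = (
    # IP reputation. The iprep keyword is not allowed.
    ("iprep",),
    # Lua scripting ("lua" is the current keyword, "luajit" the legacy spelling).
    ("lua", "luajit"),
    # GeoIP (Suricata keyword: geoip).
    ("geoip",),
    # File extraction. File keywords aren't allowed.
    # NOTE(review): only the classic file* keywords are listed; if the input
    # ruleset uses the newer "file.name"/"file.magic" sticky buffers, extend this.
    ("filename", "fileext", "filemagic", "filestore",
     "filemd5", "filesha1", "filesha256", "filesize"),
    # ENIP/CIP keywords.
    ("enip_command", "cip_service"),
    # Datasets. The keywords dataset and datarep aren't allowed.
    ("dataset", "datarep"),
)


def _uses_unsupported_feature(rule):
    """Return True if *rule* relies on a feature Network Firewall rejects.

    Checks, in order: the rule action, every keyword group in
    ``_UNSUPPORTED_KEYWORDS`` (via ``rule.get_option``), and finally a
    ``flowbits:isset`` reference in the rule text.
    """
    if rule.action not in _SUPPORTED_ACTIONS:
        return True
    for keywords in _UNSUPPORTED_KEYWORDS:
        # get_option() returns an empty sequence when the keyword is absent.
        if any(rule.get_option(keyword) for keyword in keywords):
            return True
    # Rule files containing flowbits:isset fail to load when the rule that
    # performs the matching flowbits:set lives in a different file. Until the
    # setter/checker pairs are kept together, such rules are dropped so the
    # rest of the file can be processed. Whitespace is stripped first so that
    # "flowbits: isset" (which Suricata accepts) is caught as well.
    rule_text = "".join(str(rule).split())
    return "flowbits:isset" in rule_text


def process_ruleset(ruleset):
    """Split a parsed Suricata ruleset into Network-Firewall-compatible and dropped rules.

    Each rule that uses a feature Network Firewall does not support (see
    ``_UNSUPPORTED_KEYWORDS``, ``_SUPPORTED_ACTIONS`` and the flowbits caveat
    in ``_uses_unsupported_feature``) is disabled in place
    (``rule.enabled = False``) and collected in ``dropped_rules``.

    Args:
        ruleset: iterable of parsed rule objects exposing ``action``,
            ``enabled``, ``get_option(name)`` and ``__str__``.

    Returns:
        ``(valid_rules, dropped_rules)``: the rules still enabled after the
        checks, and the rules this function disabled. Rules that were already
        disabled on input appear in neither list unless a check also hit them.

    Security note: every dropped rule is a detection gap in the deployed
    policy, and ``flowbits:isset`` rules in particular are the second stage of
    multi-stage detections. Callers should log or report ``dropped_rules``
    rather than discard them silently.
    """
    rules = list(ruleset)
    dropped_rules = []
    for rule in rules:
        if _uses_unsupported_feature(rule):
            rule.enabled = False
            dropped_rules.append(rule)
    valid_rules = [rule for rule in rules if rule.enabled]
    return valid_rules, dropped_rules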