in ingest_suricata_rules/convert_ids_ips.py [0:0]
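def lambda_handler(event, context):
    """Entry point for the S3-triggered Suricata rule-ingest Lambda.

    ``event`` is an S3 event notification; every entry of ``event['Records']``
    names the bucket and object key of a Suricata rule file that was written.
    Each record is converted from IDS to IPS semantics and pushed to AWS
    Network Firewall (ANF) as the rule group ``ips-suricata-<file stem>``
    (see ``_process_rule_file``). ``context`` is the Lambda context object
    and is not used.

    Raises whatever the ANF create/update call raises, after the attempted
    ruleset has been recorded with status 'ERROR'; letting the exception
    propagate fails the invocation so the runtime can retry it.
    """
    # Object keys in S3 event notifications are URL-encoded (spaces arrive as
    # '+', non-ASCII and some punctuation as %XX). Decode them, or
    # download_file() looks up a key that does not exist.
    from urllib.parse import unquote_plus

    for record in event['Records']:
        bucket = record['s3']['bucket']['name']
        key = unquote_plus(record['s3']['object']['key'])
        _process_rule_file(bucket, key)


def _rule_group_capacity(rule_count):
    """Return the ANF capacity to request when creating a group for ``rule_count`` rules.

    Adds 30% headroom and rounds up to the nearest hundred, so the group has
    room to grow: capacity is only passed on create (the update call below
    does not take one).
    """
    return int(math.ceil((rule_count * 1.3) / 100.0)) * 100


def _process_rule_file(bucket, key):
    """Convert one Suricata rule file from S3 into an ANF IPS rule group.

    Downloads ``s3://bucket/key`` to /tmp, parses it, keeps the enabled rules,
    converts them to IPS rules and then creates the rule group
    ``ips-suricata-<stem>`` or updates it in place if it already exists. The
    ruleset is persisted back to ``bucket`` through ``save_rulesets`` with a
    status of 'EMPTY', 'APPLIED' or 'ERROR'.

    Files that yield no enabled rule, and keys with no usable file stem (for
    example a folder placeholder or a name starting with '.'), are skipped
    with a log line rather than failed, so the invocation is not retried for
    input that can never succeed.

    Raises the ANF exception unchanged after recording the ruleset as 'ERROR'.
    """
    import os

    # The rule-group name is derived from untrusted input (the object key):
    # keep only the last path segment, drop everything from the first '.',
    # and swap '_' for '-'. Splitting on '/' and '.' leaves no separator in
    # the stem, so it cannot escape /tmp, but it can be empty. The stem must
    # also satisfy ANF's rule-group naming rules; an invalid name is rejected
    # by the create/update call and recorded as 'ERROR'.
    suricata_rules_filename = key.split('/')[-1].split('.')[0].replace('_', '-')
    if not suricata_rules_filename:
        print("SKIPPING RULE FILE: could not derive a rule group name from key :", key)
        return

    local_path = os.path.join('/tmp', suricata_rules_filename)
    try:
        s3.download_file(bucket, key, local_path)
        content = parse_file(local_path)
    finally:
        # /tmp survives across warm invocations and has a fixed size limit;
        # do not leave downloaded rule files behind.
        if os.path.exists(local_path):
            os.remove(local_path)

    print("Converting Suricata Rules file from IDS to IPS ruleset: s3://" + bucket + "/" + key)
    ruleset = [rule for rule in content if rule.enabled]
    if not ruleset:
        print("SKIPPING RULE FILE: No Valid Rules found that can be applied to ANF for file :", suricata_rules_filename)
        save_rulesets(ruleset, bucket, suricata_rules_filename, 'EMPTY')
        # Return instead of exit(): SystemExit inside a Lambda handler tears
        # down the runtime and is reported as an invocation error.
        return

    ips_ruleset = convert_ids_ips(ruleset)
    rule_group_name = "ips-suricata-" + suricata_rules_filename
    rules_string = "\n".join(str(rule) for rule in ips_ruleset)
    _apply_rule_group(rule_group_name, rules_string, ips_ruleset, bucket)


def _apply_rule_group(rule_group_name, rules_string, ips_ruleset, bucket):
    """Create the ANF rule group ``rule_group_name``, or update it if it exists.

    ``rules_string`` is the newline-joined IPS ruleset sent to ANF;
    ``ips_ruleset`` is the same ruleset as objects, persisted through
    ``save_rulesets`` with status 'APPLIED' on success or 'ERROR' when the ANF
    call raises (the exception is then re-raised unchanged).
    """
    exists = check_rule_group_exists(rule_group_name)
    if exists:
        # UpdateToken is ANF's optimistic-concurrency token: the update is
        # rejected if the group changed after get_rule_group() read it, so two
        # concurrent invocations cannot silently overwrite each other. Read it
        # outside the try so a lookup failure is not mislabelled as an apply
        # error.
        update_token = get_rule_group(rule_group_name)["UpdateToken"]

    action = "Update" if exists else "Create"
    print("Attempting " + action + " RuleGroup: " + rule_group_name + " with " + str(len(ips_ruleset)) + " rules")
    try:
        if exists:
            response = anf.update_rule_group(
                RuleGroupName=rule_group_name,
                Type=RuleGroupType,
                Rules=rules_string,
                UpdateToken=update_token,
            )
        else:
            # The exists/create pair is not atomic: two invocations racing on
            # a new group both reach create_rule_group and one is expected to
            # fail, be recorded as 'ERROR' and take the update path on retry.
            # Capacity is fixed here and not revisited on update, so a ruleset
            # that later outgrows it is presumably rejected by ANF and
            # surfaces as an 'ERROR' record.
            response = anf.create_rule_group(
                RuleGroupName=rule_group_name,
                Type=RuleGroupType,
                Rules=rules_string,
                Capacity=_rule_group_capacity(len(ips_ruleset)),
            )
    except Exception:
        save_rulesets(ips_ruleset, bucket, rule_group_name, 'ERROR')
        raise

    print(response)
    save_rulesets(ips_ruleset, bucket, rule_group_name, 'APPLIED')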