-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sieve Filter expert #1083
Sieve Filter expert #1083
Changes from 22 commits
24ab6ca
6e6465d
0e43dd8
a187b3f
9eb33c6
54c05d0
e3eaa46
d06b197
873a9fb
8446988
fda9cad
99b6cc2
6b2759f
706819f
f5cc29c
3f48d8f
40dda0d
76bc0dd
b73c48f
8f1881c
17c0d4d
1176a85
cda7c7d
3095d34
61b4d0c
6d7bca0
ea03ee2
8276b5e
6d50608
1b148d5
3701bda
f590a95
b46b642
e385bfa
2d5ac01
764015b
7ddce57
e878cc9
e2f6a8c
342b483
7ee859b
1419da5
c8f6134
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
*.dot | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. because they might have used graphviz :) Anyway, yes. Not needed here. |
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,166 @@ | ||
# Sieve Bot | ||
|
||
The sieve bot is used to filter and/or modify events based on a set of rules. The | ||
rules are specified in an external configuration file and with a syntax similar | ||
to the [Sieve language](http://sieve.info/) used for mail filtering. | ||
|
||
Each rule defines a set of matching conditions on received events. Events can be | ||
matched based on keys and values in the event. If the processed event matches a | ||
rule's conditions, the corresponding actions are performed. Actions can specify | ||
whether the event should be kept or dropped in the pipeline (filtering actions) | ||
or if keys and values should be changed (modification actions). | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would it be possible to specify a specific outgoing pipeline as an action? Example:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is not supported by the core. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In our instance, we are already (ab)using a newly introduced key called This can be generalized by introducing a new key, e.g. If a routing model was provided in the core, we would certainly have use-cases for it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wonder why no issue existed for this which and created #1088 for it |
||
|
||
## Examples | ||
|
||
The following excerpts illustrate some of the basic features of the sieve file | ||
format: | ||
|
||
``` | ||
if :exists source.fqdn { | ||
keep // aborts processing of subsequent rules and forwards the event. | ||
} | ||
|
||
|
||
if :notexists source.abuse_contact || source.abuse_contact =~ '.*@example.com' { | ||
drop // aborts processing of subsequent rules and drops the event. | ||
} | ||
|
||
if source.ip << 192.0.0.0/24 { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The validator says for this line:
And why is there an additional There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. according to the docs below, IP addresses must be quoted. |
||
add! comment = 'bogon' | ||
} | ||
|
||
if classification.type == ['phishing', 'malware'] && source.fqdn =~ '.*\.(ch|li)$' { | ||
add! comment = 'domainabuse' | ||
keep | ||
} elsif classification.type == 'scanner' { | ||
add! comment = 'ignore' | ||
drop | ||
} else { | ||
remove comment | ||
} | ||
``` | ||
|
||
|
||
## Parameters | ||
|
||
The sieve bot only takes one parameter: | ||
* `file` - filesystem path the the sieve file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. grammar: file system path of the sieve file |
||
|
||
|
||
## Reference | ||
|
||
### Sieve File Structure | ||
|
||
The sieve file contains an arbitrary number of rules of the form: | ||
|
||
``` | ||
if EXPRESSION { | ||
ACTIONS | ||
} elif EXPRESSION { | ||
ACTIONS | ||
} else { | ||
ACTIONS | ||
} | ||
``` | ||
|
||
|
||
### Expressions | ||
|
||
Each rule specifies on or more expressions to match an event based on its keys | ||
and values. Event keys are specified as strings without quotes. String values | ||
must be enclosed in single quotes. Numeric values can be specified as integers | ||
or floats and are unquoted. IP addresses and network ranges (IPv4 and IPv6) are | ||
specified with quotes. Following operators may be used to match events: | ||
|
||
* `:exists` and `:notexists` match if a given key exists, for example: | ||
|
||
```if :exists source.fqdn { ... }``` | ||
|
||
* `==` and `!=` match for equality of strings and numbers, for example: | ||
|
||
```if feed.name != 'acme-security' || feed.accuracy == 100 { ... }``` | ||
|
||
* `:contains` matches on substrings. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. wish list: if we have contains, out of reasons of symmetry , may we have |
||
|
||
* `=~` matches strings based on the given regex. `!~` is the inverse regex | ||
match. | ||
|
||
* Numerical comparisons are evaluated with `<`, `<=`, `>`, `>=`. | ||
|
||
* `<<` matches if an IP address is contained in the specified network range: | ||
|
||
```if source.ip << '10.0.0.0/8' { ... }``` | ||
|
||
* Values to match against can also be specified as list, in which case any one | ||
of the values will result in a match: | ||
|
||
```if source.ip == ['8.8.8.8', '8.8.4.4'] { ... }``` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This could be problematic if we, one day, support lists for data fields. We currently support dictionaries (extra, and in the future possibly some others too) and lists would fit perfectly for e.g @aaronkaplan what's your opinion on this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Problem is: every operator, not just There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. may we change the grammar here to |
||
|
||
In this case, the event will match if it contains a key `source.ip` with | ||
either value `8.8.8.8` or `8.8.4.4`. | ||
|
||
|
||
### Actions | ||
|
||
If part of a rule matches the given conditions, the actions enclosed in `{` and | ||
`}` are applied. By default, all events that are matched or not matched by rules | ||
in the sieve file will be forwarded to the next bot in the pipeline, unless the | ||
`drop` action is applied. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there a possibility for a default action ? |
||
|
||
* `add` adds a key value pair to the event. This action only applies if the key | ||
is not yet defined in the event. If the key is already defined, the action is | ||
ignored. Example: | ||
|
||
```add comment = 'hello, world'``` | ||
|
||
* `add!` same as above, but will force overwrite the key in the event. | ||
|
||
* `modify` modifies an existing value for a key. Only applies if the key is | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit-picking here: may we rename |
||
already defined. If the key is not defined in the event, this action is ignored. | ||
Example: | ||
|
||
```modify feed.accuary = 50``` | ||
|
||
* `remove` removes a key/value from the event. Action is ignored if the key is | ||
not defined in the event. Example: | ||
|
||
```remove extra.comments``` | ||
|
||
* `keep` marks the event to be forwarded to the next bot in the pipeline | ||
(same as the default behaviour), but in addition the sieve file processing is | ||
interrupted upon reaching this action. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So implicitly here you are saying that the default behaviour without There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, the Without a mention of |
||
|
||
* `drop` marks the event to be dropped. The event will not be forwarded to the | ||
next bot in the pipeline. The sieve file processing is interrupted upon | ||
reaching this action. No other actions may be specified besides the `drop` | ||
action within `{` and `}`. | ||
|
||
|
||
### Comments | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could you explain (maybe I missed it and you did) if
|
||
|
||
Comments may be used in the sieve file: all characters after `//` and until the end of the line will be ignored. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. wish-list: |
||
|
||
|
||
## Validating a sieve file | ||
|
||
Use the following command to validate your sieve files: | ||
``` | ||
$ python intelmq/bots/experts/sieve/validator.py -h | ||
usage: validator.py [-h] sievefile | ||
|
||
Validates the syntax of sievebot files. | ||
|
||
positional arguments: | ||
sievefile Sieve file | ||
|
||
optional arguments: | ||
-h, --help show this help message and exit | ||
``` | ||
|
||
## Installation | ||
|
||
To use this bot, you need to install the required dependencies: | ||
``` | ||
$ pip install -r REQUIREMENTS.txt | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
textX>=1.5.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please be more verbose, say that the sieve language is used. E.g. 'This bot filters and modifies events based on a sieve-based language.'