Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding methods for rules and decoders #73

Merged
merged 19 commits into from
Sep 6, 2023
Merged

Adding methods for rules and decoders #73

merged 19 commits into from
Sep 6, 2023

Conversation

pro-akim
Copy link
Member

@pro-akim pro-akim commented Jun 30, 2023
edited
Loading

Related Issue
#66

Description

This PR includes new methods for adding and replacing rules and decoders.

Evidences

Running:

  1. wh.change_decoders('manager1', '/home/akim/Desktop/decoder_total.xml')

  2. wh.change_rules('manager1', '/home/akim/Desktop/rules_total.xml')

  3. wh.add_decoder('manager1', '/home/akim/Desktop/decoder.xml', '/var/ossec/etc/decoders/local_decoder.xml')

  4. wh.add_rule('manager1', '/home/akim/Desktop/rule.xml', '/var/ossec/etc/rules/local_rules.xml')

Results:

  1. Changed '/var/ossec/etc/decoders/local_decoder.xml' by '/home/akim/Desktop/decoder.xml' content.

  2. Changed '/var/ossec/etc/rules/local_rules.xml' by '/home/akim/Desktop/rules_total.xml' content.

  3. Adding a decoder from '/home/akim/Desktop/decoder.xml' to '/var/ossec/etc/decoders/local_decoder.xml'

  4. Adding a rule from '/home/akim/Desktop/rule.xml' to '/var/ossec/etc/rules/local_rules.xml'

@pro-akim pro-akim self-assigned this Jun 30, 2023
@pro-akim pro-akim linked an issue Jun 30, 2023 that may be closed by this pull request
Wazuh Handler: Rules and decoders configuration #66
Closed
4 tasks
@roronoasins
Copy link
Contributor

GJ! LGTM

@pro-akim
Copy link
Member Author

pro-akim commented Jul 6, 2023

06/07/2023

Small changes done around format of f'string use

Rebits
Rebits requested changes Jul 11, 2023
View reviewed changes
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
src/wazuh_qa_framework/system/wazuh_handler.py Outdated Show resolved Hide resolved
@pro-akim
Copy link
Member Author

pro-akim commented Jul 12, 2023
edited
Loading

12/07/2023 Update

All changes were done.
Add and Change decoders were changed by create decoders
Same for rules.

Tests:

Evidences

Running:

  1. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_total.xml', '/var/ossec/etc/decoders/local_decoder.xml', overwrite=True)

  2. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_simple.xml', '/var/ossec/etc/decoders/local_decoder.xml', overwrite=False)

  3. wh.create_rule('manager1', '/home/akim/Desktop/rule_total.xml', '/var/ossec/etc/rules/local_rules.xml', overwrite=True)

  4. wh.create_rule('manager1', '/home/akim/Desktop/rule_simple.xml', '/var/ossec/etc/rules/local_rules.xml', overwrite=False)

Results:

  1. /var/ossec/etc/decoders/local_decoder.xml changed by /home/akim/Desktop/decoder_total.xml

  2. /home/akim/Desktop/decoder_simple.xml added to /var/ossec/etc/decoders/local_decoder.xml

  3. /var/ossec/etc/rules/local_rules.xml changed by /home/akim/Desktop/rule_total.xml

  4. /home/akim/Desktop/rule_simple.xml added to /var/ossec/etc/rules/local_rules.xml

@pro-akim pro-akim marked this pull request as draft July 13, 2023 08:55
@pro-akim pro-akim marked this pull request as ready for review July 13, 2023 08:55
@pro-akim
Copy link
Member Author

pro-akim commented Jul 13, 2023
edited
Loading

13/07/2023 Update

The linter is not functioning properly.
Even though line 891 is not present in 72ccf45, the linter is still detecting a whitespace error. Therefore, a new pull request will be submitted for review, even if the linting error persists.

Rebits
Rebits requested changes Jul 27, 2023
View reviewed changes
src/wazuh_qa_framework/system/wazuh_handler.py Outdated
Comment on lines 856 to 872
try:
with open(new_rule_filename, 'r') as file:
new_rules = file.read()
if overwrite:
self.logger.info(message=f'Changing {rules_filename} to {new_rule_filename}')
else:
current_rules = self.get_file_content(host, rules_filename)
index_rule = current_rules.rfind("</rule>")
if index_rule != -1:
new_rules = current_rules[:index_rule] + '</rule>\n' + new_rules + '\n</group>'
self.logger.info(message=f'Adding rule from {new_rule_filename} to {rules_filename}')

self.modify_file_content(host, rules_filename, new_rules)
self.logger.info(message=f'Rules succefully updated')

except FileNotFoundError:
self.logger.error(message=f'The file {new_rule_filename} does not exist.')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The method should create the file if it does not exists.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
@@ -843,3 +843,57 @@ def is_manager(self, host):
bool: True if host is manager
"""
return host in self.get_managers()

def create_rule(self, host, new_rule_filename, rules_filename, overwrite=True):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new_rule_filename is not the filename, it is the filepath. In addition respect the plural for the variables

Suggested change
def create_rule(self, host, new_rule_filename, rules_filename, overwrite=True):
def create_rule(self, host, new_rules_filepath, rules_filename, overwrite=True):

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
Comment on lines 859 to 860
if overwrite:
self.logger.info(message=f'Changing {rules_filename} to {new_rule_filename}')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move logger to the start of the method

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the new flow (adding creation of new file), it will make sense to keep it in this position

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
Comment on lines 862 to 866
current_rules = self.get_file_content(host, rules_filename)
index_rule = current_rules.rfind("</rule>")
if index_rule != -1:
new_rules = current_rules[:index_rule] + '</rule>\n' + new_rules + '\n</group>'
self.logger.info(message=f'Adding rule from {new_rule_filename} to {rules_filename}')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do this? Why not simply append the new rules at the end of the file?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is because should go inside and follow the previous (preexisting) rule.

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
host (str): Host name.
new_decoder_filename (str): New decoder filepath.
rules_filename (str): Host decoder filename.
overwrite (bool): replace the decoder file True, add decoders to decoders file, False. Defaults to True.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
overwrite (bool): replace the decoder file True, add decoders to decoders file, False. Defaults to True.
overwrite (bool): Replace the decoder file. Defaults to True.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
host (str): Host name.
new_rule_filename (str): New rules filepath.
rules_filename (str): Host rules filename.
overwrite (bool): replace the rules file True, add rules to rules file, False. Defaults to True.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
overwrite (bool): replace the rules file True, add rules to rules file, False. Defaults to True.
overwrite (bool): Replace the rules file. Defaults to True.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
Comment on lines 890 to 896
current_decoders = self.get_file_content(host, decoder_filename)
index_decoder = current_decoders.rfind("</decoder>")
if index_decoder != -1:
new_decoders = current_decoders[:index_decoder] + '</decoder>\n' + new_decoders
self.logger.info(message=f'Adding decoder from {new_decoder_filename} to {decoder_filename}')
self.modify_file_content(host, decoder_filename, new_decoders)
self.logger.info(message=f'Rules succefully updated')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as before

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

src/wazuh_qa_framework/system/wazuh_handler.py Outdated
new_decoders = file.read()

if overwrite:
self.logger.info(message=f'Changing {decoder_filename} to {new_decoder_filename}')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as before

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 30e6c21

@pro-akim
Copy link
Member Author

pro-akim commented Aug 1, 2023
edited
Loading

Update

Fixes done after review.
Linting detects multiple spaces after operators in line 900. No multiple spaces were found.

Tests:

Evidences

Running for rules:

  1. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_total.xml', '/var/ossec/etc/decoders/local_decoder.xml', overwrite=True)

  2. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_simple.xml', '/var/ossec/etc/decoders/local_decoder.xml', overwrite=False)

  3. wh.create_rule('manager1', '/home/akim/Desktop/rule_total.xml', '/var/ossec/etc/rules/local_rules.xml', overwrite=True)

  4. wh.create_rule('manager1', '/home/akim/Desktop/rule_simple.xml', '/var/ossec/etc/rules/local_rules.xml', overwrite=False)

  5. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_total.xml', '/var/ossec/etc/decoders/unexisting_local_decoder.xml', overwrite=True)

  6. wh.create_decoder('manager1', '/home/akim/Desktop/decoder_simple.xml', '/var/ossec/etc/decoders/unexisting_local_decoder.xml', overwrite=False)

  7. wh.create_rule('manager1', '/home/akim/Desktop/rule_total.xml', '/var/ossec/etc/rules/unexisting_local_rules.xml', overwrite=True)

  8. wh.create_rule('manager1', '/home/akim/Desktop/rule_simple.xml', '/var/ossec/etc/rules/unexisting_local_ruleslocal_rules.xml', overwrite=False)

Results:

  1. /var/ossec/etc/decoders/local_decoder.xml changed by /home/akim/Desktop/decoder_total.xml

  2. /home/akim/Desktop/decoder_simple.xml added to /var/ossec/etc/decoders/local_decoder.xml

  3. /var/ossec/etc/rules/local_rules.xml changed by /home/akim/Desktop/rule_total.xml

  4. /home/akim/Desktop/rule_simple.xml added to /var/ossec/etc/rules/local_rules.xml

  5. /var/ossec/etc/decoders/unexisting_local_decoder.xm does not exist to be overwritten

  6. Decoderrs succefully added into a new file named /var/ossec/etc/decoders/unexisting_local_decoder.xm

  7. /var/ossec/etc/rules/unexisting_local_ruleslocal_rules.xml does not exist to be overwritten

  8. Rules succefully added into a new rule file named /var/ossec/etc/rules/unexisting_local_ruleslocal_rules.xml

@pro-akim pro-akim requested a review from Rebits August 1, 2023 15:10
@pro-akim pro-akim merged commit aca23ac into system-refactor Sep 6, 2023
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BelenValdivia BelenValdivia BelenValdivia approved these changes

@roronoasins roronoasins Awaiting requested review from roronoasins

@Rebits Rebits Awaiting requested review from Rebits

Assignees

@pro-akim pro-akim

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Wazuh Handler: Rules and decoders configuration
4 participants
@pro-akim @roronoasins @Rebits @BelenValdivia