MAINHACK

Viewing / Editing File: ignored_rules.py

File is not writable. Editing disabled.

import logging
import re

from defence360agent.contracts.messages import MessageType, Reject
from defence360agent.contracts.plugins import MessageSink, expect
from im360.model.incident import DisabledRule

logger = logging.getLogger(__name__)


class FilterIgnoredRules(MessageSink):

    PROCESSING_ORDER = MessageSink.ProcessingOrder.IGNORE_MESSAGE

    async def create_sink(self, loop):
        self._loop = loop

    @expect(MessageType.SensorAlert, MessageType.SensorIncident)
    async def filter(self, msg):
        # filtering third-party rules known to be high FP
        try:
            if isinstance(msg, MessageType.SensorAlert):
                self._reject_non_i360_modsec_rules(msg)
            self._filter_user_configured(msg)
        except KeyError as e:
            logger.warning("Not enough fields in %s: %s", msg, e)

    def _reject_non_i360_modsec_rules(self, msg):
        if msg['plugin_id'] == 'modsec' and not is_i360_rule(msg['rule']):
            raise Reject('Non Imunify360 modsec rule is ignored')

    def _filter_user_configured(self, msg):
        if DisabledRule.is_rule_ignored(
                msg['plugin_id'], msg['rule'], msg.get('host', None)):
            raise Reject('Rule ignored by user settings')


def is_i360_rule(rule_id):
    """Whether the *rule_id* belongs to Imunify360 modsec ruleset."""
    return re.fullmatch(r"333\d{2}|(?:77|88)\d{6}", rule_id)

Cancel / Back

[ MAINHACK ]

Viewing / Editing File: ignored_rules.py

Server Info

System Features

User Info