#124 fix searchquery value on import during normalization step
VincentD06 committed Jun 28, 2024
1 parent cf0443e commit f837390
Showing 3 changed files with 31 additions and 36 deletions.
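--- a/src/web/wizard/logic/RulesImportExport.js
+++ b/src/web/wizard/logic/RulesImportExport.js
@@ -49,8 +49,22 @@ function normalizeConditionParameters(condition_parameters, rule_name) {
 return result;
 }
 
+function normalizeSearchQueryParameters(alertRule, condition_parameters) {
+let result = { ...condition_parameters };
+if (!result.search_query) {
+result.search_query = '*';
+}
+
+if (['THEN', 'AND', 'OR'].includes(alertRule.condition_type) && !result.additional_search_query) {
+result.additional_search_query = '*';
+}
+
+return result;
+}
+
 function normalizeImportedRule(rule) {
 let condition_parameters = normalizeConditionParameters(rule.condition_parameters, rule.title);
+condition_parameters = normalizeSearchQueryParameters(rule, condition_parameters);
 let severity = rule.notification_parameters.severity;
 return { ...rule, severity, condition_parameters };
 }
@@ -59,33 +73,15 @@ export default {
 normalizeImportedRules(exportData) {
 if (exportData.version === undefined) {
 return exportData.map(normalizeImportedRule);
+} else {
+return exportData.rules.map(normalizeImportedRule);
 }
-return exportData.rules;
 },
 
 createExportDataFromRules(rules) {
 return {
-version: '1.0.0',
+version: '1.0.1',
 rules: rules
 }
 },
-
-fixMissingParameters(alertRule) {
-if (['COUNT', 'GROUP_DISTINCT', 'STATISTICAL'].includes(alertRule.condition_type)) {
-if (!alertRule.condition_parameters.search_query) {
-alertRule.condition_parameters.search_query = '*';
-}
-}
-
-if (['THEN', 'AND', 'OR'].includes(alertRule.condition_type)) {
-if (!alertRule.condition_parameters.search_query) {
-alertRule.condition_parameters.search_query = '*';
-}
-
-if (!alertRule.condition_parameters.additional_search_query) {
-alertRule.condition_parameters.additional_search_query = '*';
-}
-}
-return alertRule
-}
 }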
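Review bot: The new `else` branch in normalizeImportedRules calls `exportData.rules.map(normalizeImportedRule)` without checking that `rules` is an array, so a user-supplied import file that carries a `version` field but a missing or malformed `rules` entry fails with a TypeError from inside map instead of a message the import page can show; a guard such as `if (!Array.isArray(exportData.rules)) { throw new Error('Invalid export data: rules must be an array'); }` before the map would cover it, and the legacy branch makes the same assumption about `exportData` itself. The `version` value is bumped to `'1.0.1'` but never compared on import, so every versioned file takes the same path; if the format is expected to evolve, that is worth a comment or an explicit check. `normalizeSearchQueryParameters` has no header comment; suggest a JSDoc stating that it returns a copy of `condition_parameters` with `search_query` defaulted to `'*'` and, for THEN/AND/OR rules, `additional_search_query` defaulted the same way, leaving the input untouched. Minor style: `result` in that function is never reassigned and can be `const`.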
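--- a/src/web/wizard/logic/RulesImportExport.test.js
+++ b/src/web/wizard/logic/RulesImportExport.test.js
@@ -380,7 +380,7 @@ describe('RulesImport.normalizeImportedRules', () => {
 });
 
 it('should fix search_query for STATISTICAL rules', () => {
-const rule = {
+const rule = [{
 'notification_parameters': {
 'severity': 'INFO',
 'log_body': 'type: alert\nid: ${logging_alert.id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${event_definition_title}\nbody: ${event_definition_description}\n${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}\nsrc_category: ${backlog[0].fields.src_category}\ndest: ${backlog[0].fields.dest_ip}\ndest_category: ${backlog[0].fields.dest_category}\n${end}',
@@ -406,14 +406,14 @@ describe('RulesImport.normalizeImportedRules', () => {
 'description': null,
 'condition_type': 'STATISTICAL',
 'second_stream': {'matching_type': '', 'field_rule': [], 'id': ''}
-};
-const result = RulesImportExport.fixMissingParameters(rule);
-expect(result.condition_parameters.search_query).toBe('*');
-expect(result.condition_parameters.additional_search_query).toBe(undefined);
+}];
+const result = RulesImportExport.normalizeImportedRules(rule);
+expect(result[0].condition_parameters.search_query).toBe('*');
+expect(result[0].condition_parameters.additional_search_query).toBe(undefined);
 });
 
 it('should fix search_query and additional_search_query for AND rules', () => {
-const rule = {
+const rule = [{
 'notification_parameters': {
 'severity': 'INFO',
 'log_body': 'type: alert\nid: ${logging_alert.id}\nseverity: ${logging_alert.severity}\napp: graylog\nsubject: ${event_definition_title}\nbody: ${event_definition_description}\n${if backlog && backlog[0]} src: ${backlog[0].fields.src_ip}\nsrc_category: ${backlog[0].fields.src_category}\ndest: ${backlog[0].fields.dest_ip}\ndest_category: ${backlog[0].fields.dest_category}\n${end}',
@@ -443,9 +443,9 @@ describe('RulesImport.normalizeImportedRules', () => {
 'field_rule': [{'field': 'a', 'type': 1, 'value': 'a', 'id': '62e7ae768a47ae63221aad49'}],
 'id': '62e7ae768a47ae63221aad47'
 }
-};
-const result = RulesImportExport.fixMissingParameters(rule);
-expect(result.condition_parameters.search_query).toBe('*');
-expect(result.condition_parameters.additional_search_query).toBe('*');
+}];
+const result = RulesImportExport.normalizeImportedRules(rule);
+expect(result[0].condition_parameters.search_query).toBe('*');
+expect(result[0].condition_parameters.additional_search_query).toBe('*');
 });
 });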
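Review bot: Both rewritten tests pass a bare array to normalizeImportedRules, so they exercise only the legacy path where `version` is undefined; the `else` branch that now runs `exportData.rules` through normalizeImportedRule, which is the behaviour this commit changes, has no assertion in these hunks unless a test earlier in the file (outside what is shown) covers it. A third case that passes `{ version: '1.0.1', rules: [rule] }` and checks `result[0].condition_parameters.search_query` would pin that path. As a naming point, the local is still called `rule` although it now holds a one-element array; `const rules = [{` with `normalizeImportedRules(rules)` would read more naturally in both tests.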
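--- a/src/web/wizard/pages/ImportAlertPage.jsx
+++ b/src/web/wizard/pages/ImportAlertPage.jsx
@@ -79,18 +79,17 @@ const ImportAlertPage = createReactClass({
 // TODO should try to add a non-regression test for this quite involved import code
 // import a rule which has notification with a split fields and check the split fields are present in the system
 // => set up selenium tests ? :(
-const fixedRule = RulesImportExport.fixMissingParameters(rule)
-await AlertRuleActions.create(fixedRule);
+await AlertRuleActions.create(rule);
 // TODO should not need to perform this get: create should return the information of the alert
-const alert = await AlertRuleActions.get(fixedRule.title);
+const alert = await AlertRuleActions.get(rule.title);
 const notification = {
 'config': {
-...fixedRule.notification_parameters,
+...rule.notification_parameters,
 'type': 'logging-alert-notification'
 },
 'description': '',
 'id': alert.notification,
-'title': fixedRule.title
+'title': rule.title
 }
 EventNotificationsActions.update(alert.notification, notification);
 }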
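Review bot: `AlertRuleActions.create(rule)` now receives the rule without the former `fixMissingParameters` pass, so the `search_query` defaults only apply if every rule reaching this loop has already gone through `RulesImportExport.normalizeImportedRules`; the enclosing function starts outside the hunk, so that cannot be confirmed from here. A short comment above the create call would make the dependency explicit, e.g. `// rule has already been normalized by RulesImportExport.normalizeImportedRules (search_query defaults applied)`. Adjacent to the change, the `EventNotificationsActions.update(...)` call on the last line is still not awaited, so a failed notification update neither stops the import nor surfaces an error to the user; `await` it (or handle its rejection) so the import result reflects it.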