Dev autoruletester refactoring (#594)

* Refactored: custom tests, presentation overview and dry vios * Small fix in init * Optimized refactoring to delete rule count bug and neglect on wrong rule filter * fixed bug: wrong handling if not the end test for group of tests for certain multirule index fails * tests are now successfull and partially adapted to new logic * Review ppcad done (Part 1) * Processed ppcads review * Added additional example tests for new target_rule_idx enforcing * Changed doc strings where still default * Solved last naming issues stated in review * Rewritten lass color prints, fixed error message to simple print when no target_rule_idx and deleted unused imports * Fixed diff print for each rule * Fixed index out of bounds when printing out problems * Fixed the last fix causing out of bounds and added colored diff * Add missing requirement * Refactor auto rule tester * refactored to linter score 9.81/10 * fixed black * fixed black * fixed black * fixed black * fixed black * fixed black * Improve code quality in auto rule tester --------- Co-authored-by: Piotr Pauksztelo <[email protected]>
fkie-cad · Oct 23, 2024 · 431ab54 · 431ab54
1 parent 53d702f
commit 431ab54
Show file tree

Hide file tree

Showing 12 changed files with 652 additions and 405 deletions.
diff --git a/examples/exampledata/rules/labeler/generic/example_rule.yml b/examples/exampledata/rules/labeler/generic/example_rule.yml
@@ -1,7 +1,6 @@
-filter: "test_label: execute"
+filter: 'winlog.event_data.param2: "stop"'
 labeler:
-  id: labeler-1352bc0a-53ae-4740-bb9e-1e865f63375f
   label:
     action:
-      - execute
+      - terminate
 description: "..."
diff --git a/examples/exampledata/rules/pre_detector/generic/example_rule.yml b/examples/exampledata/rules/pre_detector/generic/example_rule.yml
@@ -1,10 +1,9 @@
-filter: "test_pre_detector"
+filter: 'tags: "1" AND inp.message: "1"'
 pre_detector:
-  id: RULE_ONE_ID
+  id: RULE_ONE_ID_1
   title: RULE_ONE
   severity: critical
   mitre:
     - attack.test1
-    - attack.test2
   case_condition: directly
-description: "..."
+
diff --git a/logprep/abc/processor.py b/logprep/abc/processor.py
@@ -120,7 +120,6 @@ class Config(Component.Config):
 
     __slots__ = [
         "rule_class",
-        "has_custom_tests",
         "_event",
         "_specific_tree",
         "_generic_tree",
@@ -130,7 +129,6 @@ class Config(Component.Config):
     ]
 
     rule_class: "Rule"
-    has_custom_tests: bool
     _event: dict
     _specific_tree: RuleTree
     _generic_tree: RuleTree
@@ -155,7 +153,6 @@ def __init__(self, name: str, configuration: "Processor.Config"):
             generic_rules_targets=self._config.generic_rules,
             specific_rules_targets=self._config.specific_rules,
         )
-        self.has_custom_tests = False
         self.result = None
         self._bypass_rule_tree = False
         if os.environ.get("LOGPREP_BYPASS_RULE_TREE"):

diff --git a/logprep/processor/clusterer/processor.py b/logprep/processor/clusterer/processor.py
@@ -75,7 +75,6 @@ class Config(Processor.Config):
     def __init__(self, name: str, configuration: Processor.Config):
         super().__init__(name=name, configuration=configuration)
         self.sps = SignaturePhaseStreaming()
-        self.has_custom_tests = True
 
         self._last_rule_id = math.inf
         self._last_non_extracted_signature = None