add processing warning tests

fkie-cad · Aug 16, 2024 · 9404ade · 9404ade
1 parent ce7d1e5
commit 9404ade
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 6 deletions.
diff --git a/logprep/abc/processor.py b/logprep/abc/processor.py
@@ -324,6 +324,9 @@ def _handle_warning_error(self, event, rule, error, failure_tags=None):
         else:
             add_and_overwrite(event, "tags", sorted(list({*tags, *failure_tags})))
         if isinstance(error, ProcessingWarning):
+            if error.tags:
+                tags = tags if tags else []
+                add_and_overwrite(event, "tags", sorted(list({*error.tags, *tags, *failure_tags})))
             self.result.warnings.append(error)
         else:
             self.result.warnings.append(ProcessingWarning(str(error), rule, event))

diff --git a/logprep/processor/base/exceptions.py b/logprep/processor/base/exceptions.py
@@ -71,7 +71,8 @@ def __init__(self, message: str, rule: "Rule", event: dict):
 class ProcessingWarning(Warning):
     """A warning occurred - log the warning, but continue processing the event."""
 
-    def __init__(self, message: str, rule: "Rule", event: dict):
+    def __init__(self, message: str, rule: "Rule", event: dict, tags: List[str] = None):
+        self.tags = tags if tags else []
         rule.metrics.number_of_warnings += 1
         message = f"{message}, {rule.id=}, {rule.description=}, {event=}"
         super().__init__(f"{self.__class__.__name__}: {message}")

diff --git a/logprep/processor/pre_detector/processor.py b/logprep/processor/pre_detector/processor.py
@@ -99,12 +99,19 @@ def normalize_timestamp(self, rule: PreDetectorRule, timestamp: str) -> str:
             parsed_datetime = TimeParser.parse_datetime(
                 timestamp, rule.source_format, rule.source_timezone
             )
-        except TimeParserException:
-            self.result.warnings.append(
-                ProcessingWarning(str("Could not parse timestamp"), rule, self.result.event)
+            return (
+                parsed_datetime.astimezone(rule.target_timezone).isoformat().replace("+00:00", "Z")
             )
-
-        return parsed_datetime.astimezone(rule.target_timezone).isoformat().replace("+00:00", "Z")
+        except TimeParserException as error:
+            error_message = "Could not parse timestamp"
+            raise (
+                ProcessingWarning(
+                    error_message,
+                    rule,
+                    self.result.event,
+                    tags=["_pre_detector_timeparsing_failure"],
+                )
+            ) from error
 
     def _apply_rules(self, event: dict, rule: PreDetectorRule):
         if not (

diff --git a/logprep/processor/pre_detector/rule.py b/logprep/processor/pre_detector/rule.py
@@ -138,6 +138,7 @@ class PreDetectorRule(Rule):
         "source_timezone",
         "target_timezone",
         "timestamp_field",
+        "failure_tags",
     }
 
     @define(kw_only=True)
@@ -182,6 +183,9 @@ class Config(Rule.Config):  # pylint: disable=too-many-instance-attributes
             validator=[validators.instance_of(ZoneInfo)], converter=ZoneInfo, default="UTC"
         )
         """ timezone for target_field defaults to :code:`UTC`"""
+        failure_tags: list = field(
+            validator=validators.instance_of(list), default=["pre_detector_failure"]
+        )
 
     def __eq__(self, other: "PreDetectorRule") -> bool:
         return all(

diff --git a/tests/unit/processor/pre_detector/test_pre_detector.py b/tests/unit/processor/pre_detector/test_pre_detector.py
@@ -439,3 +439,29 @@ def test_custom_timestamp_field_can_be_used(self):
         assert (
             detection_results.data[0][0].get("@timestamp") is None
         ), "should not be in detection data"
+
+    def test_appends_processing_warning_if_timestamp_could_not_be_parsed(self):
+        rule = {
+            "filter": "*",
+            "pre_detector": {
+                "id": "ac1f47e4-9f6f-4cd4-8738-795df8bd5d4f",
+                "title": "RULE_ONE",
+                "severity": "critical",
+                "mitre": ["attack.test1", "attack.test2"],
+                "case_condition": "directly",
+            },
+            "description": "Test rule one",
+        }
+        document = {
+            "@timestamp": "this is not a timestamp",
+        }
+        self._load_specific_rule(rule)
+        detection_results = self.object.process(document)
+        assert detection_results.warnings
+        assert len(detection_results.warnings) == 1
+        assert "Could not parse timestamp" in str(detection_results.warnings[0])
+        assert document, "should not be cleared"
+        assert document.get("@timestamp") == "this is not a timestamp", "should not be modified"
+        assert "tags" in document
+        assert "_pre_detector_failure" in document["tags"]
+        assert "_pre_detector_timeparsing_failure" in document["tags"]