mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/rule/rule.go

178 lines
4.6 KiB
Go
Raw Permalink Normal View History

misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
package rule
import (
"fmt"
"time"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/conman"
"github.com/evilsocket/opensnitch/daemon/log"
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
)
set default rules directory if empty Use /etc/opensnitchd/rules as the default directory if it has not been provided via configuration.
2024-05-29 23:43:46 +02:00
// DefaultPath directory
const (
DefaultPath = "/etc/opensnitchd/rules"
)
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Action of a rule
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
type Action string
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Actions of rules
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
const (
added action reject When blocking a connection via libnetfilter-queue using NF_DROP the connection is discarded. If the blocked connection is a DNS query, the app that initiated it will wait until it times out, which is ~30s. This behaviour can for example cause slowdowns loading web pages: #481 This change adds the option to reject connections by killing the socket that initiated them. Denying: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Connection timed out real 2m10,039s Rejecting: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Software caused connection abort real 0m0,005s
2021-09-12 10:54:24 +02:00
Allow = Action("allow")
Deny = Action("deny")
Reject = Action("reject")
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
)
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Duration of a rule
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
type Duration string
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// daemon possible durations
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
const (
Once = Duration("once")
Restart = Duration("until restart")
Always = Duration("always")
)
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
// Rule represents an action on a connection.
// The fields match the ones saved as json to disk.
// If a .json rule file is modified on disk, it's reloaded automatically.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
type Rule struct {
fixed loading rules when Created field is a timestamp When exporting rules from the GUI, the Created field was exported as timestamp. Importing rules worked fine, because json.Marshall() accepts the timestamp format. However, when the daemon was loading a rule with the Created field as timestamp, since the field was defined as time.Time, it expected a RFC3339 string (https://pkg.go.dev/time#Time.UnmarshalJSON) so it failed to parse the timestamp and the rule was not loaded. Now the field is defined as string, it's always saved as RFC3339, and if we fail to parse these fields we'll use a temporary date instead of failing loading the rule. More info: https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847 Closes #1140
2024-06-10 23:54:54 +02:00
// Save date fields as string, to avoid issues marshalling Time (#1140).
Created string `json:"created"`
Updated string `json:"updated"`
Name string `json:"name"`
Description string `json:"description"`
Action Action `json:"action"`
Duration Duration `json:"duration"`
Operator Operator `json:"operator"`
Enabled bool `json:"enabled"`
Precedence bool `json:"precedence"`
Nolog bool `json:"nolog"`
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
// Create creates a new rule object with the specified parameters.
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
func Create(name, description string, enabled, precedence, nolog bool, action Action, duration Duration, op *Operator) *Rule {
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return &Rule{
fixed loading rules when Created field is a timestamp When exporting rules from the GUI, the Created field was exported as timestamp. Importing rules worked fine, because json.Marshall() accepts the timestamp format. However, when the daemon was loading a rule with the Created field as timestamp, since the field was defined as time.Time, it expected a RFC3339 string (https://pkg.go.dev/time#Time.UnmarshalJSON) so it failed to parse the timestamp and the rule was not loaded. Now the field is defined as string, it's always saved as RFC3339, and if we fail to parse these fields we'll use a temporary date instead of failing loading the rule. More info: https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847 Closes #1140
2024-06-10 23:54:54 +02:00
Created: time.Now().Format(time.RFC3339),
ui, rules: added description field - Added ability to add a description to the rules. - Display the description field on the Rules view, and remove the internal fields (operator, operator_data, etc). - Added DB migrations. - Improved rules' executable path field tooltip (#661). Closes #652 #466
2022-05-12 13:38:23 +02:00
Enabled: enabled,
Precedence: precedence,
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
Nolog: nolog,
ui, rules: added description field - Added ability to add a description to the rules. - Display the description field on the Rules view, and remove the internal fields (operator, operator_data, etc). - Added DB migrations. - Improved rules' executable path field tooltip (#661). Closes #652 #466
2022-05-12 13:38:23 +02:00
Name: name,
Description: description,
Action: action,
Duration: duration,
Operator: *op,
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
}
func (r *Rule) String() string {
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
enabled := "Disabled"
if r.Enabled {
enabled = "Enabled"
}
return fmt.Sprintf("[%s] %s: if(%s){ %s %s }", enabled, r.Name, r.Operator.String(), r.Action, r.Duration)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Match performs on a connection the checks a Rule has, to determine if it
// must be allowed or denied.
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
func (r *Rule) Match(con *conman.Connection, hasChecksums bool) bool {
return r.Operator.Match(con, hasChecksums)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Deserialize translates back the rule received to a Rule object
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
func Deserialize(reply *protocol.Rule) (*Rule, error) {
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
if reply.Operator == nil {
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
log.Warning("Deserialize rule, Operator nil")
return nil, fmt.Errorf("invalid operator")
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
}
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
operator, err := NewOperator(
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
Type(reply.Operator.Type),
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
Sensitive(reply.Operator.Sensitive),
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
Operand(reply.Operator.Operand),
Add a 'list' rule type
2018-11-20 21:21:36 +01:00
reply.Operator.Data,
make([]Operator, 0),
)
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
if err != nil {
added unit tests for process parsing and rules
2020-12-19 19:31:09 +01:00
log.Warning("Deserialize rule, NewOperator() error: %s", err)
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
return nil, err
Do not panic if we can't parse a Regex type rule If for some reason a Regex type rule can not be parsed, opensnitchd panics and exit. We drop regex.MustCompile() in favor of regex.Compile(), and in case of failure we just drop the packet. In either case, the daemon should not panic but it should not received an invalid rule either, specially from the UI. Closes #4
2020-02-14 23:15:14 +01:00
}
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
newRule := Create(
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
reply.Name,
ui, rules: added description field - Added ability to add a description to the rules. - Display the description field on the Rules view, and remove the internal fields (operator, operator_data, etc). - Added DB migrations. - Improved rules' executable path field tooltip (#661). Closes #652 #466
2022-05-12 13:38:23 +02:00
reply.Description,
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
reply.Enabled,
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
reply.Precedence,
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
reply.Nolog,
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
Action(reply.Action),
Duration(reply.Duration),
operator,
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
)
if Type(reply.Operator.Type) == List {
deserialize rules operator list correctly In b93051026e6a82ba07a5ac2f072880e69f04c238 we disabled sending/parsing list operators as JSON strings. Instead, now it's sent/parsed as protobuf Rule, and saved to disk as JSON array, which ease the task of manually creating new rules if needed. This change was missing in the previous commit.
2023-11-11 02:16:08 +01:00
newRule.Operator.Data = ""
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
reply.Operator.Data = ""
for i := 0; i < len(reply.Operator.List); i++ {
newRule.Operator.List = append(
newRule.Operator.List,
Operator{
Type: Type(reply.Operator.List[i].Type),
Sensitive: Sensitive(reply.Operator.List[i].Sensitive),
Operand: Operand(reply.Operator.List[i].Operand),
Data: string(reply.Operator.List[i].Data),
},
)
}
}
return newRule, nil
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
}
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
// Serialize translates a Rule to the protocol object
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
func (r *Rule) Serialize() *protocol.Rule {
increase default timeout to ask for a rule Explained here: https://github.com/gustavo-iniguez-goya/opensnitch/issues/28#issuecomment-637484501
2020-06-04 00:38:11 +02:00
if r == nil {
return nil
}
fixed leak serializing rules' operator mainly when connecting by the first time to the GUI, and at the same time asking to allow/deny a connection.
2023-12-09 19:06:40 +01:00
r.Operator.Lock()
defer r.Operator.Unlock()
fixed loading rules when Created field is a timestamp When exporting rules from the GUI, the Created field was exported as timestamp. Importing rules worked fine, because json.Marshall() accepts the timestamp format. However, when the daemon was loading a rule with the Created field as timestamp, since the field was defined as time.Time, it expected a RFC3339 string (https://pkg.go.dev/time#Time.UnmarshalJSON) so it failed to parse the timestamp and the rule was not loaded. Now the field is defined as string, it's always saved as RFC3339, and if we fail to parse these fields we'll use a temporary date instead of failing loading the rule. More info: https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847 Closes #1140
2024-06-10 23:54:54 +02:00
created, err := time.Parse(time.RFC3339, r.Created)
if err != nil {
log.Warning("Error parsing rule Created date (it should be in RFC3339 format): %s (%s)", err, string(r.Name))
log.Warning("using current time instead: %s", created)
created = time.Now()
}
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
protoRule := &protocol.Rule{
fixed loading rules when Created field is a timestamp When exporting rules from the GUI, the Created field was exported as timestamp. Importing rules worked fine, because json.Marshall() accepts the timestamp format. However, when the daemon was loading a rule with the Created field as timestamp, since the field was defined as time.Time, it expected a RFC3339 string (https://pkg.go.dev/time#Time.UnmarshalJSON) so it failed to parse the timestamp and the rule was not loaded. Now the field is defined as string, it's always saved as RFC3339, and if we fail to parse these fields we'll use a temporary date instead of failing loading the rule. More info: https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847 Closes #1140
2024-06-10 23:54:54 +02:00
Created: created.Unix(),
ui, rules: added description field - Added ability to add a description to the rules. - Display the description field on the Rules view, and remove the internal fields (operator, operator_data, etc). - Added DB migrations. - Improved rules' executable path field tooltip (#661). Closes #652 #466
2022-05-12 13:38:23 +02:00
Name: string(r.Name),
Description: string(r.Description),
Enabled: bool(r.Enabled),
Precedence: bool(r.Precedence),
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
Nolog: bool(r.Nolog),
ui, rules: added description field - Added ability to add a description to the rules. - Display the description field on the Rules view, and remove the internal fields (operator, operator_data, etc). - Added DB migrations. - Improved rules' executable path field tooltip (#661). Closes #652 #466
2022-05-12 13:38:23 +02:00
Action: string(r.Action),
Duration: string(r.Duration),
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
Operator: &protocol.Operator{
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
Type: string(r.Operator.Type),
Sensitive: bool(r.Operator.Sensitive),
Operand: string(r.Operator.Operand),
Data: string(r.Operator.Data),
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
},
}
rules: improved operator list parsing and conversion Previously when creating a new rule we followed these steps: - Create a new protobuf Rule object from the ruleseditor or the pop-ups. - If the rule contained more than one operator, we converted the list of operators to a JSON string. - This JSON string was sent back to the daemon, and saved to the DB. - The list of operators were never expanded on the GUI, i.e., they were not saved as a list of protobuf Operator objects. - Once received in the daemon, the JSON string was parsed and converted to a protobuf Operator list of objects. Both, the JSON string and the list of protobuf Operator objects were saved to disk, but the JSON string was ignored when loading the rules. Saving the list of operators as a JSON string was a problem if you wanted to create or modify rules without the GUI. Now when creating or modifying rules from the GUI, the list of operators is no longer converted to JSON string. Instead the list is sent to the daemon as a list of protobuf Operators, and saved as JSON objects. Notes: - The JSON string is no longer saved to disk as part of the rules. - The list of operators is still saved as JSON string to the DB. - About not enabled rules: Previously, not enabled rules only had the list of operators as JSON string, with the field list:[] empty. Now the list of operators is saved as JSON objects, but if the rule is not enabled, it won't be parsed/loaded. Closes #1047
2023-10-09 14:55:15 +02:00
if r.Operator.Type == List {
r.Operator.Data = ""
for i := 0; i < len(r.Operator.List); i++ {
protoRule.Operator.List = append(protoRule.Operator.List,
&protocol.Operator{
Type: string(r.Operator.List[i].Type),
Sensitive: bool(r.Operator.List[i].Sensitive),
Operand: string(r.Operator.List[i].Operand),
Data: string(r.Operator.List[i].Data),
})
}
}
return protoRule
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
}
Reference in a new issue Copy permalink