ok
Direktori : /opt/imunify360/venv/lib/python3.11/site-packages/im360/plugins/resident/ |
Current File : //opt/imunify360/venv/lib/python3.11/site-packages/im360/plugins/resident/ignored_rules.py |
import logging import re from defence360agent.contracts.messages import MessageType, Reject from defence360agent.contracts.plugins import MessageSink, expect from im360.model.incident import DisabledRule logger = logging.getLogger(__name__) class FilterIgnoredRules(MessageSink): PROCESSING_ORDER = MessageSink.ProcessingOrder.IGNORE_MESSAGE async def create_sink(self, loop): self._loop = loop @expect(MessageType.SensorAlert, MessageType.SensorIncident) async def filter(self, msg): # filtering third-party rules known to be high FP try: if isinstance(msg, MessageType.SensorAlert): self._reject_non_i360_modsec_rules(msg) self._filter_user_configured(msg) except KeyError as e: logger.warning("Not enough fields in %s: %s", msg, e) def _reject_non_i360_modsec_rules(self, msg): if msg["plugin_id"] == "modsec" and not is_i360_rule(msg["rule"]): raise Reject("Non Imunify360 modsec rule is ignored") def _filter_user_configured(self, msg): if DisabledRule.is_rule_ignored( msg["plugin_id"], msg["rule"], msg.get("host", None) ): raise Reject("Rule ignored by user settings") def is_i360_rule(rule_id): """Whether the *rule_id* belongs to Imunify360 modsec ruleset.""" return re.fullmatch(r"333\d{2}|(?:77|88)\d{6}", rule_id)