Sieve Filter expert

[digihash]

This is for the Sievebot which was written in collaboration with @antoinet and @helderfernandes1279.

The sieve bot is used to filter and/or modify events based on a set of rules. The rules are specified in an external configuration file and with a syntax similar to the Sieve language used for mail filtering.

Each rule defines a set of matching conditions on received events. Events can be matched based on keys and values in the event. If the processed event matches a rule's conditions, the corresponding actions are performed. Actions can specify whether the event should be kept or dropped in the pipeline (filtering actions) or if keys and values should be changed (modification actions).

For more information, see README.md under "intelmq/bots/experts/sieve/README.md"

[antoinet]

I fixed the codestyle checks in https://github.com/antoinet/intelmq/commit/17c0d4d1d70903ff08f00a33ab6cb1a3276dc220
@digihash: can you add this commit to the PR?

[ghost]

Issues pointed out by the tests:

• don't use tabs in BOTS
• fix the codestyle:
  • intelmq/bots/experts/sieve/expert.py:222:1: E305 expected 2 blank lines after class or function definition, found 1
  • intelmq/bots/experts/sieve/validator.py:46:1: E305 expected 2 blank lines after class or function definition, found 1
  • intelmq/bots/experts/sieve/validator.py:54:36: W292 no newline at end of file
• do not "rely" on the textx package during the module loading, have a look at e.g. the asn lookup: https://github.com/certtools/intelmq/blob/master/intelmq/bots/experts/asn_lookup/expert.py#L6 and https://github.com/certtools/intelmq/blob/master/intelmq/bots/experts/asn_lookup/expert.py#L15
• add a test.skip_exotic() decorator, so the textx won't be required for a test run if not explicitly requested like here: https://github.com/certtools/intelmq/blob/master/intelmq/tests/bots/experts/asn_lookup/test_expert.py#L42
• ipaddress is already in cpython >= 3.3, we do not support anything lower, so remove this requirement

Will look at the code once these issues are resolvend.

[ghost]

@antoinet Thanks. If you push to antoinet:develop, the commits are part of this PR

[ghost]

failing tests for cymru can be ignored

Looks good overall.

I guess there is some room for optimization as some rules are evaulated every time.

See also https://github.com/antoinet/intelmq/pull/15 fixing some of the issues.

I am not very happy about just another configuration language in intelmq but I don't have better solution currently.

[ghost]

We support python3 only, this is obsolete. Also, you may find isort useful.

[ghost]

Please be more verbose, say that the sieve language is used. E.g. 'This bot filters and modifies events based on a sieve-based language.'

[ghost]

imported but unused. You can shorten it by doing:

try:
    from textx.metamodel import metamodel_from_file
    from textx.exceptions import TextXError, TextXSemanticError
except ImportError:
    metamodel_from_file = None

and then

if metamodel_from_file is None:
    raise ...

[ghost]

Instead of these three lines simply do raise ValueError('...'), everything else is handled by the Bot-class.

[ghost]

Why?

[aaronkaplan]

because they might have used graphviz :) Anyway, yes. Not needed here.

[ghost]

unnecessary

[ghost]

Did this happen in your tests? It should never, actually

[antoinet]

Since the event type is not enforced (any key can be specified as the left hand side of the << operator), the value is validated here. We did discuss whether or not to restrict this operator to keys with a type corresponding to an IP address (https://github.com/antoinet/intelmq/issues/11), and I just realized I didn't implement it the suggested way.

[ghost]

The bot is called sieve everywhere else.

[ghost]

missing newlines everywhere

[ghost]

Is it possible without eval? At least a strict checking of the arguments should be done.

[aaronkaplan]

+1

[aaronkaplan]

I had quite a few comments after more careful review. but overall this is a fantastic addition!

Most welcome enhancement would be to be able to specify the output pipeline with this sieve filter.

Then you could do a type of switch-case statement where the data should be flowing to.

[aaronkaplan]

because they might have used graphviz :) Anyway, yes. Not needed here.

[aaronkaplan]

Would it be possible to specify a specific outgoing pipeline as an action?

Example:

  if $condition
  then
    send-to "pipeline-A";
  fi

[ghost]

This is not supported by the core.

[antoinet]

In our instance, we are already (ab)using a newly introduced key called keep (boolean), which can be set anywhere in the pipeline. Downstream, events with keep==False are dropped.

This can be generalized by introducing a new key, e.g. route, with values that describe a specific destination. But this requires to put filter bots upstream of every destination such that only the corresponding events are kept.

If a routing model was provided in the core, we would certainly have use-cases for it.

[ghost]

I wonder why no issue existed for this which and created #1088 for it

[aaronkaplan]

grammar: file system path of the sieve file

[aaronkaplan]

according to the docs below, IP addresses must be quoted.

[aaronkaplan]

wish list: if we have contains, out of reasons of symmetry , may we have :notcontains ?

[aaronkaplan]

So implicitly here you are saying that the default behaviour without keep is to contineue with the matching ?

[antoinet]

Yes, the keep and drop actions explicitly interrupt the processing of the rules.

Without a mention of keep or drop, processing of subsequent rules continues. Afaik this is the same behavior as mail sieve.

[aaronkaplan]

wish-list: // or # as a comment character.

[aaronkaplan]

this should be called implicitly when the intelmqctl configtest gets called.

[ghost]

It is intelmqctl check

[aaronkaplan]

+1

[aaronkaplan]

this does not seem to be documented in the docu. I mean that the << operator also works on lists.

[antoinet]

Actually, every operator works on lists. I will point that out.

[aaronkaplan]

I move that we merge this soon!

[codecov-io]

Codecov Report

Merging #1083 into develop will increase coverage by 2.38%.
The diff coverage is 90.13%.

@@             Coverage Diff             @@
##           develop    #1083      +/-   ##
===========================================
+ Coverage    73.93%   76.31%   +2.38%     
===========================================
  Files          217      220       +3     
  Lines         9417    10338     +921     
  Branches      1283     1363      +80     
===========================================
+ Hits          6962     7889     +927     
+ Misses        2176     2142      -34     
- Partials       279      307      +28

Impacted Files	Coverage Δ
...elmq/tests/bots/experts/cymru_whois/test_expert.py	100% <ø> (+40%)	⬆️
intelmq/bots/experts/sieve/validator.py	0% <0%> (ø)
intelmq/bin/intelmqctl.py	11.05% <0%> (-0.07%)	⬇️
intelmq/tests/bots/experts/sieve/test_expert.py	100% <100%> (ø)
intelmq/bots/experts/asn_lookup/expert.py	62.5% <25%> (ø)	⬆️
intelmq/bots/outputs/file/output.py	74.07% <28.57%> (ø)	⬆️
intelmq/lib/bot.py	62.69% <75%> (ø)	⬆️
intelmq/bots/experts/sieve/expert.py	84.82% <84.82%> (ø)
intelmq/bots/experts/abusix/expert.py	39.28% <0%> (-46.43%)	⬇️
intelmq/tests/bots/experts/abusix/test_expert.py	56.66% <0%> (-43.34%)	⬇️
... and 21 more

[antoinet]

@wagner-certat and @aaronkaplan: I think I addressed all review points so far up to the :in operator, used to check if an ip address matches a list of values, e.g.:
source.ip :in ['127.0.0.1', '192.168.1.1', '10.0.0.1']
As mentioned above, most of the operators support a list in the right-hand-side by default, e.g.:
source.ip != ['127.0.0.1', '192.168.1.1', ...]
So it is a design question:

• we can introduce the :in operator (and by symmetry :notin) and drop list-support for all other operators (makes it simpler)
• :in is just an alias for == (and :notin an alias for !=), and we keep list-support for all other operators.
  What do you all think?

[ghost]

Concerning the :in and == and lists...

If we one day support multiple source IP addresses or similar (with the IDEA format or whatever) everything blows up anyway... So I am in favour of just using the currently implemented behaviour with ==.

@aaronkaplan What do you think?
And @dmth maybe you have the leisure to comment too? :D

[SYNchroACK]

Concerning the :in and == and lists...

If we one day support multiple source IP addresses or similar (with the IDEA format or whatever) everything blows up anyway... So I am in favour of just using the currently implemented behaviour with ==.

I understand, its well pointed @wagner-certat . However, I think we are far way from that day and also, the day we change to multi source IP addresses we need to change multiple experts bots. IMHO, we should keep with our principle of using one key = value, therefore, the presented code is fine.
Makes sense?