Update to 6.0.4; link signature hit to results

Dockerfile

@@ -2,7 +2,7 @@ ARG branch=latest
 FROM cccs/assemblyline-v4-service-base:$branch AS base
 
 ENV SERVICE_PATH suricata_.suricata_.Suricata
-ENV SURICATA_VERSION 6.0.3
+ENV SURICATA_VERSION 6.0.4
 
 USER root
 

suricata_/suricata_.py

@@ -276,7 +276,8 @@ def execute(self, request):
                 if signature_id not in signatures:
                     signatures[signature_id] = {
                         "signature": signature,
-                        "malware_family": record['alert'].get('metadata', {}).get('malware_family', [])
+                        "malware_family": record['alert'].get('metadata', {}).get('malware_family', []),
+                        "al_signature": record['alert']['metadata']['al_signature'][0]
                     }
 
                 alerts[signature_id].append(f"{timestamp} {src_ip}:{src_port} -> {dest_ip}:{dest_port}")
@@ -384,7 +385,7 @@ def execute(self, request):
 
         if tls_dict:
             tls_section = ResultSection("TLS Information", parent=root_section,
-                                        body_format=BODY_FORMAT.KEY_VALUE)
+                                        body_format=BODY_FORMAT.JSON)
             kv_body = {}
             for tls_type, tls_values in tls_dict.items():
                 if tls_type == "fingerprint":
@@ -418,7 +419,7 @@ def execute(self, request):
                     kv_body[tls_type] = tls_values
                     # stick a message in the logs about a new TLS type found in suricata logs
                     self.log.info(f"Found new TLS type {tls_type} with values {tls_values}")
-            tls_section.set_body(kv_body)
+            tls_section.set_body(json.dumps(kv_body))
 
         # Create the result sections if there are any hits
         if len(alerts) > 0:
@@ -432,6 +433,7 @@ def execute(self, request):
                     heur_id = 2
 
                 section.set_heuristic(heur_id)
+                section.add_tag("file.rule.suricata", signature_details['al_signature'])
                 for flow in alerts[signature_id][:10]:
                     section.add_line(flow)
                 if len(alerts[signature_id]) > 10:

suricata_/suricata_importer.py

@@ -1,7 +1,7 @@
+from copy import deepcopy
 import logging
 import os
 
-from sys import getsizeof
 from typing import List
 
 from suricata.update.rule import Rule, parse_file
@@ -33,16 +33,21 @@ def _save_signatures(self, signatures: List[Rule], source, cur_file, default_cla
         upload_list = []
         add_update_many = self.update_client.signature.add_update_many
         for signature in signatures:
-            name = signature.sid
+            name = signature.msg or signature.sid
             status = "DEPLOYED" if signature.enabled else "DISABLED"
 
+            # Update metadata to include reference to signature in Assemblyline
+            orig_meta, new_meta = signature.metadata, deepcopy(signature.metadata)
+            new_meta.append(f"al_signature {source}.{name}")
+            signature.raw = signature.raw.replace(", ".join(orig_meta), ", ".join(new_meta))
+
             sig = Signature(dict(
                 classification=default_classification or self.classification.UNRESTRICTED,
                 data=signature.raw,
-                name=signature.msg or name,
+                name=name,
                 order=order,
                 revision=int(float(signature.rev)),
-                signature_id=name,
+                signature_id=signature.sid,
                 source=source,
                 status=status,
                 type="suricata",