Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

salt/common/tools/sbin/so-elastalert-test

@@ -19,8 +19,7 @@
 #
 # Purpose:  This script will allow you to test your elastalert rule without entering the Docker container.
 
-. /usr/sbin/so-elastic-common
+HOST_RULE_DIR=/opt/so/rules/elastalert
-
 OPTIONS=""
 SKIP=0
 RESULTS_TO_LOG="n"
@@ -29,111 +28,109 @@ FILE_SAVE_LOCATION=""
 
 usage()
 {
-cat <<EOF
+	cat <<EOF
 
 Test Elastalert Rule
   Options:
-  -h         		This message
+  -h                This message
-  -a         		Trigger real alerts instead of the debug alert
+  -a                Trigger real alerts instead of the debug alert
-  -l <path_to_file>     Write results to specified log file
+  -l <path_to_file> Write results to specified log file
-  -o '<options>'	Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
+  -o '<options>'    Specify Elastalert options ( Ex. --schema-only , --count-only, --days N ) 
-  -r <rule_name>        Specify path/name of rule to test
+  -r <rule_name>    Specify filename of rule to test (must exist in $HOST_RULE_DIR; do not include path)
 
 EOF
 }
 
 while getopts "hal:o:r:" OPTION
 do
-        case $OPTION in
+	case $OPTION in
-                h)
+	h)
-                        usage
+		usage
-                        exit 0
+		exit 0
-                        ;;
+		;;
-                a)
+	a)
-                        OPTIONS="--alert"
+		OPTIONS="--alert"
-                        ;;
+		;;
-                l)
+	l)
-                        RESULTS_TO_LOG="y"
+		RESULTS_TO_LOG="y"
-                        FILE_SAVE_LOCATION=$OPTARG
+		FILE_SAVE_LOCATION=$OPTARG
-                        ;;
+		;;		
-                
+	o)
-                o)
+		OPTIONS=$OPTARG
-			OPTIONS=$OPTARG
+		;;  	
-                        ;;  
+	r)
-                
+		RULE_NAME=$OPTARG
-                r)
+		SKIP=1
-                        RULE_NAME=$OPTARG
+		;;
-                        SKIP=1
+	*)
-                        ;;
+		usage
-                *)
+		exit 0
-                        usage
+		;;
-                        exit 0
+	esac
-                        ;;
-        esac
 done
 
 docker_exec(){
-	if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+	CMD="docker exec -it so-elastalert elastalert-test-rule /opt/elastalert/rules/$RULE_NAME --config /opt/config/elastalert_config.yaml $OPTIONS"
-        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
+	if [ "${RESULTS_TO_LOG,,}" = "y" ] ; then
+		$CMD > "$FILE_SAVE_LOCATION"
 	else
-        	docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
+		$CMD
 	fi	
 }
 
 rule_prompt(){
-	CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
+	CURRENT_RULES=$(cd "$HOST_RULE_DIR" && find . -type f \( -name "*.yaml" -o -name "*.yml" \) | sed -e 's/^\.\///')
-        echo
+	if [ -z "$CURRENT_RULES" ]; then
-        echo "This script will allow you to test an Elastalert rule."
+		echo "There are no rules available to test. Rule files must be placed in the $HOST_RULE_DIR directory."
-        echo
+		exit 1
-        echo "Below is a list of active Elastalert rules:"
+	fi
-        echo
+	echo
+	echo "This script will allow you to test an Elastalert rule."
+	echo
+	echo "Below is a list of available Elastalert rules:"
+	echo
 	echo "-----------------------------------"
-        echo
+	echo
-        echo "$CURRENT_RULES"
+	echo "$CURRENT_RULES"
-        echo
+	echo
 	echo "-----------------------------------"
-	echo 
+	echo
-        echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
+	while [ -z "$RULE_NAME" ]; do
-        echo
+		read -p "Please enter the rule filename you want to test (filename only, no path): " -e RULE_NAME
-        echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
-        echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
-        echo
-        while [ -z $RULE_NAME ]; do
-		echo "Please enter the file path and rule name you want to test."
-		read -e RULE_NAME
 	done
 }
 
 log_save_prompt(){
 	RESULTS_TO_LOG=""
-        while [ -z $RESULTS_TO_LOG ]; do
+	read -p "The results can be rather long.  Would you like to write the results to a file? (y/N) " -e RESULTS_TO_LOG
-		echo "The results can be rather long.  Would you like to write the results to a file? (Y/N)"
-		read RESULTS_TO_LOG
-	done
 }
 
 log_path_prompt(){
-        while [ -z $FILE_SAVE_LOCATION ]; do
+		while [ -z "$FILE_SAVE_LOCATION" ]; do
-		echo "Please enter the file path and file name."
+			read -p "Please enter the log file path and file name: " -e FILE_SAVE_LOCATION
-		read -e FILE_SAVE_LOCATION
+		done
-        done
 		echo "Depending on the rule this may take a while."
 }
 
 if [ $SKIP -eq 0 ]; then
 	rule_prompt
 	log_save_prompt
-        if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
+	if [ "${RESULTS_TO_LOG,,}" = "y" ] ; then
-        	log_path_prompt
+		log_path_prompt
-        fi
+	fi
 fi
 
-docker_exec
+echo 
 
-if [ $? -eq 0 ]; then
+docker_exec
+RESULT=$?
+
+echo
+
+if [ $RESULT -eq 0 ]; then
 	echo "Test completed successfully!"
 else
-	echo "Something went wrong..."
+	echo "Test failed."
 fi
 
 echo