suricata: PT Research ruleset plugin And rulecache.py metadata parsing

[kulikov-a]

Hi!
PT Research rulsets plugin rules downloading but not installing:
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/rule-updater.py
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/installRules.py
Traceback (most recent call last):
File "/usr/local/opnsense/scripts/suricata/installRules.py", line 56, in
for rule_info_record in RuleCache.list_rules(filename=filename):
File "/usr/local/opnsense/scripts/suricata/lib/rulecache.py", line 110, in list_rules
record['metadata'][parts[0]] = parts[1]
IndexError: list index out of range

PT research rules metadata differs from other rulesets.
eg PT rule contain metadata:
;metadata: Open Ptsecurity.com ruleset;
(no comma, spaces)
other rulesets:
; metadata:created_at 2010_07_30, updated_at 2020_04_23;
(always contain comma, spaces between metadata parts).

so installing PT ruleset throws error in metadata parsing:
if prop == 'metadata':
for mdtag in list(csv.reader([value], delimiter=","))[0]:
parts = mdtag.split(maxsplit=1)
record['metadata'][parts[0]] = parts[1]
IndexError: list index out of range

[kulikov-a]

pardon me. looked only the first few lines. there are even more formatting errors. will add a pull request with try-except in meta parsing

[kulikov-a]

opnsense/core#4301

[kulikov-a]

bad formatted "metadata" strings examples:
"metadata: id_140409,created_at 2017_6_2, url, https://blog.fortinet.com/2016/07/27/bayrob-an-ancient-evil-awakens-ii"
(metadata "url" comma separated from value; metadata without value)

[kulikov-a]

move issue to core (opnsense/core#4302)