matching: multi match support

doc/update.rst

@@ -259,6 +259,15 @@ with the provided metadata::
           convert rules to drop. It is not available for rule
           modification.
 
+Multi Matching
+--------------
+
+The above matching methods can also be combined. It's logical AND, so all combined matcher need to match a given rule::
+
+  multi:filename:*/emerging-scan.rule;re:nmap;
+  multi:group:emerging-web_specific_apps;re:wordpress;re:cve[-,]201[6-9];
+  multi:re:cve[-_]202[23];metadata: deployment perimeter;
+
 Modifying Rules
 ---------------
 

suricata/update/configs/disable.conf

@@ -16,4 +16,8 @@
 
 # Disable all rules with a metadata of "deployment perimeter". Note that metadata
 # matches are case insensitive.
-# metadata: deployment perimeter
+# metadata: deployment perimeter
+
+# Example of multi matching
+# Disable all rules with significant performance impact (metadata match) from emerging-policy (group match)
+multi:metadata: performance_impact Significant;group:emerging-policy;

suricata/update/configs/drop.conf

@@ -9,3 +9,7 @@
 #
 # re:heartbleed
 # re:MS(0[7-9]|10)-\d+
+
+# Example of multi matching
+# Set phishing related (metadata match) rules from emerging-current_events (group match) to drop
+multi:metadata: tag Phishing;group:emerging-current_events;

suricata/update/configs/enable.conf

@@ -16,4 +16,8 @@
 
 # Enable all rules with a metadata of "deployment perimeter". Note that metadata
 # matches are case insensitive.
-# metadata: deployment perimeter
+# metadata: deployment perimeter
+
+# Example of multi matching
+# Enable all rules with a recent cve reference (regular expression match) and a perimeter deployment (metadata match)
+multi:re:cve[-_]202[23];metadata: deployment perimeter;

suricata/update/matchers.py

@@ -211,6 +211,35 @@ def parse(cls, buf):
                 return cls(key, val)
         return None
 
+class MultiRuleMatcher(object):
+    """Matcher that build a container around other matchers. All childmatchers have to match for a true match.
+    Config syntax is "multi:<chlild1>;<child2>;<clildN>"."""
+
+    def __init__(self, childmatchers):
+        self.childmatchers = childmatchers
+
+    def match(self, rule):
+        for matcher in self.childmatchers:
+            if not matcher.match(rule):
+                return False
+        return True
+
+    @classmethod
+    def parse(cls, buf):
+        if buf.startswith("multi:"):
+            try:
+                logger.debug("Parsing multi matcher: %s", buf)
+                childmatcherstrs = filter(None, buf.split(":", 1)[1].strip().split(";"))
+                childmatchers = []
+                for childstr in childmatcherstrs:
+                    matcher = parse_rule_match(childstr.strip())
+                    if matcher:
+                        childmatchers.append(matcher)
+                return cls(childmatchers)
+            except Exception as e:
+                raise e
+        return None
+
 
 class ModifyRuleFilter(object):
     """Filter to modify an idstools rule object.
@@ -328,4 +357,8 @@ def parse_rule_match(match):
     if matcher:
         return matcher
 
+    matcher = MultiRuleMatcher.parse(match)
+    if matcher:
+        return matcher
+
     return None