
I have a file with false positive rules that I want to push to LimaCharlie using Python.

The documentation says the following (https://github.com/refractionPOINT/python-limacharlie):

```python
def push( self, fromConfigFile, isForce = False, isDryRun = False, isIgnoreInaccessible = False, isRules = False, isFPs = False, isOutputs = False, isIntegrity = False, isArtifact = False, isExfil = False, isResources = False, isNetPolicy = False, isOrgConfigs = False ):
    '''Apply the configuration in a local config file to the effective configuration in the cloud.

    Args:
        fromConfigFile (str/dict): the path to the config file or dict of a config file content.
        isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
        isDryRun (boolean): if True will only simulate the effect of a push.
        isIgnoreInaccessible (boolean): if True, ignore inaccessible resources (locked) even when isForce is True.
        isRules (boolean): if True, push D&R rules.
        isFPs (boolean): if True, push False Positive rules.
        isOutputs (boolean): if True, push Outputs.
        isIntegrity (boolean): if True, push Integrity rules.
        isArtifact (boolean): if True, push Artifact rules.
        isExfil (boolean): if True, push Exfil rules.
        isResources (boolean): if True, push Resource subscriptions.
        isNetPolicy (boolean): if True, push Net Policies.
        isOrgConfigs (boolean): if True, push Org Configs.

    Returns:
        a generator of changes as tuple (changeType, dataType, dataName).
    '''
```

When I try to use it, I don't know whether the rule is pushed to LimaCharlie or not. I try to print the result (return) variable, but I only get a "generator object Configs.push". Does anyone have any input on how I can debug this?

false_positive_rules.yml

```yaml
rules:
  This_Is_Fine.exe:
    detect:
      event: NEW_PROCESS
      rules:
      - op: ends with
        path: detect/event/FILE_PATH
        value: this_is_fine.exe
    version: 3
version: 3
```

Python code:

```python
import os

import limacharlie
import yaml

# Read FP rule
with open("datasets/false_positive_rules.yml", 'r') as stream:
    try:
        data_dict = yaml.safe_load(stream)
    except yaml.YAMLError as exc:
        print(exc)
print(f"\n{data_dict}")

# Create an instance of the SDK.
man = limacharlie.Manager(oid=os.environ["LC_OID"], secret_api_key=os.environ["LC_API_KEY"])

# Push rule
result = limacharlie.Configs.push(self, fromConfigFile=data_dict, isDryRun=True, isFPs=True, isOutputs=True)

# Print result
print(result)
print(type(result))
```

This gives the following output to terminal:

```
{'rules': {'This_Is_Fine.exe': {'detect': {'event': 'NEW_PROCESS', 'rules': [{'op': 'ends with', 'path': 'detect/event/FILE_PATH', 'value': 'this_is_fine.exe'}]}, 'version': 3}}, 'version': 3}
<generator object Configs.push at 0x000001918392F370>
<class 'generator'>
```
Europa
  • Does this answer your question? [Understanding generators in Python](https://stackoverflow.com/questions/1756096/understanding-generators-in-python) – SitiSchu Sep 14 '22 at 10:09
  • Have you tried `print(list(result))`? It is a generator, so you should probably unpack it first. – Christian Sep 14 '22 at 10:09
  • Christian: If I try to use `print(list(result))` I get: `> if not self._isDontUseInfraService:` `E AttributeError: 'TestDeployFalsePositive' object has no attribute '_isDontUseInfraService'` `..\venv\lib\site-packages\limacharlie\Configs.py:314: AttributeError` – Europa Sep 14 '22 at 10:12
  • Where is this code that you are showing up there located? You have a very strange way of calling push. What in this case is the reference to self? Because if it was a Configs instance, I would expect you to call it like `self.push(...)`. The problem that stack trace is showing is that `self` has no `_isDontUseInfraService` attribute, which is why I think `self` is not a Configs. – Christian Sep 14 '22 at 11:16
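
An added example, not part of the original question or comments and not LimaCharlie's code: a constructed stand-in class reproduces both observations offline, namely that `push` returns a suspended generator that has done nothing yet, and that a wrong `self` only fails once the generator is iterated. `StubConfigs`, `NotConfigs`, `SAMPLE_CONFIG` and the change tuple values are assumptions made for illustration.

```python
SAMPLE_CONFIG = {  # constructed, same shape as false_positive_rules.yml
    "rules": {"This_Is_Fine.exe": {"detect": {"event": "NEW_PROCESS"}}},
    "version": 3,
}

class StubConfigs:
    """Hypothetical stand-in for limacharlie.Configs; no network, not SDK code."""

    def __init__(self):
        self._isDontUseInfraService = False  # attribute named in the traceback
        self.applied = []                    # names a non-dry-run push "sent"

    def push(self, fromConfigFile, isDryRun=False, isFPs=False):
        # Generator function: none of this body runs until the caller iterates.
        if not self._isDontUseInfraService and isFPs:
            for name in fromConfigFile.get("rules", {}):
                if not isDryRun:
                    self.applied.append(name)
                # (changeType, dataType, dataName); the values are constructed.
                yield ("+", "fp", name)

class NotConfigs:
    """Plays the test class that was passed as `self` in the question."""

def unbound_call(config):
    # Same call shape as the question: class attribute plus a foreign `self`.
    gen = StubConfigs.push(NotConfigs(), fromConfigFile=config, isDryRun=True, isFPs=True)
    try:                      # creating gen raised nothing; iterating does
        list(gen)
    except AttributeError as exc:
        return str(exc)
    return None

def bound_call(config, dry_run):
    conf = StubConfigs()
    gen = conf.push(config, isDryRun=dry_run, isFPs=True)
    before = list(conf.applied)  # empty: the push body has not started yet
    changes = list(gen)          # iterating is what performs the push
    return before, changes, conf.applied

if __name__ == "__main__":
    print(unbound_call(SAMPLE_CONFIG))
    print(bound_call(SAMPLE_CONFIG, dry_run=True))
    print(bound_call(SAMPLE_CONFIG, dry_run=False))
```

Against the real SDK the same pattern applies: call `push` on a `Configs` instance and iterate the returned generator to both perform the push and see each change tuple.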
