authorEddie Arrage <eddie.arrage@huawei.com>2018-04-24 00:22:07 +0000
committerEddie Arrage <eddie.arrage@huawei.com>2018-04-24 00:27:37 +0000
commitb6eb062e73bea5a85fbd7c43e3661208796dc360 (patch)
tree04c0f3970e1ef81c0d8e8cffa32832d41c990d71 /samples/services/snort_ids/docker/grpc/snort_server.py
parent6774a5be4f59b325af1d51af3b88d06edd9f76c0 (diff)
Fix snort rule with blank content & WR packet in alert
- Fix bug with addition of content field in rule definition that causes rules with a blank content field to inhibit snort from starting successfully. - Write more of the packet data for snort alert into Redis - Above includes X-Real-IP, X-Forwarded-For header fields for http traffic from proxy that shows source IP Some packet data is missing in alerts from snort. Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9 Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
Diffstat (limited to 'samples/services/snort_ids/docker/grpc/snort_server.py')
-rw-r--r--samples/services/snort_ids/docker/grpc/snort_server.py14
1 files changed, 10 insertions, 4 deletions
diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py
index 9ece832..223461a 100644
--- a/samples/services/snort_ids/docker/grpc/snort_server.py
+++ b/samples/services/snort_ids/docker/grpc/snort_server.py
@@ -33,10 +33,16 @@ class Controller(snort_pb2_grpc.ControllerServicer):
# file_local = 'testfile'
file_local = '/etc/snort/rules/local.rules'
f = open(file_local, 'a')
- rule = 'alert {} {} {} -> {} {} '.format(
- r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
- + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
- r.msg, r.content, r.sid, r.rev)
+ if r.content:
+ rule = 'alert {} {} {} -> {} {} '.format(
+ r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+ + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
+ r.msg, r.content, r.sid, r.rev)
+ else:
+ rule = 'alert {} {} {} -> {} {} '.format(
+ r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+ + '(msg:"{}"; sid:{}; rev:{};)\n'.format(
+ r.msg, r.sid, r.rev)
f.write(rule)
f.close
msg = "Added to local rules"
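Review bot: The new branches still interpolate the request fields `r.msg` and `r.content` straight into the rule text, so a value containing `"` or `;` alters the rule's option structure instead of being written as a literal and can again leave local.rules unparseable by snort — the same failure mode this commit fixes for an empty content field. The fields should be validated before the write (for example reject `r.msg` when `'"' in r.msg or ';' in r.msg`, and require `r.content` to already be a quoted snort content string), since the file is consumed by the IDS daemon on restart. The two branches also duplicate the header formatting; building the option list once removes the duplication and keeps the written rule byte-identical, as in the fence below. The enclosing method begins before the hunk; separately, the unchanged `f.close` on the following context line lacks parentheses and so never calls close(), leaving the flush to interpreter finalization — `with open(file_local, 'a') as f:` around the write would be safer.
```python
        opts = ['msg:"{}"'.format(r.msg)]
        if r.content:
            opts.append('content:{}'.format(r.content))
        opts += ['sid:{}'.format(r.sid), 'rev:{}'.format(r.rev)]
        rule = 'alert {} {} {} -> {} {} ({};)\n'.format(
            r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port,
            '; '.join(opts))
        # … unchanged: f.write(rule) and the reply message …
```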