From 86fa56443ba61bf728f5a2fc40ce9d9027e9998b Mon Sep 17 00:00:00 2001
From: Paul Santus
Date: Sun, 5 Jan 2025 00:01:46 +0100
Subject: [PATCH] Filter only pre-labelled traffic previsou

---
 ja3RuleGroupUpdater.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ja3RuleGroupUpdater.py b/ja3RuleGroupUpdater.py
index f0299fa..ae7e702 100644
--- a/ja3RuleGroupUpdater.py
+++ b/ja3RuleGroupUpdater.py
@@ -26,7 +26,7 @@ def lambda_handler(event, context):
 rules = rule_group['RuleGroup']['Rules']
 existing_priorities = [rule['Priority'] for rule in rules]
- existing_ja3_fingerprints = [rule['Statement']['ByteMatchStatement']['SearchString'].decode() for rule in rules]
+ existing_ja3_fingerprints = [rule['Statement']['AndStatement']['Statements'][0]['ByteMatchStatement']['SearchString'].decode() for rule in rules]
 added_fingerprints = []
 removed_rules = []
@@ -93,12 +93,12 @@ def lambda_handler(event, context):
 rules.append(new_rule)
 # Keep only the last RULE_GROUP_MAXSIZE rules
- removed_rules = [rule['Statement']['ByteMatchStatement']['SearchString'].decode() for rule in rules[:-int(RULE_GROUP_MAXSIZE)]]
+ removed_rules = [rule['Statement']['AndStatement']['Statements'][0]['ByteMatchStatement']['SearchString'].decode() for rule in rules[:-int(RULE_GROUP_MAXSIZE)]]
 rules = rules[-int(RULE_GROUP_MAXSIZE):]
 if action == 'REMOVE_FROM_BLACKLIST':
 removed_rules = ja3_fingerprints
- rules = [rule for rule in rules if rule['Statement']['ByteMatchStatement']['SearchString'].decode() not in ja3_fingerprints]
+ rules = [rule for rule in rules if rule['Statement']['AndStatement']['Statements'][0]['ByteMatchStatement']['SearchString'].decode() not in ja3_fingerprints]
 # Reindex rules from 1
 for index, rule in enumerate(rules):
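Review bot: The new `existing_ja3_fingerprints` comprehension in the first hunk assumes every rule already in the rule group is wrapped in an `AndStatement` whose element `[0]` is the JA3 `ByteMatchStatement`; any rule still in the old flat shape (entries written by the previous version of this Lambda, or added by hand) raises `KeyError` and aborts the whole update, so a group that was not rebuilt cannot be migrated and the blocklist silently stops being maintained. The `[0]` is also an ordering assumption: if the rule builder outside this hunk ever emits the other statement first (presumably a label match, going by the commit title), the extracted "fingerprint" is the wrong `SearchString` and the dedup and removal paths in the second hunk compare against the wrong value without any error. The same five-key path is repeated three times across both hunks, so a small helper that locates the `ByteMatchStatement` by key and accepts both shapes removes the duplication and the ordering dependency; the proposed helper and the replacement for the first-hunk line are below. `lambda_handler` begins and ends outside both hunks.
```python
def _ja3_fingerprint(rule):
    """Return the decoded JA3 SearchString of one rule-group entry.

    Accepts both the flat ByteMatchStatement shape written by earlier
    versions and the AndStatement wrapper, and does not depend on the
    position of the ByteMatchStatement inside the AndStatement.
    Raises KeyError if the rule carries no ByteMatchStatement at all.
    """
    statement = rule['Statement']
    candidates = statement['AndStatement']['Statements'] if 'AndStatement' in statement else [statement]
    for sub in candidates:
        if 'ByteMatchStatement' in sub:
            return sub['ByteMatchStatement']['SearchString'].decode()
    raise KeyError('ByteMatchStatement')

# … unchanged: rule group fetch and existing_priorities …
    existing_ja3_fingerprints = [_ja3_fingerprint(rule) for rule in rules]
```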