[crowdstrike] Snort parser fails on single-line rules missing trailing newline

[throuxel]

Proposed changes

• Handle snort rule without trailing new lines
• Add tests

Related issues

• Closes: [crowdstrike] Snort parser fails on single-line rules missing trailing newline #6427

Checklist

• I consider the submitted work as finished
• I have signed my commits using GPG key.
• I tested the code for its functionality using different use cases
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

I didn't manage to reproduce the issue from crowdstrike data.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

❗ There is a different number of reports uploaded between BASE (7de424f) and HEAD (b3b048c). Click for more details.

HEAD has 103 uploads less than BASE

Flag	BASE (7de424f)	HEAD (b3b048c)
connectors	105	2

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #6553       +/-   ##
===========================================
- Coverage   27.71%    2.13%   -25.58%     
===========================================
  Files        1874     1782       -92     
  Lines      116670   114061     -2609     
===========================================
- Hits        32333     2434    -29899     
- Misses      84337   111627    +27290     

Files with missing lines	Coverage Δ
...c/crowdstrike_feeds_services/utils/snort_parser.py	87.15% <100.00%> (+42.20%)	⬆️

... and 938 files with indirect coverage changes

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Fixes a bug in the CrowdStrike Snort parser where rules lacking a trailing newline (single-rule files or last rule in a file) were silently dropped, causing the entire parse to return empty. The fix extends the end-of-rule detection in _split_snort_rules to also accept lines ending in ;) without a newline, and adds focused unit tests covering both _split_snort_rules and the full SnortParser.parse flow.

Changes:

• Broaden end-of-rule check in _split_snort_rules to accept ;) with or without a trailing newline.
• Add tests for single/multiple rules with and without trailing newlines, including full parse(...) assertions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
external-import/crowdstrike/src/crowdstrike_feeds_services/utils/snort_parser.py	Adds an additional end-of-rule condition so rules without a trailing newline are flushed.
external-import/crowdstrike/tests/test_snort_parser_trailing_newline.py	New tests validating Snort parsing with/without trailing newlines.

[jabesq]

suggestion: Maybe it could be simplified to just:

Suggested change

	line.endswith(cls._RULE_ENDS) or line.rstrip("\n").endswith(";)")
	line.rstrip("\n").endswith(";)")