diff --git a/src/entry/Maat_api.cpp b/src/entry/Maat_api.cpp index 781c5d7..c71ce00 100644 --- a/src/entry/Maat_api.cpp +++ b/src/entry/Maat_api.cpp @@ -1362,7 +1362,8 @@ int Maat_full_scan_string_detail(Maat_feather_t feather,int table_id ,struct Maat_rule_t*result,int rule_num,struct Maat_hit_detail_t *hit_detail,int detail_num ,int* detail_ret,scan_status_t* mid,int thread_num) { - int region_ret=0,compile_ret=0; + int region_ret=0, compile_ret=0; + int district_id=DISTRICT_ANY; size_t hit_region_cnt=0; unsigned int sub_type=0; int virtual_table_id=0; @@ -1458,7 +1459,11 @@ int Maat_full_scan_string_detail(Maat_feather_t feather,int table_id alignment_int64_array_add(table_rt->hit_cnt, thread_num, 1); } _mid=grab_mid(mid, _feather, thread_num, 1); - scan_region_hit_wraper_build_with_rulescan(®ion_hit_wraper, region_result, hit_region_cnt, _mid->district_id, + if(hit_region_cnt>0&&p_table->table_type==TABLE_TYPE_EXPR_PLUS) + { + district_id=_mid->district_id; + } + scan_region_hit_wraper_build_with_rulescan(®ion_hit_wraper, region_result, hit_region_cnt, district_id, _mid->is_last_scan, virtual_table_id, _mid->scan_cnt); if(region_hit_wraper.n_wrapped_region>0 || scan_status_should_compile_NOT(_mid)) @@ -1516,6 +1521,7 @@ int Maat_scan_intval(Maat_feather_t feather,int table_id ,scan_status_t *mid,int thread_num) { int region_ret=0,compile_ret=0; + int district_id=DISTRICT_ANY; struct _OUTER_scan_status_t* _mid=NULL; scan_data_t intval_scan_data; scan_result_t *region_result=NULL; @@ -1578,7 +1584,12 @@ int Maat_scan_intval(Maat_feather_t feather,int table_id alignment_int64_array_add(table_rt->hit_cnt, thread_num,1); } _mid=grab_mid(mid, _feather, thread_num, 1); - scan_region_hit_wraper_build_with_rulescan(®ion_hit_wraper, region_result, region_ret, _mid->district_id, + if(region_ret>0&&p_table->table_type==TABLE_TYPE_INTERVAL_PLUS) + { + district_id=_mid->district_id; + } + + scan_region_hit_wraper_build_with_rulescan(®ion_hit_wraper, region_result, region_ret, district_id, _mid->is_last_scan, virtual_table_id, _mid->scan_cnt); if(region_hit_wraper.n_wrapped_region>0 || scan_status_should_compile_NOT(_mid)) diff --git a/src/entry/Maat_rule.cpp b/src/entry/Maat_rule.cpp index f85c8dc..34a269d 100644 --- a/src/entry/Maat_rule.cpp +++ b/src/entry/Maat_rule.cpp @@ -57,7 +57,7 @@ extern "C" } #endif -int MAAT_FRAME_VERSION_3_4_10_20211011=1; +int MAAT_FRAME_VERSION_3_4_11_20211012=1; int is_valid_table_name(const char* str) { diff --git a/test/maat_json.json b/test/maat_json.json index bd8fc70..e57df32 100644 --- a/test/maat_json.json +++ b/test/maat_json.json @@ -8,7 +8,7 @@ "regions": [ { "table_name": "AS_NUMBER", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "AS1234", "expr_type": "none", @@ -23,7 +23,7 @@ "regions": [ { "table_name": "AS_NUMBER", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "AS2345", "expr_type": "none", @@ -232,7 +232,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "abckkk&123", "expr_type": "and", @@ -284,7 +284,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "action=search\\&query=(.*)", "expr_type": "regex", @@ -310,7 +310,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "should_not_hit_any_rule", "expr_type": "none", @@ -401,7 +401,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "C#中国", "expr_type": "none", @@ -427,7 +427,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "2010&يىلىدىكى", "expr_type": "and", @@ -453,7 +453,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "سىياسىي", "expr_type": "and", @@ -479,7 +479,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "Take\\bme\\bHome&Batman\\", "expr_type": "and", @@ -505,7 +505,7 @@ "regions": [ { "table_name": "HTTP_HOST", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "www.3300av.com", "expr_type": "none", @@ -531,7 +531,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "novel&27122.txt", "expr_type": "and", @@ -581,7 +581,7 @@ "regions": [ { "table_name": "IMAGE_FP", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "4362-4458:323031333A30333A30372032333A35363A313000323031333A30333A30372032333A35363A3130000000FFE20C584943435F50524F46494C4500010100000C484C696E6F021000006D6E74725247422058595A2007CE00020009000600310000", "expr_type": "offset", @@ -607,7 +607,7 @@ "regions": [ { "table_name": "IMAGE_FP", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "19339-19467:6CB2CB2F2028474C994991CCFC65CCA5E3B6FF001673985D157358610CACC674EE64CC27B5721CCDABD9CCA7C8E9F7BB1F54A930A6034D50F92711F5B2DACCB0715D2E6873CE5CE431DC701A194C260E9DB78CC89F2C84745869AB88349A3AE0412AB59D9ABA84EDEFFF0057FA4DA66D333698B5AD6F844DA2226D1CADAD5E44", "expr_type": "offset", @@ -634,7 +634,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "should&hit&aaa", "expr_type": "and", @@ -661,7 +661,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "should&hit&bbb", "expr_type": "and", @@ -687,7 +687,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "2018-10-05", "expr_type": "none", @@ -714,7 +714,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "i.ytimg.com", "expr_type": "none", @@ -739,7 +739,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": ",IgpwcjA0LnN2bzAzKgkxMjcuMC4wLjE", "expr_type": "none", @@ -765,7 +765,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-contained-string-of-rule-143", "expr_type": "none", @@ -780,7 +780,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-not-contained-string-of-rule-143", "expr_type": "none", @@ -806,7 +806,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-contained-string-of-rule-144", "expr_type": "none", @@ -821,7 +821,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-not-contained-string-of-rule-144", "expr_type": "none", @@ -847,7 +847,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-contained-string-of-rule-145", "expr_type": "none", @@ -876,7 +876,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "Cookie:\\s&head", "expr_type": "regex", @@ -901,7 +901,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "googlevideo.com/videoplayback&mn=sn-35153iuxa-5a56%2Csn-n8v7znz7", "expr_type": "and", @@ -954,7 +954,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "^((?!.*\\binstagram\\b)).*\\.fbcdn\\.net$", "expr_type": "regex", @@ -1340,7 +1340,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "https://blog.csdn.net/littlefang/article/details/8213058", "expr_type": "none", @@ -1467,7 +1467,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": ">ЗАО\\b«Севергазвтоматика\\bАйС»<", "expr_type": "none", @@ -1494,7 +1494,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "cavemancircus.com/", "expr_type": "none", @@ -1536,7 +1536,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "2019/12/27/pretty-girls-6", "expr_type": "none", @@ -1563,7 +1563,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "2019/12/27", "expr_type": "none", @@ -1590,7 +1590,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "2019/12/27", "expr_type": "none", @@ -2012,7 +2012,7 @@ "regions": [ { "table_name": "KEYWORDS_TABLE", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "string1&string2&string3&string4&string5&string6&string7&string8", "expr_type": "and", @@ -2038,7 +2038,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "^(?=.*/rain/a/TWF2021042600418000)(?!new.qq.com).*", "expr_type": "regex", @@ -2121,7 +2121,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-not-contained-string-of-rule-186", "expr_type": "none", @@ -2173,7 +2173,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-not-contained-string-of-rule-187", "expr_type": "none", @@ -2225,7 +2225,7 @@ "regions": [ { "table_name": "HTTP_URL", - "table_type": "string", + "table_type": "expr", "table_content": { "keywords": "must-not-contained-string-of-rule-188", "expr_type": "none", diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp index bac4fe9..3bb6bf6 100644 --- a/test/test_maatframe.cpp +++ b/test/test_maatframe.cpp @@ -265,7 +265,6 @@ void ip_plugin_EX_new_cb(int table_id, const char* key, const char* table_line, void ip_plugin_EX_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp) { struct ip_plugin_ud* u=(struct ip_plugin_ud*)(*ad); - u->ref_cnt--; if ((__sync_sub_and_fetch(&u->ref_cnt, 1) == 0)) { free(u->buffer); @@ -564,7 +563,7 @@ TEST(IntervalScan, IntervalPlus) } #define ExprPlusTest 1 -TEST(StringScan, ExprPlus) +TEST(StringScan, ExprPlus) { int ret=0; int table_id=0; @@ -672,7 +671,7 @@ TEST(StringScan, ShouldNotHitExprPlus) ret=Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_DISTRICT, region_name, strlen(region_name)); EXPECT_EQ(ret, 0); - ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, (char*)udp_payload_not_hit, sizeof(udp_payload_not_hit), + ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, (char*)udp_payload_not_hit, sizeof(udp_payload_not_hit), result, NULL, 4, &mid, 0); EXPECT_EQ(ret, -2); @@ -686,7 +685,8 @@ TEST(StringScan, ExprPlusWithHex) { int table_id=0,ret=0; struct Maat_rule_t result[4]; - const char* scan_data="text/html; charset=UTF-8"; + const char* scan_data1="text/html; charset=UTF-8"; + const char* scan_data2="Batman\\:Take me Home.Superman/:Fine,stay with me."; const char* region_name1="Content-Type"; const char* region_name2="User-Agent"; int found_pos[4]; @@ -695,7 +695,7 @@ TEST(StringScan, ExprPlusWithHex) scan_status_t mid=NULL; ret=Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_DISTRICT, region_name1, strlen(region_name1)); ASSERT_EQ(ret, 0); - ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, scan_data, strlen(scan_data), + ret=Maat_full_scan_string(g_feather, table_id, CHARSET_UTF8, scan_data1, strlen(scan_data1), result, found_pos, 4, &mid, 0); EXPECT_EQ(ret, 1); @@ -703,11 +703,19 @@ TEST(StringScan, ExprPlusWithHex) ret=Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_DISTRICT, region_name2, strlen(region_name2)); ASSERT_EQ(ret, 0); - ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, scan_data, strlen(scan_data), + ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, scan_data1, strlen(scan_data1), result, found_pos, 4, &mid, 0); EXPECT_EQ(ret, -2); + table_id=Maat_table_register(g_feather, "KEYWORDS_TABLE"); + ret=Maat_full_scan_string(g_feather, table_id, CHARSET_UTF8, scan_data2, strlen(scan_data2), + result, found_pos, 4, + &mid, 0); + EXPECT_EQ(ret, 1); + EXPECT_EQ(result[0].config_id, 132); + + Maat_clean_status(&mid); return;