gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'feature-test-stream-scan-many-files' into 'master'

Browse Source 
调整外部头文件应用。

See merge request MESA_framework/maat!7
This commit is contained in:
郑超
2018-10-11 17:05:32 +08:00
parent 8fa4503aa0 0e13a1460d
commit 72836d74c7
33 changed files with 580 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -3,7 +3,7 @@ project (maatframe)
set(CMAKE_CXX_FLAGS ${CMAKE_CXX_FLAGS} -Wall)
set(MAAT_DEPEND_DYN_LIB MESA_handle_logger MESA_htable pcre rulescan pthread m pcre MESA_field_stat2 crypto)
include_directories(${PROJECT_SOURCE_DIR}/inc/)
include_directories(/opt/MESA/include/MESA/)
include_directories(/opt/MESA/include/)
enable_testing()

2
inc/Maat_rule.h
View File

@@ -16,7 +16,7 @@
#ifndef __cplusplus
#error("This file should be compiled with C++ compiler")
#endif
#include "stream.h"
#include <MESA/stream.h>
enum MAAT_CHARSET
{
CHARSET_NONE=0,

2
src/inc_internal/Maat_rule_internal.h
View File

@@ -7,9 +7,9 @@
#include <MESA/MESA_htable.h>
#include <MESA/MESA_list_queue.h>
#include <MESA/field_stat2.h>
#include <MESA/rulescan.h>
#include "dynamic_array.h"
#include "UniversalBoolMatch.h"
#include "rulescan.h"
#include "hiredis.h"
#include "stream_fuzzy_hash.h"

4
test/CMakeLists.txt
View File

@@ -5,10 +5,12 @@ add_executable(test_maatframe test_maatframe.cpp)
target_link_libraries(test_maatframe maat_frame_shared gtest)
configure_file(table_info.conf table_info.conf COPYONLY)
configure_file(t2_tableinfo.conf t2_tableinfo.conf COPYONLY)
configure_file(maat_json.json maat_json.json COPYONLY)
configure_file(reset_redis4maat.sh reset_redis4maat.sh COPYONLY)
file(COPY conf DESTINATION ./)
file(COPY rule DESTINATION ./)
file(COPY testdata DESTINATION ./)
file(COPY testdata_uni2ascii DESTINATION ./)
file(COPY test_streamfiles DESTINATION ./)
file(COPY test_streamfiles DESTINATION ./)
file(COPY ntcrule DESTINATION ./)

22
test/ntcrule/full/2018-10-09/APP_COMPILE.0000050997 Normal file
View File

@@ -0,0 +1,22 @@
0000000021
193214 35 16 1 1 0 PROTO_ID=12 1 3 0
193198 35 16 1 1 0 PROTO_ID=8 1 3 0
193240 35 16 1 1 0 PROTO_ID=16 1 3 0
193069 1152 1 1 1 0 DOMAIN_ID=46002 1 1 0
193172 35 16 1 2 0 PROTO_ID=16 1 3 0
193212 35 16 1 1 0 PROTO_ID=24 1 3 0
193169 35 16 1 2 0 PROTO_ID=8 1 3 0
193235 35 16 1 1 0 PROTO_ID=5 1 3 0
193059 1028 1 1 1 0 APP_ID=90001 1 1 0
170505 36 16 1 1 0 PROTO_ID=13;BEHAV_ID=2 1 1 0
193218 1025 1 1 1 0 APP_ID=90001 1 1 0
170507 36 16 1 1 0 PROTO_ID=19;BEHAV_ID=2 1 1 0
170500 36 16 1 1 0 PROTO_ID=61;BEHAV_ID=1 1 1 0
14 1028 1 1 1 0 APP_ID=103301 1 1 0
193228 35 16 1 1 0 PROTO_ID=18 1 3 0
170503 36 16 1 1 0 PROTO_ID=15;BEHAV_ID=2 1 1 0
170502 36 16 1 1 0 PROTO_ID=15;BEHAV_ID=1 1 1 0
170504 36 16 1 1 0 PROTO_ID=13;BEHAV_ID=1 1 1 0
170506 36 16 1 1 0 PROTO_ID=19;BEHAV_ID=1 1 1 0
233 1028 1 1 1 0 APP_ID=102501 1 1 0
170501 36 16 1 1 0 PROTO_ID=61;BEHAV_ID=2 1 1 0

38
test/ntcrule/full/2018-10-09/APP_GROUP.0000050997 Normal file
View File

@@ -0,0 +1,38 @@
0000000037
922 193172 1
199 233 1
986 193240 1
570 170503 1
571 170502 1
799 193069 1
573 170504 1
783 193059 1
958 193212 1
984 193240 1
976 193235 1
971 193228 1
964 193218 1
978 193235 1
961 193214 1
950 193198 1
959 193212 1
575 170506 1
970 193228 1
568 170500 1
574 170507 1
963 193214 1
985 193240 1
949 193198 1
972 193228 1
962 193214 1
914 193169 1
913 193169 1
960 193212 1
915 193169 1
567 170501 1
921 193172 1
977 193235 1
13 14 1
951 193198 1
572 170505 1
920 193172 1

2
test/ntcrule/full/2018-10-09/APP_PAYLOAD.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
979 964 L2_header c4b8b44a1fce246e96c98a800800 0 0 1 1

17
test/ntcrule/full/2018-10-09/APP_POLICY.0000050997 Normal file
View File

@@ -0,0 +1,17 @@
0000000016
590 574 PROTO_ID=19&BEHAV_ID=2 1 0 0 1
584 568 PROTO_ID=61&BEHAV_ID=1 1 0 0 1
966 949 PROTO_ID=8 0 0 0 1
937 920 PROTO_ID=16 0 0 0 1
586 570 PROTO_ID=15&BEHAV_ID=2 1 0 0 1
591 575 PROTO_ID=19&BEHAV_ID=1 1 0 0 1
999 984 PROTO_ID=16 0 0 0 1
587 571 PROTO_ID=15&BEHAV_ID=1 1 0 0 1
991 976 PROTO_ID=5 0 0 0 1
589 573 PROTO_ID=13&BEHAV_ID=1 1 0 0 1
930 913 PROTO_ID=8 0 0 0 1
985 970 PROTO_ID=18 0 0 0 1
973 958 PROTO_ID=24 0 0 0 1
976 961 PROTO_ID=12 0 0 0 1
583 567 PROTO_ID=61&BEHAV_ID=2 1 0 0 1
588 572 PROTO_ID=13&BEHAV_ID=2 1 0 0 1

2
test/ntcrule/full/2018-10-09/DDOS_PROTECT_TARGET_IP_CB.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
270 0 4 0.0.0.0 255.255.255.255 0 65535 127.127.127.127 255.255.255.255 127 65535 6 0 1 32 5

2
test/ntcrule/full/2018-10-09/MM_AV_URL.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
10 10 www.sohu.com 0 0 0 1

2
test/ntcrule/full/2018-10-09/MM_COMPILE.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
5 272 16 1 2 0 0 1 1 0

2
test/ntcrule/full/2018-10-09/MM_GROUP.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
10 5 1

2
test/ntcrule/full/2018-10-09/NTC_ASN_IP.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
958 941 4 0.0.0.0 255.255.255.255 0 65535 0.0.0.1 255.255.255.255 0 65535 0 0 1

11
test/ntcrule/full/2018-10-09/NTC_BGP_AS.0000050997 Normal file
View File

@@ -0,0 +1,11 @@
0000000010
621 605 100 0 3 0 1
741 725 100 0 3 0 1
744 728 100 0 3 0 1
630 614 100 0 3 0 1
627 611 100 0 3 0 1
20 20 90 0 3 0 1
614 598 100 0 3 0 1
631 615 100 0 3 0 1
624 608 100 0 3 0 1
422 409 110 0 3 0 1

79
test/ntcrule/full/2018-10-09/NTC_COMPILE.0000050997 Normal file
View File

@@ -0,0 +1,79 @@
0000000078
193131 130 1 1 2 0 0 1 1 0
192977 132 1 1 2 0 0 1 1 0
193147 133 1 1 2 0 0 1 1 0
193138 129 1 1 1 0 0 1 1 0
193234 129 1 1 1 0 0 1 1 0
193119 129 1 1 1 0 0 1 1 0
193000 132 1 1 2 0 0 1 1 0
193155 17 16 1 2 0 0 1 1 0
193252 129 1 1 1 0 0 1 1 0
193128 130 1 1 2 0 0 1 1 0
192973 129 1 1 1 0 0 1 1 0
193091 132 1 1 1 0 0 1 1 0
170486 20 16 1 2 0 0 1 1 0
193132 18 16 1 2 0 DNS_STRATEGY=0 1 1 0
193140 129 1 1 2 0 0 1 1 0
192968 31 16 1 2 0 0 1 1 0
192978 132 1 1 1 0 0 1 1 0
193236 129 1 1 1 0 0 1 2 0
193289 129 1 1 1 0 0 1 2 0
193107 129 1 1 1 0 0 1 1 0
121 18 16 1 1 0 DNS_STRATEGY=0 1 1 0
192959 143 1 1 1 0 0 1 1 0
193126 130 1 1 2 0 0 1 1 0
193110 129 1 1 1 0 0 1 1 0
193294 20 16 1 1 0 0 1 1 0
170435 130 1 1 2 0 0 1 1 0
193076 132 1 1 1 0 0 1 1 0
193077 132 1 1 1 0 0 1 1 0
193121 129 1 1 1 0 0 1 1 0
192999 132 1 1 2 0 0 1 1 0
193139 129 1 1 2 0 0 1 1 0
193237 132 1 1 1 0 0 1 2 0
193258 129 1 1 1 0 0 1 2 0
116 130 1 1 1 0 0 1 1 0
32 143 1 1 2 0 0 1 1 0
120 18 16 1 1 0 DNS_STRATEGY=0 1 1 0
193133 129 1 1 1 0 0 1 1 0
193088 132 1 1 1 0 0 1 1 0
193149 21 16 1 2 0 0 1 1 0
193098 129 1 1 2 0 0 1 1 0
193102 18 16 1 2 0 DNS_STRATEGY=0 1 2 0
12 18 16 1 2 0 DNS_STRATEGY=101 1 1 0
193099 129 1 1 1 0 0 1 1 0
193145 129 1 1 1 0 0 1 1 0
193134 133 1 1 1 0 0 1 1 0
193039 31 16 1 1 0 0 1 3 0
193112 21 16 1 2 0 0 1 2 0
170436 18 16 1 2 0 DNS_STRATEGY=0 1 1 0
11 18 16 1 2 0 DNS_STRATEGY=0 1 1 0
192965 143 1 1 1 0 0 1 3 0
441 143 1 1 2 0 0 1 1 0
193101 132 1 1 1 0 0 1 1 0
193040 31 16 1 1 0 0 1 3 0
193108 129 1 1 1 0 0 1 2 0
193150 133 1 1 1 0 0 1 1 0
192976 132 1 1 2 0 0 1 2 0
193171 17 16 1 2 0 0 1 1 0
192960 143 1 1 1 0 0 1 3 0
193116 20 16 1 2 0 0 1 2 0
192966 143 1 1 1 0 0 1 3 0
193103 18 16 1 2 0 DNS_STRATEGY=0 1 2 0
193106 19 16 1 2 0 0 1 2 0
193154 129 1 1 2 0 0 1 1 0
170487 20 16 1 2 0 0 1 1 0
193113 129 1 1 1 0 0 1 1 0
193148 133 1 1 2 0 0 1 1 0
193105 129 1 1 1 0 0 1 1 0
193144 129 1 1 1 0 0 1 1 0
193127 18 16 1 2 0 DNS_STRATEGY=0 1 1 0
193114 21 16 1 2 0 0 1 2 0
193115 20 16 1 2 0 0 1 2 0
193129 130 1 1 2 0 0 1 1 0
118 130 1 1 1 0 0 1 1 0
193120 129 1 1 2 0 0 1 1 0
193002 132 1 1 2 0 0 1 1 0
170485 20 16 1 2 0 0 1 1 0
193130 18 16 1 2 0 DNS_STRATEGY=0 1 1 0
192967 143 1 1 1 0 0 1 3 0

4
test/ntcrule/full/2018-10-09/NTC_DNS_FAKE_IP_CB.0000050997 Normal file
View File

@@ -0,0 +1,4 @@
0000000003
9 0 4 0.0.0.0 255.255.255.255 0 65535 11.11.11.11 255.255.255.255 0 65535 0 0 1 64
10 133 4 0.0.0.0 255.255.255.255 0 65535 22.22.22.22 255.255.255.255 0 65535 0 0 1 64
193104 0 6 :: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 fe80::6770:f9e7:add5:ed1c FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 0 0 1 64

16
test/ntcrule/full/2018-10-09/NTC_DNS_REGION.0000050997 Normal file
View File

@@ -0,0 +1,16 @@
0000000015
886 869 QNAME www.bing.com 0 0 0 1
68 68 QNAME book.qq.com 0 0 0 1
885 868 QNAME www.bing.com 0 0 0 1
67 67 QNAME www.cz88.net 0 0 0 1
883 866 QNAME youdao.com 0 0 0 1
881 864 QNAME hk.entertainment.appledaily.com 0 0 0 1
884 867 QNAME www.sina.com 0 0 0 1
70 70 QNAME chuangshi.qq.com 0 0 0 1
445 431 QNAME finance.eastmoney.com 0 0 0 1
8 8 QNAME www.sina.com 0 0 0 1
66 66 QNAME www.ip138.com 0 0 0 1
7 7 QNAME www.sohu.com 0 0 0 1
446 432 QNAME stock.eastmoney.com 0 0 0 1
882 865 QNAME youdao.com 0 0 0 1
880 863 QNAME hk.entertainment.appledaily.com 0 0 0 1

3
test/ntcrule/full/2018-10-09/NTC_DNS_RES_STRATEGY.0000050997 Normal file
View File

@@ -0,0 +1,3 @@
0000000002
8 101 dns_response1_policy 133 1 0 0 0 0 0 0 0 0 10 30 1 65
193222 105 STRATEGY_NAME 143 89 0 0 0 0 0 0 0 0 12 24 1 65

6
test/ntcrule/full/2018-10-09/NTC_FTP_URL.0000050997 Normal file
View File

@@ -0,0 +1,6 @@
0000000005
902 885 blockchain 0 0 0 1
901 884 aaaftpbbbtestccc 0 0 0 1
879 862 斩首 0 0 0 1
903 886 movie 0 0 0 1
900 883 blockchain_guide 0 0 0 1

104
test/ntcrule/full/2018-10-09/NTC_GROUP.0000050997 Normal file
View File

@@ -0,0 +1,104 @@
0000000103
828 193099 1
648 192999 1
869 193126 1
847 193114 1
620 192973 1
834 193105 1
551 170487 1
836 193106 1
723 193040 1
867 193128 1
607 192965 1
624 192976 1
991 193252 1
827 193098 1
861 193133 1
843 193112 1
854 193119 1
611 192967 1
890 193154 1
728 193039 1
980 193237 1
849 193115 1
806 193076 1
820 193091 1
8 11 1
845 193113 1
66 118 1
614 192966 1
610 192967 1
612 192966 1
855 193120 1
982 193236 1
884 193148 1
70 121 1
831 193102 1
856 193121 1
881 193145 1
838 193108 1
873 193138 1
851 193116 1
623 192976 1
68 120 1
605 192960 1
983 193236 1
993 193258 1
979 193234 1
816 193088 1
7 12 1
603 192960 1
981 193237 1
431 170435 1
846 193114 1
550 170486 1
649 192977 1
919 193171 1
864 193131 1
20 32 1
865 193130 1
724 193040 1
1021 193289 1
829 193101 1
868 193127 1
805 193077 1
613 192966 1
883 193147 1
647 193000 1
726 193039 1
862 193134 1
994 193258 1
549 170485 1
837 193107 1
863 193132 1
727 193039 1
409 441 1
833 193103 1
608 192965 1
650 193002 1
844 193112 1
625 192978 1
432 170436 1
67 116 1
891 193155 1
598 192959 1
850 193116 1
609 192967 1
835 193106 1
885 193149 1
725 193040 1
615 192968 1
886 193150 1
880 193144 1
606 192965 1
876 193140 1
1034 193294 1
840 193110 1
839 193108 1
832 193103 1
1020 193289 1
866 193129 1
604 192960 1
830 193102 1
875 193139 1
848 193115 1

5
test/ntcrule/full/2018-10-09/NTC_HTTP_REQ_BODY.0000050997 Normal file
View File

@@ -0,0 +1,5 @@
0000000004
1009 994 处女座从学习寻找自我 0 0 0 1
856 839 亦庄 0 0 0 1
1036 1021 金牛座&стейк&Taurus 1 0 0 1
908 891 王守仁 0 0 0 1

15
test/ntcrule/full/2018-10-09/NTC_HTTP_RES_BODY.0000050997 Normal file
View File

@@ -0,0 +1,15 @@
0000000014
845 828 girls 0 0 0 1
851 834 冰毒 0 0 0 1
857 840 冰糖 0 0 0 1
872 855 钓鱼 0 0 0 1
873 856 zmtests 0 0 0 1
878 861 斩首 0 0 0 1
907 890 2018-10-05 0 0 0 1
1006 991 李白 0 0 0 1
897 880 zmtests 0 0 0 1
890 873 zmtests 0 0 0 1
898 881 功能测试 0 0 0 1
871 854 春眠 0 0 0 1
892 875 girl 0 0 0 1
844 827 girl&is&can&a 1 0 0 1

10
test/ntcrule/full/2018-10-09/NTC_HTTP_URL.0000050997 Normal file
View File

@@ -0,0 +1,10 @@
0000000009
636 620 www.chinaso.com 0 0 0 1
855 838 www.chinaso.com 0 0 0 1
862 845 192.168.17.7:8080/website1/index.html 0 0 0 1
936 919 www.v6test.com 0 0 0 1
994 979 www.chinaso.com/search/pagesearch.htm?q 0 0 0 1
854 837 www.bing.com 0 0 0 1
893 876 www.arocmag.com 0 0 0 1
1008 993 astro.sina.com.cn/l/2013-05-24/101093841.shtml 0 0 0 1
1035 1020 www.chinaso.com 0 0 0 1

3
test/ntcrule/full/2018-10-09/NTC_MAIL_BODY.0000050997 Normal file
View File

@@ -0,0 +1,3 @@
0000000002
663 647 Content shell 0 0 0 1
640 624 Content shell 0 0 0 1

15
test/ntcrule/full/2018-10-09/NTC_MAIL_HDR.0000050997 Normal file
View File

@@ -0,0 +1,15 @@
0000000014
641 625 From @126.com 0 0 0 1
565 549 Subject sports 0 0 0 1
666 650 From whale 0 0 0 1
823 806 From gov.com 0 0 0 1
833 816 From hu_kwei@zmtests.com 0 0 0 1
639 623 From whale 0 0 0 1
566 550 Subject blogger 0 0 0 1
822 805 From ungov.com 0 0 0 1
567 551 Subject music 0 0 0 1
664 648 To hasake 0 0 0 1
837 820 To hu_kwei@zmtests.com 0 0 0 1
1049 1034 From ntc_test123@163.com 0 0 0 1
665 649 From whale 0 0 0 1
846 829 From @126.com 0 0 0 1

24
test/ntcrule/full/2018-10-09/NTC_UNIVERSAL_IP.0000050997 Normal file
View File

@@ -0,0 +1,24 @@
0000000023
977 962 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
1000 985 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
967 950 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
852 835 6 :: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 fc00::1:1f FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 0 0 1
992 977 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
863 846 4 0.0.0.0 255.255.255.255 0 65535 192.168.17.3 255.255.255.255 0 65535 0 0 1
849 832 4 0.0.0.0 255.255.255.255 0 65535 192.168.17.3 255.255.255.255 0 65535 0 0 1
995 980 4 10.11.36.59 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
931 914 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
739 723 4 10.11.36.26 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
619 603 4 10.11.36.26 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
742 726 4 10.3.57.1 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
938 921 4 10.11.36.5 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
997 982 4 10.11.36.59 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
625 609 4 10.3.57.1 255.255.255.255 2345 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
847 830 6 :: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 fc00::1:1f FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 0 0 1
865 848 4 0.0.0.0 255.255.255.255 0 65535 192.168.17.3 255.255.255.255 0 65535 0 0 1
986 971 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
628 612 4 10.3.57.1 255.255.255.255 56345 65535 10.3.57.2 255.255.255.255 179 65535 0 0 1
974 959 4 10.11.36.21 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
622 606 4 10.3.57.1 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
867 850 6 :: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 fc00::1:1f FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 0 0 1
860 843 6 :: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 fc00::1:1f FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF 0 65535 0 0 1

24
test/ntcrule/full/2018-10-09/NTC_UNIVERSAL_PROTO_TYPE.0000050997 Normal file
View File

@@ -0,0 +1,24 @@
0000000023
939 922 21 21 1
978 963 21 21 1
743 727 20 20 1
968 951 21 21 1
996 981 5 5 1
853 836 10 10 1
629 613 20 20 1
620 604 20 20 1
626 610 20 20 1
998 983 4 4 1
864 847 7 7 1
932 915 21 21 1
987 972 21 21 1
866 849 5 5 1
861 844 7 7 1
740 724 20 20 1
993 978 21 21 1
848 831 6 6 1
1001 986 21 21 1
850 833 6 6 1
868 851 5 5 1
623 607 20 20 1
975 960 21 21 1

2
test/ntcrule/full/2018-10-09/WHITE_LIST_COMPILE.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
128 1 128 1 0 0 0 1 1 0

2
test/ntcrule/full/2018-10-09/WHITE_LIST_GROUP.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
81 128 1

2
test/ntcrule/full/2018-10-09/WHITE_LIST_IP.0000050997 Normal file
View File

@@ -0,0 +1,2 @@
0000000001
81 81 4 10.11.36.7 255.255.255.255 22222 65535 192.168.17.4 255.255.255.255 80 65535 0 0 1

26
test/ntcrule/full/index/full_config_index.0000050997 Normal file
View File

@@ -0,0 +1,26 @@
APP_COMPILE 21 ./ntcrule/full/2018-10-09/APP_COMPILE.0000050997
APP_GROUP 37 ./ntcrule/full/2018-10-09/APP_GROUP.0000050997
APP_PAYLOAD 1 ./ntcrule/full/2018-10-09/APP_PAYLOAD.0000050997
APP_POLICY 16 ./ntcrule/full/2018-10-09/APP_POLICY.0000050997
DDOS_PROTECT_TARGET_IP_CB 1 ./ntcrule/full/2018-10-09/DDOS_PROTECT_TARGET_IP_CB.0000050997
MM_AV_URL 1 ./ntcrule/full/2018-10-09/MM_AV_URL.0000050997
MM_COMPILE 1 ./ntcrule/full/2018-10-09/MM_COMPILE.0000050997
MM_GROUP 1 ./ntcrule/full/2018-10-09/MM_GROUP.0000050997
NTC_ASN_IP 1 ./ntcrule/full/2018-10-09/NTC_ASN_IP.0000050997
NTC_BGP_AS 10 ./ntcrule/full/2018-10-09/NTC_BGP_AS.0000050997
NTC_COMPILE 78 ./ntcrule/full/2018-10-09/NTC_COMPILE.0000050997
NTC_DNS_FAKE_IP_CB 3 ./ntcrule/full/2018-10-09/NTC_DNS_FAKE_IP_CB.0000050997
NTC_DNS_REGION 15 ./ntcrule/full/2018-10-09/NTC_DNS_REGION.0000050997
NTC_DNS_RES_STRATEGY 2 ./ntcrule/full/2018-10-09/NTC_DNS_RES_STRATEGY.0000050997
NTC_FTP_URL 5 ./ntcrule/full/2018-10-09/NTC_FTP_URL.0000050997
NTC_GROUP 103 ./ntcrule/full/2018-10-09/NTC_GROUP.0000050997
NTC_HTTP_REQ_BODY 4 ./ntcrule/full/2018-10-09/NTC_HTTP_REQ_BODY.0000050997
NTC_HTTP_RES_BODY 14 ./ntcrule/full/2018-10-09/NTC_HTTP_RES_BODY.0000050997
NTC_HTTP_URL 9 ./ntcrule/full/2018-10-09/NTC_HTTP_URL.0000050997
NTC_MAIL_BODY 2 ./ntcrule/full/2018-10-09/NTC_MAIL_BODY.0000050997
NTC_MAIL_HDR 14 ./ntcrule/full/2018-10-09/NTC_MAIL_HDR.0000050997
NTC_UNIVERSAL_IP 23 ./ntcrule/full/2018-10-09/NTC_UNIVERSAL_IP.0000050997
NTC_UNIVERSAL_PROTO_TYPE 23 ./ntcrule/full/2018-10-09/NTC_UNIVERSAL_PROTO_TYPE.0000050997
WHITE_LIST_COMPILE 1 ./ntcrule/full/2018-10-09/WHITE_LIST_COMPILE.0000050997
WHITE_LIST_GROUP 1 ./ntcrule/full/2018-10-09/WHITE_LIST_GROUP.0000050997
WHITE_LIST_IP 1 ./ntcrule/full/2018-10-09/WHITE_LIST_IP.0000050997

27
test/t2_tableinfo.conf Normal file
View File

@@ -0,0 +1,27 @@
#each collumn seperate with '\t'
#id (0~65535)
#name string
#type one of ip,expr,expr_plus,digest,intval,compile or plugin
#src_charset one of GBK,BIG5,UNICODE,UTF8
#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
#do_merege yes or no
#cross cache 0~max
#quickswitch quickon or quick off
#id name type src_charset dst_charset do_merge cross_cache quickswitch
0 NTC_COMPILE compile UTF8 UTF8 no 0
0 WHITE_LIST_COMPILE compile UTF8 UTF8 no 0
1 NTC_GROUP group UTF8 UTF8 no 0
1 WHITE_LIST_GROUP group UTF8 UTF8 no 0
2 NTC_UNIVERSAL_IP ip UTF8 UTF8 no 0
3 NTC_UNIVERSAL_PROTO_TYPE intval UTF8 UTF8 no 0
4 WHITE_LIST_IP ip UTF8 UTF8 no 0
7 NTC_HTTP_URL expr UTF8 UTF8 yes 0 quickoff
7 WHITE_LIST_DOMAIN expr UTF8 UTF8 yes 0 quickoff
8 NTC_HTTP_REQ_HDR expr_plus UTF8 UTF8 yes 0 quickoff
8 NTC_HTTP_RES_HDR expr_plus UTF8 UTF8 yes 0 quickoff
9 NTC_HTTP_REQ_BODY expr UTF8 UTF8/GBK/BIG5/UNICODE yes 0 quickoff
9 NTC_HTTP_RES_BODY expr UTF8 UTF8/GBK/BIG5/UNICODE yes 0 quickoff
11 NTC_MAIL_HDR expr_plus UTF8 UTF8/GBK yes 0 quickoff
12 NTC_MAIL_BODY expr_plus UTF8 UTF8/GBK yes 0 quickoff
13 NTC_FTP_URL expr UTF8 UTF8 yes 0 quickoff
14 NTC_FTP_CONTENT expr UTF8 UTF8 yes 0 quickoff

179
test/test_maatframe.cpp
View File

@@ -483,78 +483,6 @@ TEST(StringScan, OffsetChunk1460)
test_offset_str_scan_with_chunk(1460);
return;
}
TEST(StreamScan, StreamFiles)
{
#define StreamScan_StreamFiles
const char* test_data_dir="./test_streamfiles";
struct dirent **namelist;
FILE* fp=NULL;
char file_path[256]={0};
char *buff;
size_t read_len=0;
int table_id=0,ret=0;
struct Maat_rule_t result[4];
stream_para_t sp=NULL;
int n=0,i=0, hit_cnt=0;
const char* table_name="KEYWORDS_TABLE";
scan_status_t mid=NULL;
table_id=Maat_table_register(g_feather,table_name);
ASSERT_GT(table_id, 0);
n = my_scandir(test_data_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
ASSERT_GT(n, 0);
sp=Maat_stream_scan_string_start(g_feather,table_id,0);
ASSERT_FALSE(sp==NULL);
struct stat file_info;
size_t file_size=0;
for(i=0;i<n;i++)
{
if((strcmp(namelist[i]->d_name, ".") == 0) || (strcmp(namelist[i]->d_name, "..") == 0))
{
continue;
}
snprintf(file_path,sizeof(file_path),"%s/%s",test_data_dir,namelist[i]->d_name);
ret=stat(file_path, &file_info);
ASSERT_TRUE(ret==0);
file_size=file_info.st_size;
buff=(char*)malloc(file_size);
fp=fopen(file_path,"rb");
if(fp==NULL)
{
printf("fopen %s error.\n",file_path);;
continue;
}
read_len=fread(buff,1,file_size,fp);
ret=Maat_stream_scan_string(&sp,CHARSET_NONE,buff,read_len
,result, NULL, 4, &mid);
read_len=fread(buff,1,sizeof(buff),fp);
if(ret>0)
{
hit_cnt++;
}
printf("Stream Scan %s, ret=%d.\n",file_path,ret);
fclose(fp);
free(buff);
buff=NULL;
}
Maat_clean_status(&mid);
Maat_stream_scan_string_end(&sp);
EXPECT_GT(hit_cnt, 0);
for(i=0;i<n;i++)
{
free(namelist[i]);
}
free(namelist);
return;
}
void accept_tags_entry_cb(int table_id,const char* table_line,void* u_para)
{
@@ -719,6 +647,113 @@ TEST(ScanResult, LongerServiceDefine)
free(buff);
return;
}
class MaatFileTest : public testing::Test
{
protected:
static void SetUpTestCase()
{
void *logger=NULL;
const char* rule_folder="./ntcrule/full/index";
logger=MESA_create_runtime_log_handle("test_maat_file.log",0);
const char* table_info="./t2_tableinfo.conf";
_shared_feather_f=Maat_feather(g_iThreadNum, table_info, logger);
Maat_set_feather_opt(_shared_feather_f,MAAT_OPT_INSTANCE_NAME,"files", strlen("files")+1);
Maat_set_feather_opt(_shared_feather_f, MAAT_OPT_FULL_CFG_DIR, rule_folder, strlen(rule_folder)+1);
Maat_set_feather_opt(_shared_feather_f, MAAT_OPT_INC_CFG_DIR, rule_folder, strlen(rule_folder)+1);
Maat_set_feather_opt(_shared_feather_f, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
//Set a short intevral for testing.
Maat_set_feather_opt(_shared_feather_f, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
Maat_initiate_feather(_shared_feather_f);
}
static void TearDownTestCase()
{
Maat_burn_feather(_shared_feather_f);
}
// Some expensive resource shared by all tests.
static Maat_feather_t _shared_feather_f;
};
Maat_feather_t MaatFileTest::_shared_feather_f;
TEST_F(MaatFileTest, StreamFiles)
{
#define StreamScan_StreamFiles
Maat_feather_t feather=MaatFileTest::_shared_feather_f;
const char* test_data_dir="./test_streamfiles";
struct dirent **namelist;
FILE* fp=NULL;
char file_path[256]={0};
char *buff;
size_t read_len=0;
int table_id=0,ret=0;
struct Maat_rule_t result[4];
stream_para_t sp=NULL;
int n=0,i=0, hit_cnt=0;
const char* table_name="NTC_HTTP_REQ_BODY";
scan_status_t mid=NULL;
table_id=Maat_table_register(feather,table_name);
ASSERT_GT(table_id, 0);
n = my_scandir(test_data_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
ASSERT_GT(n, 0);
sp=Maat_stream_scan_string_start(feather,table_id,0);
ASSERT_FALSE(sp==NULL);
struct stat file_info;
size_t file_size=0;
for(i=0;i<n;i++)
{
if((strcmp(namelist[i]->d_name, ".") == 0) || (strcmp(namelist[i]->d_name, "..") == 0))
{
continue;
}
snprintf(file_path,sizeof(file_path),"%s/%s",test_data_dir,namelist[i]->d_name);
ret=stat(file_path, &file_info);
ASSERT_TRUE(ret==0);
file_size=file_info.st_size;
buff=(char*)malloc(file_size);
fp=fopen(file_path,"rb");
if(fp==NULL)
{
printf("fopen %s error.\n",file_path);
continue;
}
read_len=fread(buff,1,file_size,fp);
ret=Maat_stream_scan_string(&sp,CHARSET_NONE,buff,read_len
,result, NULL, 4, &mid);
read_len=fread(buff,1,sizeof(buff),fp);
if(ret>0)
{
hit_cnt++;
}
printf("Stream Scan %s, ret=%d.\n",file_path,ret);
fclose(fp);
free(buff);
buff=NULL;
}
Maat_clean_status(&mid);
Maat_stream_scan_string_end(&sp);
EXPECT_GT(hit_cnt, 0);
for(i=0;i<n;i++)
{
free(namelist[i]);
}
free(namelist);
return;
}
class MaatCmdTest : public testing::Test
{