gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[patch]maat not handle regex string

Browse Source
This commit is contained in:
liuwentan
2023-05-10 13:33:50 +08:00
parent e97adb8b97
commit 7ce971902d
4 changed files with 19 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/inc_internal/maat_utils.h
View File

@@ -94,8 +94,6 @@ int load_file_to_memory(const char *file_name, unsigned char **pp_out, size_t *o
char *strtok_r_esc(char *s, const char delim, char **save_ptr); char *strtok_r_esc(char *s, const char delim, char **save_ptr);
char *str_unescape_and(char *s);
char *str_unescape(char *s); char *str_unescape(char *s);
char *md5_file(const char *filename, char *md5string); char *md5_file(const char *filename, char *md5string);

9
src/maat_expr.c
View File

@@ -624,7 +624,6 @@ int expr_item_to_expr_rule(struct expr_item *expr_item, struct expr_rule *expr_r
switch (expr_item->expr_type) { switch (expr_item->expr_type) {
case EXPR_TYPE_AND: case EXPR_TYPE_AND:
case EXPR_TYPE_REGEX:
for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) { for (i = 0, pos = expr_item->keywords; ; i++, pos = NULL) {
tmp = strtok_r_esc(pos, '&', &saveptr); tmp = strtok_r_esc(pos, '&', &saveptr);
if (NULL == tmp) { if (NULL == tmp) {
@@ -639,12 +638,8 @@ int expr_item_to_expr_rule(struct expr_item *expr_item, struct expr_rule *expr_r
} }
sub_key_array[i] = tmp; sub_key_array[i] = tmp;
if (expr_item->expr_type == EXPR_TYPE_REGEX) {
sub_key_array[i] = str_unescape_and(sub_key_array[i]);
} else {
sub_key_array[i] = str_unescape(sub_key_array[i]); sub_key_array[i] = str_unescape(sub_key_array[i]);
} }
}
sub_expr_cnt = i; sub_expr_cnt = i;
break; break;
case EXPR_TYPE_OFFSET: case EXPR_TYPE_OFFSET:
@@ -689,6 +684,10 @@ int expr_item_to_expr_rule(struct expr_item *expr_item, struct expr_rule *expr_r
sub_key_array[0] = expr_item->keywords; sub_key_array[0] = expr_item->keywords;
sub_key_array[0] = str_unescape(sub_key_array[0]); sub_key_array[0] = str_unescape(sub_key_array[0]);
break; break;
case EXPR_TYPE_REGEX:
sub_expr_cnt = 1;
sub_key_array[0] = expr_item->keywords;
break;
default: default:
log_error(logger, MODULE_EXPR, log_error(logger, MODULE_EXPR,
"[%s:%d]abandon config expr_item(item_id:%lld) has invalid expr type=%d", "[%s:%d]abandon config expr_item(item_id:%lld) has invalid expr type=%d",

19
src/maat_utils.c
View File

@@ -170,25 +170,6 @@ char *strtok_r_esc(char *s, const char delim, char **save_ptr)
return s; return s;
} }
char *str_unescape_and(char *s)
{
size_t i = 0;
size_t j = 0;
for (i = 0,j = 0; i < strlen(s); i++) {
if (s[i] == '\\' && s[i+1] == '&') {
s[j] = '&';
i++;
j++;
} else {
s[j] = s[i];
j++;
}
}
s[j] = '\0';
return s;
}
char *str_unescape(char *s) char *str_unescape(char *s)
{ {
size_t i=0; size_t i=0;

14
test/regex_expr.conf
View File

@@ -92,6 +92,20 @@
"pattern": "123^abc" "pattern": "123^abc"
} }
] ]
},
{
"rule_id": 306,
"pattern_num": 1,
"patterns": [
{
"pattern_type": "regex",
"match_method": "sub",
"case_sensitive": "no",
"is_hexbin": "no",
"pattern": "^[1-9]\d{5}(18|19|([23]\d))\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\d{3}[0-9Xx]$"
}
]
} }
] ]
} }