diff --git a/src/entry/Maat_api.cpp b/src/entry/Maat_api.cpp
index f9334e9..d6c0132 100644
--- a/src/entry/Maat_api.cpp
+++ b/src/entry/Maat_api.cpp
@@ -1632,9 +1632,12 @@ int Maat_scan_proto_addr(Maat_feather_t feather,int table_id
 _feather->scan_err_cnt++;
 return -1;
 }
- else if(region_ret>0)
+ else if(region_ret>0 || scan_status_should_compile_NOT(_mid) )
 {
- alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);
+ if(region_ret>0)
+ {
+ alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);
+ }
 _mid=grab_mid(mid, _feather, thread_num, 1);
 compile_ret=region_compile(_feather,_mid->inner,
@@ -1858,9 +1861,12 @@ int Maat_stream_scan_string_detail(stream_para_t* stream_para
 {
 hit_region_cnt=match_district(_mid,region_result,hit_region_cnt);
 }
- if(hit_region_cnt>0)
+ if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
 {
- alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num,1);
+ if(hit_region_cnt>0)
+ {
+ alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num,1);
+ }
 _mid=grab_mid(mid, sp->feather,sp->thread_num, 1);
 compile_ret=region_compile(sp->feather,_mid->inner,
 _mid->is_last_region,
@@ -2085,9 +2091,12 @@ int Maat_stream_scan_digest(stream_para_t * stream_para, const char * data, int
 compile_ret=-1;
 goto fast_out;
 }
- if(hit_region_cnt>0)
+ if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
 {
- alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num, 1);
+ if(hit_region_cnt>0)
+ {
+ alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num, 1);
+ }
 _mid=grab_mid(mid,sp->feather, sp->thread_num,1);
 compile_ret=region_compile(sp->feather,_mid->inner,
 _mid->is_last_region,
@@ -2197,6 +2206,7 @@ int Maat_set_scan_status(Maat_feather_t feather,scan_status_t* mid,enum MAAT_SCA
 _mid->is_set_district=1;
 break;
 case MAAT_SET_SCAN_LAST_REGION:
+ assert(_mid->is_last_region==0);
 _mid->is_last_region=1;
 break;
 default:
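Review bot: In Maat_scan_proto_addr the new condition calls `scan_status_should_compile_NOT(_mid)` before `_mid=grab_mid(mid, _feather, thread_num, 1)` runs, so `_mid` may not have been allocated yet on a caller's first scan. Maat_similar_scan_string initialises `_mid=NULL`, and any earlier assignment lies outside these hunks, so it cannot be confirmed from the diff that the helper is never handed NULL. The same ordering appears in the Maat_stream_scan_string_detail, Maat_stream_scan_digest and Maat_similar_scan_string hunks. Either document on the helper that it accepts NULL, or guard the call, e.g. `else if(region_ret>0 || (_mid!=NULL && scan_status_should_compile_NOT(_mid)))`. The function body starts and ends outside the hunk.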
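Review bot: In Maat_set_scan_status the added `assert(_mid->is_last_region==0)` makes a repeated MAAT_SET_SCAN_LAST_REGION call abort the process in debug builds, while a build with NDEBUG accepts it silently, so caller misuse behaves differently per build type. For a public entry point of a scanning engine, a caller error is better reported through the existing int return, e.g. `if(_mid->is_last_region!=0) return -1;` before the assignment. That assumes -1 is this function's error value; its return paths are outside the hunk.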
@@ -2211,7 +2221,7 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
 ,struct Maat_rule_t*result,int rule_num
 ,scan_status_t* mid,int thread_num)
 {
- int region_ret=0,compile_ret=0;
+ int hit_region_cnt=0,compile_ret=0;
 struct _OUTER_scan_status_t* _mid=NULL;
 GIE_result_t region_result[MAX_SCANNER_HIT_NUM];
 _compile_result_t compile_result[rule_num];
@@ -2243,21 +2253,21 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
 INC_SCANNER_REF(my_scanner,thread_num);
 alignment_int64_array_add(_feather->thread_call_cnt, thread_num, 1);
- region_ret=GIE_query(gie_handle, data, data_len,region_result, MAX_SCANNER_HIT_NUM);
- if(region_ret<0)
+ hit_region_cnt=GIE_query(gie_handle, data, data_len,region_result, MAX_SCANNER_HIT_NUM);
+ if(hit_region_cnt<0)
 {
 DEC_SCANNER_REF(my_scanner, thread_num);
 _feather->scan_err_cnt++;
 return -1;
 }
- else if(region_ret>0)
+ else if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
 {
 alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);
 _mid=grab_mid(mid, _feather, thread_num, 1);
 compile_ret=region_compile(_feather,_mid->inner,
 _mid->is_last_region,
 region_result,sizeof(GIE_result_t),offsetof(GIE_result_t, tag),
- region_ret,
+ hit_region_cnt,
 result,compile_result,rule_num,
 thread_num);
 assert(_mid->is_last_region<2);
@@ -2277,7 +2287,7 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
 {
 maat_stat_table(table_rt,0,NULL, NULL,thread_num);
 }
- if(compile_ret==0&®ion_ret>0)
+ if(compile_ret==0&&hit_region_cnt>0)
 {
 return -2;
 }
diff --git a/src/entry/Maat_stat.cpp b/src/entry/Maat_stat.cpp
index b85d60b..4d8b04a 100644
--- a/src/entry/Maat_stat.cpp
+++ b/src/entry/Maat_stat.cpp
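Review bot: In the `@@ -2243` hunk of Maat_similar_scan_string, `alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);` is still unconditional inside a branch that now also runs when `hit_region_cnt==0` and only the NOT-compile condition holds, so the table hit counter is incremented for scans that matched no region. The three other scan functions changed in this commit wrap the same call in `if(hit_region_cnt>0)` (or `if(region_ret>0)`), and this one should match them: `if(hit_region_cnt>0) { alignment_int64_array_add(table_rt->hit_cnt, thread_num,1); }`. The function continues outside the hunk.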
@@ -73,7 +73,7 @@ void maat_stat_init(struct _Maat_feather_t* feather)
 feather->fs_status_id[STATUS_INNER_MID_NUM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"inner_mid");
 feather->fs_status_id[STATUS_ZOMBIE_RS_STREAM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"z_stream");
- feather->fs_status_id[STATUS_ORPHAN_GROUP_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"only_grp_sv");
+ feather->fs_status_id[STATUS_ORPHAN_GROUP_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"orphan_grp_sv");
 feather->fs_status_id[STATUS_LAST_REGION_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"last_rgn_sv");
 feather->fs_status_id[STATUS_TOTAL_SCAN_LEN]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"scan_bytes");
diff --git a/test/maat_json.json b/test/maat_json.json
index a19439d..a13ec5f 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -655,6 +655,36 @@
 ]
 }
 ]
+ },
+ {
+ "compile_id": 145,
+ "service": 1,
+ "action": 1,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "user_region": "NOT-logic-test3",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "HTTP_URL",
+ "table_type": "string",
+ "table_content": {
+ "keywords": "must-contained-string-of-rule-145",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "not_flag":1,
+ "group_name": "IP_group"
+ }
+ ]
 }
 ],
 "plugin_table": [
diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp
index 9da835e..1e13b58 100644
--- a/test/test_maatframe.cpp
+++ b/test/test_maatframe.cpp
@@ -349,7 +349,6 @@ TEST(NOTLogic, ScanNotAtLast)
 TEST(NOTLogic, ScanIrrelavantAtLast)
 {
 const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-144.";
- const char* string_should_not_hit="This string contains both must-contained-string-of-rule-144 and must-not-contained-string-of-rule-144.";
 const char* string_irrelevant="This string contiains nothing to hit.";
 int ret=0;
 int table_id=0;
@@ -363,13 +362,10 @@ TEST(NOTLogic, ScanIrrelavantAtLast)
 ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_hit, strlen(string_should_hit),
 result,found_pos, 4, &mid, 0);
 EXPECT_GE(ret, -2);
- /*
- table_id=Maat_table_register(g_feather,not_hit_table_name);
- ASSERT_GT(table_id, 0);
- ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_not_hit, strlen(string_should_not_hit),
- result,found_pos, 4, &mid, 0);
- EXPECT_GE(ret, -2);*/
+ table_id=Maat_table_register(g_feather, not_hit_table_name);
+ ASSERT_GT(table_id, 0);
 Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
 ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_irrelevant, strlen(string_irrelevant),
 result,found_pos, 4, &mid, 0);
@@ -377,6 +373,42 @@ TEST(NOTLogic, ScanIrrelavantAtLast)
 EXPECT_EQ(ret, 1);
 Maat_clean_status(&mid);
+}
+TEST(NOTLogic, ScanNotIP)
+{
+ const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-145.";
+ int ret=0;
+ int table_id=0;
+ struct Maat_rule_t result[4];
+ int found_pos[4];
+ const char* hit_table_name="HTTP_URL", *not_hit_table_name="IP_CONFIG";
+ scan_status_t mid=NULL;
+ table_id=Maat_table_register(g_feather,hit_table_name);
+ ASSERT_GT(table_id, 0);
+
+ ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_hit, strlen(string_should_hit),
+ result,found_pos, 4, &mid, 0);
+ EXPECT_GE(ret, -2);
+
+ struct ipaddr ipv4_addr;
+ struct stream_tuple4_v4 v4_addr;
+ ipv4_addr.addrtype=ADDR_TYPE_IPV4;
+ inet_pton(AF_INET,"10.0.6.205",&(v4_addr.saddr));
+ v4_addr.source=htons(50001);
+ inet_pton(AF_INET,"10.0.6.201",&(v4_addr.daddr));
+ v4_addr.dest=htons(80);
+ ipv4_addr.v4=&v4_addr;
+
+ table_id=Maat_table_register(g_feather, not_hit_table_name);
+ ASSERT_GT(table_id, 0);
+
+ Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
+ ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid,0);
+
+
+ EXPECT_EQ(ret, -2);
+ Maat_clean_status(&mid);
+
 }
 TEST(Helper, ReadColumn)
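Review bot: In the new ScanNotIP test, `struct ipaddr ipv4_addr;` and `struct stream_tuple4_v4 v4_addr;` are left uninitialised and only some members are assigned, so any other member that Maat_scan_proto_addr reads is indeterminate. The struct definitions are not in this diff, so zero-initialising both is the safe default: `struct ipaddr ipv4_addr={};` and `struct stream_tuple4_v4 v4_addr={};`. The two `inet_pton` return values are also unchecked. The first `EXPECT_GE(ret, -2)` still passes when the HTTP_URL scan returns -1, which the scan functions in this commit use on their error paths; `EXPECT_NE(ret, -1);` or the exact expected value would make that step meaningful.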