gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#7 在Intval/Similar/Digest/IP中增加对NOT-logic命中的处理。

Browse Source
This commit is contained in:
zhengchao
2019-01-08 22:09:05 +06:00
parent deb41ea520
commit 8e242e5545
4 changed files with 92 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/entry/Maat_api.cpp
View File

@@ -1632,9 +1632,12 @@ int Maat_scan_proto_addr(Maat_feather_t feather,int table_id
_feather->scan_err_cnt++; _feather->scan_err_cnt++;
return -1; return -1;
} }
else if(region_ret>0) else if(region_ret>0 || scan_status_should_compile_NOT(_mid) )
{ {
alignment_int64_array_add(table_rt->hit_cnt, thread_num,1); if(region_ret>0)
{
alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);
}
_mid=grab_mid(mid, _feather, thread_num, 1); _mid=grab_mid(mid, _feather, thread_num, 1);
compile_ret=region_compile(_feather,_mid->inner, compile_ret=region_compile(_feather,_mid->inner,
@@ -1858,9 +1861,12 @@ int Maat_stream_scan_string_detail(stream_para_t* stream_para
{ {
hit_region_cnt=match_district(_mid,region_result,hit_region_cnt); hit_region_cnt=match_district(_mid,region_result,hit_region_cnt);
} }
if(hit_region_cnt>0) if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
{ {
alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num,1); if(hit_region_cnt>0)
{
alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num,1);
}
_mid=grab_mid(mid, sp->feather,sp->thread_num, 1); _mid=grab_mid(mid, sp->feather,sp->thread_num, 1);
compile_ret=region_compile(sp->feather,_mid->inner, compile_ret=region_compile(sp->feather,_mid->inner,
_mid->is_last_region, _mid->is_last_region,
@@ -2085,9 +2091,12 @@ int Maat_stream_scan_digest(stream_para_t * stream_para, const char * data, int
compile_ret=-1; compile_ret=-1;
goto fast_out; goto fast_out;
} }
if(hit_region_cnt>0) if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
{ {
alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num, 1); if(hit_region_cnt>0)
{
alignment_int64_array_add(table_rt->hit_cnt, sp->thread_num, 1);
}
_mid=grab_mid(mid,sp->feather, sp->thread_num,1); _mid=grab_mid(mid,sp->feather, sp->thread_num,1);
compile_ret=region_compile(sp->feather,_mid->inner, compile_ret=region_compile(sp->feather,_mid->inner,
_mid->is_last_region, _mid->is_last_region,
@@ -2197,6 +2206,7 @@ int Maat_set_scan_status(Maat_feather_t feather,scan_status_t* mid,enum MAAT_SCA
_mid->is_set_district=1; _mid->is_set_district=1;
break; break;
case MAAT_SET_SCAN_LAST_REGION: case MAAT_SET_SCAN_LAST_REGION:
assert(_mid->is_last_region==0);
_mid->is_last_region=1; _mid->is_last_region=1;
break; break;
default: default:
@@ -2211,7 +2221,7 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
,struct Maat_rule_t*result,int rule_num ,struct Maat_rule_t*result,int rule_num
,scan_status_t* mid,int thread_num) ,scan_status_t* mid,int thread_num)
{ {
int region_ret=0,compile_ret=0; int hit_region_cnt=0,compile_ret=0;
struct _OUTER_scan_status_t* _mid=NULL; struct _OUTER_scan_status_t* _mid=NULL;
GIE_result_t region_result[MAX_SCANNER_HIT_NUM]; GIE_result_t region_result[MAX_SCANNER_HIT_NUM];
_compile_result_t compile_result[rule_num]; _compile_result_t compile_result[rule_num];
@@ -2243,21 +2253,21 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
INC_SCANNER_REF(my_scanner,thread_num); INC_SCANNER_REF(my_scanner,thread_num);
alignment_int64_array_add(_feather->thread_call_cnt, thread_num, 1); alignment_int64_array_add(_feather->thread_call_cnt, thread_num, 1);
region_ret=GIE_query(gie_handle, data, data_len,region_result, MAX_SCANNER_HIT_NUM); hit_region_cnt=GIE_query(gie_handle, data, data_len,region_result, MAX_SCANNER_HIT_NUM);
if(region_ret<0) if(hit_region_cnt<0)
{ {
DEC_SCANNER_REF(my_scanner, thread_num); DEC_SCANNER_REF(my_scanner, thread_num);
_feather->scan_err_cnt++; _feather->scan_err_cnt++;
return -1; return -1;
} }
else if(region_ret>0) else if(hit_region_cnt>0 || scan_status_should_compile_NOT(_mid))
{ {
alignment_int64_array_add(table_rt->hit_cnt, thread_num,1); alignment_int64_array_add(table_rt->hit_cnt, thread_num,1);
_mid=grab_mid(mid, _feather, thread_num, 1); _mid=grab_mid(mid, _feather, thread_num, 1);
compile_ret=region_compile(_feather,_mid->inner, compile_ret=region_compile(_feather,_mid->inner,
_mid->is_last_region, _mid->is_last_region,
region_result,sizeof(GIE_result_t),offsetof(GIE_result_t, tag), region_result,sizeof(GIE_result_t),offsetof(GIE_result_t, tag),
region_ret, hit_region_cnt,
result,compile_result,rule_num, result,compile_result,rule_num,
thread_num); thread_num);
assert(_mid->is_last_region<2); assert(_mid->is_last_region<2);
@@ -2277,7 +2287,7 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
{ {
maat_stat_table(table_rt,0,NULL, NULL,thread_num); maat_stat_table(table_rt,0,NULL, NULL,thread_num);
} }
if(compile_ret==0&&region_ret>0) if(compile_ret==0&&hit_region_cnt>0)
{ {
return -2; return -2;
} }

2
src/entry/Maat_stat.cpp
View File

@@ -73,7 +73,7 @@ void maat_stat_init(struct _Maat_feather_t* feather)
feather->fs_status_id[STATUS_INNER_MID_NUM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"inner_mid"); feather->fs_status_id[STATUS_INNER_MID_NUM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"inner_mid");
feather->fs_status_id[STATUS_ZOMBIE_RS_STREAM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"z_stream"); feather->fs_status_id[STATUS_ZOMBIE_RS_STREAM]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"z_stream");
feather->fs_status_id[STATUS_ORPHAN_GROUP_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"only_grp_sv"); feather->fs_status_id[STATUS_ORPHAN_GROUP_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"orphan_grp_sv");
feather->fs_status_id[STATUS_LAST_REGION_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"last_rgn_sv"); feather->fs_status_id[STATUS_LAST_REGION_SAVING]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"last_rgn_sv");
feather->fs_status_id[STATUS_TOTAL_SCAN_LEN]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"scan_bytes"); feather->fs_status_id[STATUS_TOTAL_SCAN_LEN]=FS_register(feather->stat_handle, FS_STYLE_STATUS, FS_CALC_CURRENT,"scan_bytes");

30
test/maat_json.json
View File

@@ -655,6 +655,36 @@
] ]
} }
] ]
},
{
"compile_id": 145,
"service": 1,
"action": 1,
"do_blacklist": 1,
"do_log": 1,
"user_region": "NOT-logic-test3",
"is_valid": "yes",
"groups": [
{
"not_flag":0,
"regions": [
{
"table_name": "HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "must-contained-string-of-rule-145",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
},
{
"not_flag":1,
"group_name": "IP_group"
}
]
} }
], ],
"plugin_table": [ "plugin_table": [

46
test/test_maatframe.cpp
View File

@@ -349,7 +349,6 @@ TEST(NOTLogic, ScanNotAtLast)
TEST(NOTLogic, ScanIrrelavantAtLast) TEST(NOTLogic, ScanIrrelavantAtLast)
{ {
const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-144."; const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-144.";
const char* string_should_not_hit="This string contains both must-contained-string-of-rule-144 and must-not-contained-string-of-rule-144.";
const char* string_irrelevant="This string contiains nothing to hit."; const char* string_irrelevant="This string contiains nothing to hit.";
int ret=0; int ret=0;
int table_id=0; int table_id=0;
@@ -363,13 +362,10 @@ TEST(NOTLogic, ScanIrrelavantAtLast)
ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_hit, strlen(string_should_hit), ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_hit, strlen(string_should_hit),
result,found_pos, 4, &mid, 0); result,found_pos, 4, &mid, 0);
EXPECT_GE(ret, -2); EXPECT_GE(ret, -2);
/*
table_id=Maat_table_register(g_feather,not_hit_table_name);
ASSERT_GT(table_id, 0);
ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_not_hit, strlen(string_should_not_hit), table_id=Maat_table_register(g_feather, not_hit_table_name);
result,found_pos, 4, &mid, 0); ASSERT_GT(table_id, 0);
EXPECT_GE(ret, -2);*/
Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0); Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_irrelevant, strlen(string_irrelevant), ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_irrelevant, strlen(string_irrelevant),
result,found_pos, 4, &mid, 0); result,found_pos, 4, &mid, 0);
@@ -377,6 +373,42 @@ TEST(NOTLogic, ScanIrrelavantAtLast)
EXPECT_EQ(ret, 1); EXPECT_EQ(ret, 1);
Maat_clean_status(&mid); Maat_clean_status(&mid);
}
TEST(NOTLogic, ScanNotIP)
{
const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-145.";
int ret=0;
int table_id=0;
struct Maat_rule_t result[4];
int found_pos[4];
const char* hit_table_name="HTTP_URL", *not_hit_table_name="IP_CONFIG";
scan_status_t mid=NULL;
table_id=Maat_table_register(g_feather,hit_table_name);
ASSERT_GT(table_id, 0);
ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, string_should_hit, strlen(string_should_hit),
result,found_pos, 4, &mid, 0);
EXPECT_GE(ret, -2);
struct ipaddr ipv4_addr;
struct stream_tuple4_v4 v4_addr;
ipv4_addr.addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,"10.0.6.205",&(v4_addr.saddr));
v4_addr.source=htons(50001);
inet_pton(AF_INET,"10.0.6.201",&(v4_addr.daddr));
v4_addr.dest=htons(80);
ipv4_addr.v4=&v4_addr;
table_id=Maat_table_register(g_feather, not_hit_table_name);
ASSERT_GT(table_id, 0);
Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid,0);
EXPECT_EQ(ret, -2);
Maat_clean_status(&mid);
} }
TEST(Helper, ReadColumn) TEST(Helper, ReadColumn)