gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

store history pattern ids at expr_matcher after hs/rs stream scan, instead of storing them during hs/rs scan

Browse Source
This commit is contained in:
root
2024-10-28 10:44:22 +00:00
parent abd00a9aab
commit 9d72c83e9f
8 changed files with 319 additions and 228 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
test/expr_matcher_gtest.cpp
View File

@@ -303,7 +303,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_normal_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello aaa";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -360,7 +360,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_normal_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello aaa";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -417,7 +417,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_left_unlimit_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello bbb";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -475,7 +475,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_left_unlimit_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello bbb";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -533,7 +533,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_right_unlimit_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ccc";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -600,7 +600,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_right_unlimit_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ccc";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -667,7 +667,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_no_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ddd";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -725,7 +725,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_no_offset)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ddd";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -783,7 +783,7 @@ TEST(hs_expr_matcher_match, literal_exactly)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello eee";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -831,7 +831,7 @@ TEST(rs_expr_matcher_match, literal_exactly)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello eee";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -880,7 +880,7 @@ TEST(hs_expr_matcher_match, literal_prefix)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello fff";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -940,7 +940,7 @@ TEST(rs_expr_matcher_match, literal_prefix)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello fff";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1000,7 +1000,7 @@ TEST(hs_expr_matcher_match, literal_suffix)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ggg";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1060,7 +1060,7 @@ TEST(rs_expr_matcher_match, literal_suffix)
expr_array_free(rules, n_rule);
char scan_data1[64] = "hello ggg";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1120,7 +1120,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_hex)
expr_array_free(rules, n_rule);
char scan_data1[64] = "Content-Type: /html";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1159,7 +1159,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_hex)
expr_array_free(rules, n_rule);
char scan_data1[64] = "Content-Type: /html";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1198,7 +1198,7 @@ TEST(hs_expr_matcher_match, literal_with_chinese)
expr_array_free(rules, n_rule);
char data0[64] = "#中国 你好";
struct expr_scan_result result0[64] = {0};
uuid_t result0[64] = {0};
size_t n_result0 = 0;
size_t n_hit_pattern = 0;
@@ -1227,7 +1227,7 @@ TEST(rs_expr_matcher_match, literal_with_chinese)
expr_array_free(rules, n_rule);
char data0[64] = "#中国 你好";
struct expr_scan_result result0[64] = {0};
uuid_t result0[64] = {0};
size_t n_result0 = 0;
size_t n_hit_pattern = 0;
@@ -1256,7 +1256,7 @@ TEST(hs_expr_matcher_match, same_pattern_different_offset)
expr_array_free(rules, n_rule);
char data[64] = "onetoday,anothertoday";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1285,7 +1285,7 @@ TEST(rs_expr_matcher_match, same_pattern_different_offset)
expr_array_free(rules, n_rule);
char data[64] = "onetoday,anothertoday";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1316,7 +1316,7 @@ TEST(hs_expr_matcher_match, long_scan_data)
const char* scan_data = "A directed path in a directed graph is a finite or infinite\
sequence of edges which joins a sequence of distinct vertices, but with the added restriction\
that the edges be all directed in the same direction.";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1347,7 +1347,7 @@ TEST(rs_expr_matcher_match, long_scan_data)
const char* scan_data = "A directed path in a directed graph is a finite or infinite\
sequence of edges which joins a sequence of distinct vertices, but with the added restriction\
that the edges be all directed in the same direction.";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1396,7 +1396,7 @@ TEST(hs_expr_matcher_stream, basic)
const char *scan_data2 = " or infinite sequence of edges which joins a "
"sequence of distinct vertices";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_hit_result = 0;
size_t n_hit_pattern = 0;
int thread_id = 0;
@@ -1440,7 +1440,7 @@ TEST(rs_expr_matcher_stream, basic)
const char *scan_data2 = " or infinite sequence of edges which joins a "
"sequence of distinct vertices";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_hit_result = 0;
size_t n_hit_pattern = 0;
int thread_id = 0;
@@ -1485,7 +1485,7 @@ TEST(hs_expr_matcher, regex_basic)
const char *scan_data1 = "http://www.cyberessays.com/search_results.php?"
"action=search&query=username,abckkk,1234567";
//const char *scan_data2 = "8rain";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1518,7 +1518,7 @@ TEST(rs_expr_matcher, regex_basic)
const char *scan_data1 = "http://www.cyberessays.com/search_results.php?"
"action=search&query=username,abckkk,1234567";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1547,7 +1547,7 @@ TEST(hs_expr_matcher, regex_unicode)
expr_array_free(rules, n_rule);
const char *scan_data = "string contains É";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1575,7 +1575,7 @@ TEST(rs_expr_matcher, regex_unicode)
expr_array_free(rules, n_rule);
const char *scan_data = "string contains É";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;
@@ -1604,7 +1604,7 @@ TEST(hs_expr_matcher, hit_pattern_num)
const char *scan_data1 = "string has one two";
const char *scan_data2 = "string has one two three";
struct expr_scan_result result[64] = {0};
uuid_t result[64] = {0};
size_t n_result = 0;
size_t n_hit_pattern = 0;

66
test/maat_framework_gtest.cpp
View File

@@ -1241,14 +1241,14 @@ TEST_F(HsStringScan, StreamHitDirectObject) {
int ret;
struct maat *maat_inst = HsStringScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
const char *table_name = "HTTP_URL";
const char *attribute_name = "HTTP_URL";
const char *table_name_url = "HTTP_URL";
const char *attribute_name_url = "HTTP_URL";
const char *scan_data1 = "www.3300av.com";
const char *scan_data2 = "sdadhuadhasdgufgh;sdfhjaufhiwebfiusdafhaos;dhfaluhjweh";
memset(results, 0, sizeof(results));
struct maat_stream *sp = maat_stream_new(maat_inst, table_name, attribute_name, state);
struct maat_stream *sp = maat_stream_new(maat_inst, table_name_url, attribute_name_url, state);
ASSERT_TRUE(sp != NULL);
ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results,
@@ -1265,7 +1265,7 @@ TEST_F(HsStringScan, StreamHitDirectObject) {
uuid_unparse(object_array[0].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000112");
ret = maat_scan_not_logic(maat_inst, table_name, attribute_name, results, ARRAY_SIZE,
ret = maat_scan_not_logic(maat_inst, table_name_url, attribute_name_url, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
@@ -1274,10 +1274,46 @@ TEST_F(HsStringScan, StreamHitDirectObject) {
EXPECT_EQ(ret, MAAT_SCAN_OK);
ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE);
EXPECT_EQ(ret, 0);
maat_stream_free(sp);
maat_state_reset(state);
const char *attribute_name_sig = "HTTP_SIGNATURE";
const char *table_name_sig = "HTTP_SIGNATURE";
const char *scan_data3 = "abckkk";
const char *scan_data4 = "123";
sp = maat_stream_new(maat_inst, table_name_sig, attribute_name_sig, state);
ASSERT_TRUE(sp != NULL);
ret = maat_stream_scan(sp, scan_data3, strlen(scan_data3), results,
ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), results,
ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
uuid_unparse(results[0], uuid_str);
EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000128");
ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE);
EXPECT_EQ(ret, 1);
uuid_unparse(object_array[0].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000107");
ret = maat_scan_not_logic(maat_inst, table_name_sig, attribute_name_sig, results, ARRAY_SIZE,
&n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_OK);
ret = maat_stream_scan(sp, scan_data4, strlen(scan_data4), results,
ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);//rule has been hit before
ret = maat_state_get_direct_hit_objects(state, object_array, ARRAY_SIZE);
EXPECT_EQ(ret, 1);
uuid_unparse(object_array[0].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000107");
maat_stream_free(sp);
maat_state_free(state);
state = NULL;
}
@@ -8775,7 +8811,7 @@ TEST_F(MaatCmd, HitObject) {
memset(hit_objects, 0, sizeof(hit_objects));
n_hit_object = maat_state_get_direct_hit_object_cnt(state);
maat_state_get_direct_hit_objects(state, hit_objects, n_hit_object);
EXPECT_EQ(n_hit_object, 2);
EXPECT_EQ(n_hit_object, 1);
uuid_unparse(hit_objects[0].item_uuid, uuid_str);
EXPECT_STREQ(uuid_str, item5_uuid_str);
@@ -8783,15 +8819,9 @@ TEST_F(MaatCmd, HitObject) {
EXPECT_STREQ(uuid_str, object1_uuid_str);
EXPECT_STREQ(hit_objects[0].attribute_name, keywords_attr_name);
uuid_unparse(hit_objects[1].item_uuid, uuid_str);
EXPECT_STREQ(uuid_str, item4_uuid_str);
uuid_unparse(hit_objects[1].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, object4_uuid_str);
EXPECT_STREQ(hit_objects[1].attribute_name, keywords_attr_name);
n_last_hit_object = maat_state_get_last_hit_object_cnt(state);
maat_state_get_last_hit_objects(state, last_hit_objects, 128);
EXPECT_EQ(n_last_hit_object, 3);
EXPECT_EQ(n_last_hit_object, 2);
uuid_unparse(last_hit_objects[0].item_uuid, uuid_str);
EXPECT_STREQ(uuid_str, item5_uuid_str);
@@ -8799,16 +8829,10 @@ TEST_F(MaatCmd, HitObject) {
EXPECT_STREQ(uuid_str, object1_uuid_str);
EXPECT_STREQ(last_hit_objects[0].attribute_name, keywords_attr_name);
uuid_unparse(last_hit_objects[1].item_uuid, uuid_str);
EXPECT_STREQ(uuid_str, item4_uuid_str);
EXPECT_TRUE(uuid_is_null(last_hit_objects[1].item_uuid));
uuid_unparse(last_hit_objects[1].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, object4_uuid_str);
EXPECT_STREQ(last_hit_objects[1].attribute_name, keywords_attr_name);
EXPECT_TRUE(uuid_is_null(last_hit_objects[2].item_uuid));
uuid_unparse(last_hit_objects[2].object_uuid, uuid_str);
EXPECT_STREQ(uuid_str, object11_uuid_str);
EXPECT_STREQ(last_hit_objects[2].attribute_name, keywords_attr_name);
EXPECT_STREQ(last_hit_objects[1].attribute_name, keywords_attr_name);
maat_stream_free(stream);
maat_state_free(state);