gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

如果扫描无规则数值类型的table时直接返回,导致未进行非表达式的运算。

Browse Source
This commit is contained in:
liuxueli
2021-08-20 14:44:09 +08:00
parent d86d220f33
commit c84fb97aae
4 changed files with 257 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/entry/Maat_api.cpp
View File

@@ -1544,12 +1544,8 @@ int Maat_scan_intval(Maat_feather_t feather,int table_id
return 0; return 0;
} }
struct Maat_table_runtime* table_rt=Maat_table_runtime_get(my_scanner->table_rt_mgr, p_table->table_id); struct Maat_table_runtime* table_rt=Maat_table_runtime_get(my_scanner->table_rt_mgr, p_table->table_id);
if(table_rt->origin_rule_num>0) // Even no rule in table, we still need to search for NOT compile.
// Even no rule in table, we still need to search for NOT compile. {
// if(table_rt->origin_rule_num==0)
// {
// return 0;
// }
if(p_table->table_type==TABLE_TYPE_INTERVAL_PLUS&&(_mid==NULL||_mid->is_set_district!=1)) if(p_table->table_type==TABLE_TYPE_INTERVAL_PLUS&&(_mid==NULL||_mid->is_set_district!=1))
{ {
_feather->scan_err_cnt++; _feather->scan_err_cnt++;
@@ -1576,7 +1572,9 @@ int Maat_scan_intval(Maat_feather_t feather,int table_id
_feather->scan_err_cnt++; _feather->scan_err_cnt++;
return -1; return -1;
} }
else if(region_ret>0 || scan_status_should_compile_NOT(_mid)) }
if(region_ret>0 || scan_status_should_compile_NOT(_mid))
{ {
if(region_ret>0) if(region_ret>0)
{ {

114
test/maat_json.json
View File

@@ -2117,7 +2117,7 @@
"is_valid": "yes", "is_valid": "yes",
"groups": [ "groups": [
{ {
"not_flag":1, "not_flag": 1,
"regions": [ "regions": [
{ {
"table_name": "HTTP_URL", "table_name": "HTTP_URL",
@@ -2138,9 +2138,9 @@
"table_name": "IP_PLUS_CONFIG", "table_name": "IP_PLUS_CONFIG",
"table_content": { "table_content": {
"addr_type": "ipv4", "addr_type": "ipv4",
"saddr_format": "CIDR", "saddr_format": "range",
"src_ip1": "10.0.8.18", "src_ip1": "10.0.8.186",
"src_ip2": "10.0.8.18", "src_ip2": "10.0.8.186",
"sport_format": "range", "sport_format": "range",
"src_port1": "18611", "src_port1": "18611",
"src_port2": "18611", "src_port2": "18611",
@@ -2155,7 +2155,111 @@
} }
} }
], ],
"not_flag" : 0 "not_flag": 0
}
]
},
{
"compile_id": 187,
"service": 1,
"action": 1,
"do_blacklist": 1,
"do_log": 1,
"user_region": "NOTLogic.ScanHitAtLast",
"is_valid": "yes",
"groups": [
{
"not_flag": 1,
"regions": [
{
"table_name": "HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "must-not-contained-string-of-rule-187",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
},
{
"regions": [
{
"table_type": "ip_plus",
"table_name": "IP_PLUS_CONFIG",
"table_content": {
"addr_type": "ipv4",
"saddr_format": "range",
"src_ip1": "10.0.8.187",
"src_ip2": "10.0.8.187",
"sport_format": "range",
"src_port1": "18611",
"src_port2": "18611",
"daddr_format": "range",
"dst_ip1": "10.0.8.20",
"dst_ip2": "10.0.8.20",
"dport_format": "range",
"dst_port1": "80",
"dst_port2": "80",
"protocol": 6,
"direction": "single"
}
}
],
"not_flag": 0
}
]
},
{
"compile_id": 188,
"service": 1,
"action": 1,
"do_blacklist": 1,
"do_log": 1,
"user_region": "NOTLogic.ScanHitAtLast",
"is_valid": "yes",
"groups": [
{
"not_flag": 1,
"regions": [
{
"table_name": "HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "must-not-contained-string-of-rule-188",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
},
{
"regions": [
{
"table_type": "ip_plus",
"table_name": "IP_PLUS_CONFIG",
"table_content": {
"addr_type": "ipv4",
"saddr_format": "range",
"src_ip1": "10.0.8.188",
"src_ip2": "10.0.8.188",
"sport_format": "range",
"src_port1": "18611",
"src_port2": "18611",
"daddr_format": "range",
"dst_ip1": "10.0.8.20",
"dst_ip2": "10.0.8.20",
"dport_format": "range",
"dst_port1": "80",
"dst_port2": "80",
"protocol": 6,
"direction": "single"
}
}
],
"not_flag": 0
} }
] ]
} }

2
test/table_info.conf
View File

@@ -60,3 +60,5 @@
37 VIRTUAL_SSL_SNI virtual ["KEYWORDS_TABLE","INTERGER_PLUS"] -- 37 VIRTUAL_SSL_SNI virtual ["KEYWORDS_TABLE","INTERGER_PLUS"] --
38 APP_ID intval -- 38 APP_ID intval --
39 EMPTY_KEYWORD expr UTF8 UTF8 yes 0 39 EMPTY_KEYWORD expr UTF8 UTF8 yes 0
40 EMPTY_INTERGER intval UTF8 UTF8 yes 0
10 EMPTY_SIMILAR similar --

96
test/test_maatframe.cpp
View File

@@ -1114,7 +1114,7 @@ TEST(NOTLogic, ScanIrrelavantAtLast)
Maat_clean_status(&mid); Maat_clean_status(&mid);
} }
TEST(NOTLogic, ScanHitAtLast) TEST(NOTLogic, ScanHitAtLastEmptyExpr)
{ {
const char* string_should_not_hit="This string should not hit."; const char* string_should_not_hit="This string should not hit.";
const char* string_match_no_region="This string is matched against a empty table."; const char* string_match_no_region="This string is matched against a empty table.";
@@ -1134,7 +1134,7 @@ TEST(NOTLogic, ScanHitAtLast)
struct ipaddr ipv4_addr; struct ipaddr ipv4_addr;
struct stream_tuple4_v4 v4_addr; struct stream_tuple4_v4 v4_addr;
ipv4_addr.addrtype=ADDR_TYPE_IPV4; ipv4_addr.addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,"10.0.8.18",&(v4_addr.saddr)); inet_pton(AF_INET,"10.0.8.186",&(v4_addr.saddr));
v4_addr.source=htons(18611); v4_addr.source=htons(18611);
inet_pton(AF_INET,"10.0.8.20",&(v4_addr.daddr)); inet_pton(AF_INET,"10.0.8.20",&(v4_addr.daddr));
v4_addr.dest=htons(80); v4_addr.dest=htons(80);
@@ -1161,6 +1161,98 @@ TEST(NOTLogic, ScanHitAtLast)
} }
TEST(NOTLogic, ScanHitAtLastEmptyInteger)
{
const char* string_should_not_hit="This string should not hit.";
const char* string_match_no_region="This string is matched against a empty table.";
int ret=0;
int table_id=0;
struct Maat_rule_t result[4];
int found_pos[4];
const char* not_hit_table_name="HTTP_URL", *hit_table_name1="IP_PLUS_CONFIG", *empty_table_name="EMPTY_INTERGER";
scan_status_t mid=NULL;
table_id=Maat_table_register(g_feather, not_hit_table_name);
ASSERT_GT(table_id, 0);
ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, string_should_not_hit, strlen(string_should_not_hit),
result, found_pos, 4, &mid, 0);
EXPECT_GE(ret, 0);
struct ipaddr ipv4_addr;
struct stream_tuple4_v4 v4_addr;
ipv4_addr.addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,"10.0.8.187",&(v4_addr.saddr));
v4_addr.source=htons(18611);
inet_pton(AF_INET,"10.0.8.20",&(v4_addr.daddr));
v4_addr.dest=htons(80);
ipv4_addr.v4=&v4_addr;
table_id=Maat_table_register(g_feather, hit_table_name1);
ASSERT_GT(table_id, 0);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid,0);
EXPECT_EQ(ret, -2);
table_id=Maat_table_register(g_feather, empty_table_name);
ASSERT_GT(table_id, 0);
Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
ret=Maat_scan_intval(g_feather, table_id, 2015, result, 4, &mid, 0);
EXPECT_EQ(ret, 1);
EXPECT_EQ(result[0].config_id, 187);
Maat_clean_status(&mid);
}
TEST(NOTLogic, ScanHitAtLastEmptySimilar)
{
const char* string_should_not_hit="This string should not hit.";
const char* string_match_no_region="This string is matched against a empty table.";
int ret=0;
int table_id=0;
struct Maat_rule_t result[4];
int found_pos[4];
const char* not_hit_table_name="HTTP_URL", *hit_table_name1="IP_PLUS_CONFIG", *empty_table_name="EMPTY_SIMILAR";
scan_status_t mid=NULL;
table_id=Maat_table_register(g_feather, not_hit_table_name);
ASSERT_GT(table_id, 0);
ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, string_should_not_hit, strlen(string_should_not_hit),
result, found_pos, 4, &mid, 0);
EXPECT_GE(ret, 0);
struct ipaddr ipv4_addr;
struct stream_tuple4_v4 v4_addr;
ipv4_addr.addrtype=ADDR_TYPE_IPV4;
inet_pton(AF_INET,"10.0.8.188",&(v4_addr.saddr));
v4_addr.source=htons(18611);
inet_pton(AF_INET,"10.0.8.20",&(v4_addr.daddr));
v4_addr.dest=htons(80);
ipv4_addr.v4=&v4_addr;
table_id=Maat_table_register(g_feather, hit_table_name1);
ASSERT_GT(table_id, 0);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid,0);
EXPECT_EQ(ret, -2);
table_id=Maat_table_register(g_feather, empty_table_name);
ASSERT_GT(table_id, 0);
Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION, NULL, 0);
ret=Maat_similar_scan_string(g_feather, table_id, string_match_no_region, strlen(string_match_no_region), result, 4,&mid, 0);
EXPECT_EQ(ret, 1);
EXPECT_EQ(result[0].config_id, 188);
Maat_clean_status(&mid);
}
TEST(NOTLogic, ScanNotIP) TEST(NOTLogic, ScanNotIP)
{ {
const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-145."; const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-145.";