diff --git a/src/inc_internal/maat_compile.h b/src/inc_internal/maat_compile.h index da07eff..ce55083 100644 --- a/src/inc_internal/maat_compile.h +++ b/src/inc_internal/maat_compile.h @@ -54,7 +54,7 @@ int compile_runtime_update(void *compile_runtime, void *compile_schema, int compile_runtime_commit(void *compile_runtime, const char *table_name); int compile_runtime_match(struct compile_runtime *compile_rt, long long *compile_ids, - size_t compile_ids_size, struct maat_state *state); + int ids_index, size_t compile_ids_size, struct maat_state *state); size_t compile_runtime_get_hit_paths(struct compile_runtime *compile_rt, struct group2group_runtime *g2g_rt, diff --git a/src/maat_api.c b/src/maat_api.c index eab2c80..33388a9 100644 --- a/src/maat_api.c +++ b/src/maat_api.c @@ -915,11 +915,11 @@ static inline int scan_status_should_compile_NOT(struct maat_state *state) return 0; } -size_t hit_group_to_compile(void *compile_runtime, long long *compile_ids, size_t compile_ids_size, - struct maat_state *mid) +size_t hit_group_to_compile(void *compile_runtime, long long *compile_ids, int ids_index, + size_t compile_ids_size, struct maat_state *mid) { size_t n_hit_compile = compile_runtime_match((struct compile_runtime *)compile_runtime, - compile_ids, compile_ids_size, mid); + compile_ids, ids_index, compile_ids_size, mid); return n_hit_compile; } @@ -1181,7 +1181,7 @@ size_t group_to_compile(struct maat *maat_instance, long long *results, size_t n for (size_t i = 0; i < compile_table_cnt; i++) { void *compile_rt = table_manager_get_runtime(maat_instance->tbl_mgr, compile_table_id[i]); - size_t n_hit_compile = hit_group_to_compile(compile_rt, results, n_result, mid); + size_t n_hit_compile = hit_group_to_compile(compile_rt, results, sum_hit_compile_cnt, n_result, mid); sum_hit_compile_cnt += n_hit_compile; } diff --git a/src/maat_bool_plugin.c b/src/maat_bool_plugin.c index ca7e6e9..852cfe1 100644 --- a/src/maat_bool_plugin.c +++ b/src/maat_bool_plugin.c 
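Review bot: In group_to_compile (maat_api.c), `hit_group_to_compile(compile_rt, results, sum_hit_compile_cnt, n_result, mid)` passes a growing write offset but still the full `n_result` as capacity. From the second compile table on, the callee is therefore told it has more room than `results` has left. The new parameter is also declared `int ids_index` although the value passed is a `size_t`, so it narrows silently. I would declare it `size_t ids_index` in all three signatures and stop once the buffer is used up, e.g. `if (sum_hit_compile_cnt >= n_result) break;` before the call. The loop and the declaration of `results` are only partly inside the hunk, so confirm whether an outer clamp already exists.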
@@ -36,7 +36,6 @@ struct bool_plugin_runtime { struct ex_data_runtime *ex_data_rt; uint32_t rule_num; - uint32_t updating_rule_num; struct maat_garbage_bin *ref_garbage_bin; struct log_handle *logger; @@ -474,16 +473,15 @@ int bool_plugin_runtime_get_ex_data(void *bool_plugin_runtime, unsigned long lon } struct bool_plugin_runtime *bool_plugin_rt = (struct bool_plugin_runtime *)bool_plugin_runtime; - if (NULL == bool_plugin_rt->matcher) { - log_info(bool_plugin_rt->logger, MODULE_BOOL_PLUGIN, - "bool_matcher is NULL, can't get ex data"); - return -1; + if (0 == bool_plugin_rt->rule_num) { + return 0; } struct bool_expr_match results[n_ex_data]; memset(results, 0, sizeof(results)); n_item = ull_dedup(item_ids, n_item); + assert(bool_plugin_rt->matcher != NULL); int n_result = bool_matcher_match(bool_plugin_rt->matcher, item_ids, n_item, results, n_ex_data); for (int i = 0; i < n_result; i++) { ex_data_array[i] = ex_data_runtime_get_ex_data_by_container(bool_plugin_rt->ex_data_rt, diff --git a/src/maat_compile.c b/src/maat_compile.c index 6aa6602..1dd01ad 100644 --- a/src/maat_compile.c +++ b/src/maat_compile.c @@ -74,7 +74,6 @@ struct compile_runtime { unsigned long long clause_id_generator; uint32_t rule_num; - uint32_t updating_rule_num; pthread_rwlock_t rwlock; /* TODO: replaced with mutex? */ struct bool_expr_match *expr_match_buff; @@ -963,7 +962,7 @@ maat_compile_bool_matcher_new(struct maat_compile *compile_hash, #if 0 struct maat_literal_id *p = NULL; for(p = (struct maat_literal_id *)utarray_front(compile->clause_states[i].literal_ids); p!=NULL; p=(struct maat_literal_id *)utarray_next(compile->clause_states[i].literal_ids,p)) { - printf(" compile_id:%llu, clause_id:%llu, literal{%llu: %d}\n", + printf(" compile_id:%lld, clause_id:%llu, literal{%lld: %d}\n", compile->compile_id, compile->clause_states[i].clause_id, p->group_id, p->vtable_id); } #endif 
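Review bot: In bool_plugin_runtime_get_ex_data the runtime check on `bool_plugin_rt->matcher` (log and `return -1`) is replaced by `assert(bool_plugin_rt->matcher != NULL)`, which compiles out under NDEBUG and otherwise aborts the host process. The new early return only covers `rule_num == 0`, and nothing visible in the hunk ties a non-zero `rule_num` to a non-NULL matcher, for instance if matcher construction fails at commit time. A release build could then pass NULL into bool_matcher_match, so I would keep a real guard beside the assert: `if (NULL == bool_plugin_rt->matcher) { return -1; }`. The same substitution appears in fqdn_plugin_runtime_get_ex_data (`engine`) and ip_plugin_runtime_get_ex_data (`ip_matcher`).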
@@ -1102,17 +1101,14 @@ size_t maat_compile_bool_matcher_match(struct bool_matcher *bm, int is_last_scan size_t n_this_scan_hit_item = compile_state->this_scan_hit_item_cnt; if ((compile->not_clause_cnt > 0) && (LAST_SCAN_UNSET == is_last_scan)) { compile_state->not_clause_hitted_flag = 1; - } - - //TODO: not_clause - if (compile->user_data) { - if (n_new_hit_compile > 0 || 0 == n_this_scan_hit_item) { + } else if (compile->user_data) { + if (n_new_hit_compile > 0 || 0 == n_this_scan_hit_item) { /* compile hit because of new item or - hit a compile that refer a NOT-logic group in previous scan */ + hit a compile that refer a NOT-logic group in previous scan */ user_data_array[ud_result_cnt] = compile->user_data; ud_result_cnt++; } - } + } } compile_state->this_scan_hit_item_cnt = 0; @@ -1123,6 +1119,7 @@ int maat_add_group_to_compile(struct maat_compile **compile_hash, struct group2c struct log_handle *logger) { int ret = -1; + struct maat_compile *compile = maat_compile_hash_find(compile_hash, g2c_item->compile_id); if (!compile) { compile = maat_compile_new(g2c_item->compile_id); @@ -1746,9 +1743,8 @@ static int compare_compile_rule(const void *a, const void *b) return compile_sort_para_compare(&sa, &sb); } -int compile_runtime_match(struct compile_runtime *compile_rt, - long long *compile_ids, size_t compile_ids_size, - struct maat_state *state) +int compile_runtime_match(struct compile_runtime *compile_rt, long long *compile_ids, + int ids_index, size_t compile_ids_size, struct maat_state *state) { struct maat_compile_state *compile_state = state->compile_state; int is_last_scan = state->is_last_scan; @@ -1767,7 +1763,7 @@ int compile_runtime_match(struct compile_runtime *compile_rt, } for (size_t i = 0; i < bool_match_ret; i++) { - compile_ids[i] = compile_rules[i]->compile_id; + compile_ids[ids_index + i] = compile_rules[i]->compile_id; } return MIN(bool_match_ret, compile_ids_size); diff --git a/src/maat_expr.c b/src/maat_expr.c index 4c8819d..26982de 100644 
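Review bot: In compile_runtime_match the store `compile_ids[ids_index + i] = compile_rules[i]->compile_id;` runs for every `i < bool_match_ret` and is never compared with `compile_ids_size`. The function still returns `MIN(bool_match_ret, compile_ids_size)`, which suggests `bool_match_ret` can exceed the buffer, and the new offset moves the write further toward the end of the caller's array. I would clamp against the remaining room, `size_t room = (size_t)ids_index < compile_ids_size ? compile_ids_size - (size_t)ids_index : 0;`, then loop with `i < bool_match_ret && i < room` and return `MIN(bool_match_ret, room)`. The code that computes `bool_match_ret` lies between the two hunks and is not visible, so confirm whether it is already bounded there.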
--- a/src/maat_expr.c +++ b/src/maat_expr.c @@ -77,7 +77,7 @@ struct expr_runtime { struct group2group_runtime *ref_g2g_rt; uint32_t rule_num; - uint32_t updating_rule_num; + struct maat_item *item_hash; void (*item_user_data_free)(void *); @@ -850,9 +850,9 @@ int expr_runtime_commit(void *expr_runtime, const char *table_name) int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id, const char *data, size_t data_len, int vtable_id, struct maat_state *state) { - if (NULL == expr_rt || thread_id < 0 || NULL == data || 0 == data_len - || vtable_id < 0 || NULL == state) { - return -1; + if (0 == expr_rt->rule_num) { + //empty expr table + return 0; } size_t n_hit_item = 0; @@ -919,9 +919,9 @@ int expr_runtime_stream_open(struct expr_runtime *expr_rt, int thread_id) int expr_runtime_stream_scan(struct expr_runtime *expr_rt, const char *data, size_t data_len, int vtable_id, struct maat_state *state) { - if (NULL == expr_rt || NULL == data || 0 == data_len || - vtable_id < 0 || NULL == state) { - return -1; + if (0 == expr_rt->rule_num) { + //empty expr table + return 0; } size_t n_hit_item = 0; diff --git a/src/maat_flag.c b/src/maat_flag.c index 9f3ebfb..7bda84e 100644 --- a/src/maat_flag.c +++ b/src/maat_flag.c @@ -47,7 +47,7 @@ struct flag_runtime { struct rcu_hash_table *htable; uint32_t rule_num; - uint32_t updating_rule_num; + struct maat_item *item_hash; void (*item_user_data_free)(void *); @@ -450,6 +450,11 @@ int flag_runtime_commit(void *flag_runtime, const char *table_name) int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id, long long flag, int vtable_id, struct maat_state *state) { + if (0 == flag_rt->rule_num) { + //empty flag table + return 0; + } + struct flag_result hit_results[MAX_SCANNER_HIT_ITEM_NUM] = {0}; int n_hit_item = flag_matcher_match(flag_rt->matcher, flag, diff --git a/src/maat_fqdn.c b/src/maat_fqdn.c index 93ab01d..80f3fef 100644 --- a/src/maat_fqdn.c +++ b/src/maat_fqdn.c 
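Review bot: expr_runtime_scan and expr_runtime_stream_scan now read `expr_rt->rule_num` as their first statement, while the removed guard rejected `NULL == expr_rt`, `NULL == data`, `0 == data_len`, a negative `vtable_id` (and `thread_id` in the first function) and `NULL == state`. Unless every caller validates these, which is not visible here, a NULL runtime is dereferenced at the new check and the remaining arguments go on unchecked to whatever the rest of the body does with them. I would keep the argument check ahead of the empty-table shortcut: `if (NULL == expr_rt || NULL == data || 0 == data_len || vtable_id < 0 || NULL == state) { return -1; }`, then `if (0 == expr_rt->rule_num) { return 0; }`. Both function bodies continue outside their hunks.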
@@ -26,7 +26,7 @@ struct fqdn_runtime { struct rcu_hash_table *htable; uint32_t rule_num; - uint32_t updating_rule_num; + struct maat_item *item_hash; void (*item_user_data_free)(void *); diff --git a/src/maat_fqdn_plugin.c b/src/maat_fqdn_plugin.c index 6b86536..4fbd380 100644 --- a/src/maat_fqdn_plugin.c +++ b/src/maat_fqdn_plugin.c @@ -38,7 +38,6 @@ struct fqdn_plugin_runtime { struct ex_data_runtime *ex_data_rt; uint32_t rule_num; - uint32_t updating_rule_num; struct maat_garbage_bin *ref_garbage_bin; struct log_handle *logger; @@ -456,15 +455,14 @@ int fqdn_plugin_runtime_get_ex_data(void *fqdn_plugin_runtime, const char *query } struct fqdn_plugin_runtime *fqdn_plugin_rt = (struct fqdn_plugin_runtime *)fqdn_plugin_runtime; - if (NULL == fqdn_plugin_rt->engine) { - log_info(fqdn_plugin_rt->logger, MODULE_FQDN_PLUGIN, - "fqdn_engine is NULL, can't get ex data"); - return -1; + if (0 == fqdn_plugin_rt->rule_num) { + return 0; } struct FQDN_match results[n_ex_data]; memset(results, 0, sizeof(results)); + assert(fqdn_plugin_rt->engine != NULL); int n_result = FQDN_engine_search(fqdn_plugin_rt->engine, query_fqdn, strlen(query_fqdn), results, n_ex_data); for (int i = 0; i < n_result; i++) { ex_data_array[i] = ex_data_runtime_get_ex_data_by_container(fqdn_plugin_rt->ex_data_rt, diff --git a/src/maat_group.c b/src/maat_group.c index 0917246..a77a256 100644 --- a/src/maat_group.c +++ b/src/maat_group.c @@ -61,7 +61,6 @@ struct group2group_runtime { struct maat_group_topology *group_topo; uint32_t rule_num; - uint32_t updating_rule_num; pthread_rwlock_t rwlock; struct maat_garbage_bin *ref_garbage_bin; diff --git a/src/maat_interval.c b/src/maat_interval.c index 73f3856..fc3085a 100644 --- a/src/maat_interval.c +++ b/src/maat_interval.c @@ -44,7 +44,7 @@ struct interval_runtime { struct rcu_hash_table *htable; uint32_t rule_num; - uint32_t updating_rule_num; + struct maat_item *item_hash; void (*item_user_data_free)(void *); 
@@ -447,6 +447,11 @@ int interval_runtime_commit(void *interval_runtime, const char *table_name) int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id, long long integer, int vtable_id, struct maat_state *state) { + if (0 == interval_rt->rule_num) { + //empty interval table + return 0; + } + struct interval_result hit_results[MAX_SCANNER_HIT_ITEM_NUM] = {0}; int n_hit_item = interval_matcher_match(interval_rt->matcher, integer, diff --git a/src/maat_ip.c b/src/maat_ip.c index 7eaf900..a21b170 100644 --- a/src/maat_ip.c +++ b/src/maat_ip.c @@ -59,7 +59,7 @@ struct ip_runtime { struct ex_data_runtime* ex_data_rt; uint32_t rule_num; - uint32_t updating_rule_num; + struct maat_item *item_hash; void (*item_user_data_free)(void *); @@ -486,6 +486,10 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name) int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type, uint8_t *ip_addr, int vtable_id, struct maat_state *state) { + if (0 == ip_rt->rule_num) { + //empty ip table + return 0; + } int n_hit_item = 0; struct scan_result scan_results[MAX_SCANNER_HIT_ITEM_NUM] = {0}; diff --git a/src/maat_ip_plugin.c b/src/maat_ip_plugin.c index d275421..ea31189 100644 --- a/src/maat_ip_plugin.c +++ b/src/maat_ip_plugin.c @@ -42,7 +42,6 @@ struct ip_plugin_runtime { struct ex_data_runtime *ex_data_rt; uint32_t rule_num; - uint32_t updating_rule_num; struct maat_garbage_bin *ref_garbage_bin; struct log_handle *logger; @@ -501,10 +500,8 @@ int ip_plugin_runtime_get_ex_data(void *ip_plugin_runtime, const struct ip_addr } struct ip_plugin_runtime *ip_plugin_rt = (struct ip_plugin_runtime *)ip_plugin_runtime; - if (NULL == ip_plugin_rt->ip_matcher) { - log_info(ip_plugin_rt->logger, MODULE_IP_PLUGIN, - "ip_matcher is NULL, can't get ex data"); - return -1; + if (0 == ip_plugin_rt->rule_num) { + return 0; } struct scan_result results[n_ex_data]; 
@@ -517,6 +514,7 @@ int ip_plugin_runtime_get_ex_data(void *ip_plugin_runtime, const struct ip_addr ipv6_ntoh(ip_data.ipv6); } + assert(ip_plugin_rt->ip_matcher != NULL); int n_result = ip_matcher_match(ip_plugin_rt->ip_matcher, &ip_data, results, n_ex_data); for (int i = 0; i < n_result; i++) { ex_data_array[i] = ex_data_runtime_get_ex_data_by_container(ip_plugin_rt->ex_data_rt, diff --git a/src/maat_plugin.c b/src/maat_plugin.c index afff71e..ac1f7cc 100644 --- a/src/maat_plugin.c +++ b/src/maat_plugin.c @@ -32,7 +32,6 @@ struct plugin_runtime { struct ex_data_runtime *ex_data_rt; uint32_t rule_num; - uint32_t updating_rule_num; struct maat_garbage_bin *ref_garbage_bin; struct log_handle *logger; diff --git a/src/maat_table.c b/src/maat_table.c index dba9f3f..7c79f10 100644 --- a/src/maat_table.c +++ b/src/maat_table.c 
@@ -306,17 +306,31 @@ static int register_tablename2id(cJSON *json, struct maat_kv_store *tablename2id __FUNCTION__, __LINE__, table_id); return -1; } - } - } - if (strlen(item->valuestring) >= NAME_MAX) { - log_error(logger, MODULE_TABLE, - "[%s:%d] table(table_id:%d) name %s length too long", - __FUNCTION__, __LINE__, table_id, item->valuestring); - return -1; + if (strlen(tmp_item->valuestring) >= NAME_MAX) { + log_error(logger, MODULE_TABLE, + "[%s:%d] table(table_id:%d) name %s length too long", + __FUNCTION__, __LINE__, table_id, tmp_item->valuestring); + return -1; + } + + maat_kv_register(tablename2id_map, tmp_item->valuestring, table_id); + log_info(logger, MODULE_TABLE, "tablename[%s] -> table_id:[%d]", + tmp_item->valuestring, table_id); + } + } else { + //cJSON_String + if (strlen(item->valuestring) >= NAME_MAX) { + log_error(logger, MODULE_TABLE, + "[%s:%d] table(table_id:%d) name %s length too long", + __FUNCTION__, __LINE__, table_id, item->valuestring); + return -1; + } + + maat_kv_register(tablename2id_map, item->valuestring, table_id); + log_info(logger, MODULE_TABLE, "table_name[%s] -> table_id:[%d]", + item->valuestring, table_id); } - - maat_kv_register(tablename2id_map, item->valuestring, table_id); return 0; } 
@@ -341,20 +355,14 @@ struct maat_table *maat_table_new(cJSON *json, struct maat_kv_store *reserved_wo ptable->table_id = item->valueint; item = cJSON_GetObjectItem(json, "table_name"); - if (NULL == item || (item->type != cJSON_String && item->type != cJSON_Array)) { - log_error(logger, MODULE_TABLE, - "[%s:%d] table(table_id:%d) has no table name", - __FUNCTION__, __LINE__, ptable->table_id); - goto error; + // already validate in register_tablename2id + if (item->type == cJSON_Array) { + cJSON *tmp_item = cJSON_GetArrayItem(item, 0); + memcpy(ptable->table_name, tmp_item->valuestring, strlen(tmp_item->valuestring)); + } else { + //cJSON_String + memcpy(ptable->table_name, item->valuestring, strlen(item->valuestring)); } - - if (strlen(item->valuestring) >= NAME_MAX) { - log_error(logger, MODULE_TABLE, - "[%s:%d] table(table_id:%d) name %s length too long", - __FUNCTION__, __LINE__, ptable->table_id, item->valuestring); - goto error; - } - memcpy(ptable->table_name, item->valuestring, strlen(item->valuestring)); item = cJSON_GetObjectItem(json, "table_type"); if (NULL == item || item->type != cJSON_String) { diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp index 44f328a..e42f02a 100644 --- a/test/maat_framework_gtest.cpp +++ b/test/maat_framework_gtest.cpp @@ -602,9 +602,8 @@ TEST_F(MaatIPScan, IPv4) { ret = maat_scan_ipv4(g_maat_instance, table_id, 0, sip, results, ARRAY_SIZE, &n_hit_result, &state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 2); - EXPECT_EQ(results[0], 169); - EXPECT_EQ(results[1], 154); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 154); maat_state_free(&state); } 
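Review bot: maat_table_new now dereferences `item->type` and copies `strlen(valuestring)` bytes into `ptable->table_name` with no local check, relying on the comment `// already validate in register_tablename2id`. In the array branch `cJSON_GetArrayItem(item, 0)` returns NULL for an empty array, and this diff does not show whether register_tablename2id rejects an empty array or a missing `table_name`. Since the table schema is parsed input, I would select the name into a local in either branch and keep a cheap guard at the copy site: `if (NULL == name || strlen(name) >= NAME_MAX) goto error;`. The copy could then be `snprintf(ptable->table_name, sizeof(ptable->table_name), "%s", name);`, assuming `table_name` is an array member, which also guarantees termination.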
@@ -641,9 +640,8 @@ TEST_F(MaatIPScan, dynamic_config) { struct maat_state *state = NULL; ret = maat_scan_ipv4(g_maat_instance, table_id, 0, sip, results, ARRAY_SIZE, &n_hit_result, &state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - EXPECT_EQ(results[0], 169); + EXPECT_EQ(ret, MAAT_SCAN_OK); + EXPECT_EQ(n_hit_result, 0); maat_state_free(&state); /* add new line in GROUP2COMPILE table */ @@ -680,9 +678,8 @@ TEST_F(MaatIPScan, dynamic_config) { ret = maat_scan_ipv4(g_maat_instance, table_id, 0, sip, results, ARRAY_SIZE, &n_hit_result, &state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 2); + EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 9998); - EXPECT_EQ(results[1], 169); maat_state_free(&state); /* del new line in IP_PLUS_CONFIG */ 
@@ -778,32 +775,161 @@ protected: } }; -TEST_F(NOTLogic, ScanNotAtLast) { - const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144."; - const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-144 and must-not-contained-string-of-rule-144."; - +TEST_F(NOTLogic, OneRegion) { + const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-143."; + const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-143 and must-not-contained-string-of-rule-143."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; struct maat_state *state = NULL; - const char *hit_table_name = "HTTP_URL_LITERAL"; - const char *not_hit_table_name = "KEYWORDS_TABLE"; - int hit_table_id = maat_get_table_id(g_maat_instance, hit_table_name); - int not_hit_table_id = maat_get_table_id(g_maat_instance, not_hit_table_name); + const char *table_name = "HTTP_URL_LITERAL"; - int ret = maat_scan_string(g_maat_instance, hit_table_id, 0, string_should_hit, strlen(string_should_hit), + int table_id = maat_get_table_id(g_maat_instance, table_name); + maat_state_set_last_scan(g_maat_instance, &state); + int ret = maat_scan_string(g_maat_instance, table_id, 0, string_should_hit, strlen(string_should_hit), results, ARRAY_SIZE, &n_hit_result, &state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); - EXPECT_EQ(results[0], 144); - - maat_state_set_last_scan(g_maat_instance, &state); - ret = maat_scan_string(g_maat_instance, not_hit_table_id, 0, string_should_not_hit, strlen(string_should_not_hit), + EXPECT_EQ(results[0], 143); + maat_state_free(&state); + + maat_state_set_last_scan(g_maat_instance, &state); + ret = maat_scan_string(g_maat_instance, table_id, 0, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, &state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_free(&state); } +TEST_F(NOTLogic, ScanNotAtLast) { + 
const char *string_should_hit="This string ONLY contains must-contained-string-of-rule-144."; + const char *string_should_not_hit="This string contains both must-contained-string-of-rule-144 and must-not-contained-string-of-rule-144."; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *hit_table_name = "HTTP_URL_LITERAL"; + const char *not_hit_table_name = "KEYWORDS_TABLE"; + + int hit_table_id = maat_get_table_id(g_maat_instance, hit_table_name); + ASSERT_GT(hit_table_id, 0); + + int ret = maat_scan_string(g_maat_instance, hit_table_id, 0, string_should_hit, strlen(string_should_hit), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int not_hit_table_id = maat_get_table_id(g_maat_instance, not_hit_table_name); + ASSERT_GT(not_hit_table_id, 0); + + maat_state_set_last_scan(g_maat_instance, &state); + ret = maat_scan_string(g_maat_instance, not_hit_table_id, 0, string_should_not_hit, strlen(string_should_not_hit), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + maat_state_free(&state); +} + +TEST_F(NOTLogic, ScanIrrelavantAtLast) { + const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144."; + const char *string_irrelevant = "This string contiains nothing to hit."; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *hit_table_name = "HTTP_URL_LITERAL"; + const char *not_hit_table_name = "KEYWORDS_TABLE"; + + int hit_table_id = maat_get_table_id(g_maat_instance, hit_table_name); + ASSERT_GT(hit_table_id, 0); + + int ret = maat_scan_string(g_maat_instance, hit_table_id, 0, string_should_hit, strlen(string_should_hit), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int not_hit_table_id = maat_get_table_id(g_maat_instance, not_hit_table_name); + ASSERT_GT(hit_table_id, 0); + + 
maat_state_set_last_scan(g_maat_instance, &state); + ret = maat_scan_string(g_maat_instance, not_hit_table_id, 0, string_irrelevant, strlen(string_irrelevant), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 144); + maat_state_free(&state); +} + +TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) { + const char *string_should_not_hit = "This string should not hit."; + const char *string_match_no_region = "This string is matched against a empty table."; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *not_hit_table_name = "HTTP_URL_LITERAL"; + const char *hit_table_name = "IP_PLUS_CONFIG"; + const char *empty_table_name = "EMPTY_KEYWORD"; + + int not_hit_table_id = maat_get_table_id(g_maat_instance, not_hit_table_name); + ASSERT_GT(not_hit_table_id, 0); + + int ret = maat_scan_string(g_maat_instance, not_hit_table_id, 0, string_should_not_hit, strlen(string_should_not_hit), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + uint32_t sip; + inet_pton(AF_INET, "10.0.8.186", &sip); + + int hit_table_id = maat_get_table_id(g_maat_instance, hit_table_name); + ASSERT_GT(hit_table_id, 0); + + ret = maat_scan_ipv4(g_maat_instance, hit_table_id, 0, sip, + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int empty_table_id = maat_get_table_id(g_maat_instance, empty_table_name); + ASSERT_GT(empty_table_id, 0); + + maat_state_set_last_scan(g_maat_instance, &state); + ret = maat_scan_string(g_maat_instance, empty_table_id, 0, string_match_no_region, strlen(string_match_no_region), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 186); + maat_state_free(&state); +} + +TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) { + const char *string_should_not_hit = "This string should not hit."; + long 
long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *not_hit_table_name = "HTTP_URL_LITERAL"; + const char *hit_table_name = "IP_PLUS_CONFIG"; + const char *empty_table_name = "EMPTY_INTERGER"; + + int not_hit_table_id = maat_get_table_id(g_maat_instance, not_hit_table_name); + ASSERT_GT(not_hit_table_id, 0); + + int ret = maat_scan_string(g_maat_instance, not_hit_table_id, 0, string_should_not_hit, strlen(string_should_not_hit), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_OK); + + uint32_t sip; + inet_pton(AF_INET, "10.0.8.187", &sip); + + int hit_table_id = maat_get_table_id(g_maat_instance, hit_table_name); + ASSERT_GT(hit_table_id, 0); + + ret = maat_scan_ipv4(g_maat_instance, hit_table_id, 0, sip, + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int empty_table_id = maat_get_table_id(g_maat_instance, empty_table_name); + ASSERT_GT(empty_table_id, 0); + + maat_state_set_last_scan(g_maat_instance, &state); + ret = maat_scan_integer(g_maat_instance, empty_table_id, 0, 2015, + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(results[0], 187); + maat_state_free(&state); +} + void maat_read_entry_start_cb(int update_type, void *u_para) { 
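Review bot: In NOTLogic.ScanIrrelavantAtLast the second table lookup is never checked: after `int not_hit_table_id = maat_get_table_id(...)` the test asserts `ASSERT_GT(hit_table_id, 0)` again, so a missing KEYWORDS_TABLE would go on to scan with an invalid id. It should read `ASSERT_GT(not_hit_table_id, 0);`. ScanHitAtLastEmptyInteger checks `results[0]` but not `n_hit_result`, unlike its sibling ScanHitAtLastEmptyExpr; adding `EXPECT_EQ(n_hit_result, 1);` keeps the two consistent. The `inet_pton` return value is ignored in both new IP-based tests, which leaves `sip` uninitialized if parsing ever fails.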
@@ -1301,6 +1427,27 @@ TEST_F(CompileTable, CompileRuleUpdate) { EXPECT_EQ(ret, 1); } +TEST_F(CompileTable, Conjunction) { + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *scan_data = "i.ytimg.com/vi/OtCNcustg_I/hqdefault.jpg?sqp=-oaymwEZCNACELwBSFXyq4qpAwsIARUAAIhCGAFwAQ==&rs=AOn4CLDOp_5fHMaCA9XZuJdCRv4DNDorMg"; + const char *table_name = "HTTP_URL_LITERAL"; + const char *compile_tables[2] = {"COMPILE", "COMPILE_ALIAS"}; + + int table_id = maat_get_table_id(g_maat_instance, table_name); + ASSERT_GT(table_id, 0); + + maat_state_set_scan_compile_tables(g_maat_instance, &state, compile_tables, 2); + int ret = maat_scan_string(g_maat_instance, table_id, 0, scan_data, strlen(scan_data), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 2); + EXPECT_EQ(results[0], 197); + EXPECT_EQ(results[1], 141); + maat_state_free(&state); +} + class Policy : public testing::Test { protected: 
@@ -1471,6 +1618,41 @@ TEST_F(Policy, ReadColumn) { EXPECT_EQ(0, strncmp(tmp, line+offset, len)); } +class TableInfo : public testing::Test +{ +protected: + static void SetUpTestCase() { + + } + + static void TearDownTestCase() { + + } +}; + +TEST_F(TableInfo, Conjunction) { + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + struct maat_state *state = NULL; + const char *scan_data = "soq is using table conjunction function.http://www.3300av.com/novel/27122.txt"; + const char *table_name = "HTTP_URL_LITERAL"; + const char *conj_table_name = "HTTP_HOST_LITERAL"; + + int table_id = maat_get_table_id(g_maat_instance, table_name); + ASSERT_GT(table_id, 0); + + int conj_table_id = maat_get_table_id(g_maat_instance, conj_table_name); + ASSERT_GT(conj_table_id, 0); + + int ret = maat_scan_string(g_maat_instance, conj_table_id, 0, scan_data, strlen(scan_data), + results, ARRAY_SIZE, &n_hit_result, &state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 2); + EXPECT_EQ(results[0], 134); + EXPECT_EQ(results[1], 133); + maat_state_free(&state); +} + class MaatCmdTest : public testing::Test { protected: diff --git a/test/maat_json.json b/test/maat_json.json index 9bdc634..e1cdcd9 100644 --- a/test/maat_json.json +++ b/test/maat_json.json 
@@ -1541,44 +1541,6 @@ } ] }, - { - "compile_id": 169, - "service": 0, - "action": 0, - "do_blacklist": 0, - "do_log": 0, - "effective_rage": 0, - "user_region": "IPScan.IPv4_Any", - "is_valid": "yes", - "groups": [ - { - "regions": [ - { - "table_type": "ip_plus", - "table_name": "IP_PLUS_CONFIG", - "table_content": { - "addr_type": "ipv4", - "saddr_format": "CIDR", - "src_ip1": "0.0.0.0", - "src_ip2": "0", - "sport_format": "mask", - "src_port1": "20304", - "src_port2": "65535", - "daddr_format": "CIDR", - "dst_ip1": "0.0.0.0", - "dst_ip2": "0", - "dport_format": "range", - "dst_port1": "0", - "dst_port2": "0", - "protocol": 6, - "direction": "single" - } - } - ], - "not_flag" : 0 - } - ] - }, { "compile_id": 170, "service": 0, @@ -2434,6 +2396,32 @@ ] } ] + }, + { + "compile_id": 197, + "service": 1, + "action": 1, + "do_blacklist": 1, + "do_log": 1, + "user_region": "Something:I\\bhave\\ba\\bname,8866", + "is_valid": "yes", + "groups": [ + { + "group_name": "Untitled", + "regions": [ + { + "table_name": "HTTP_URL_LITERAL", + "table_type": "expr", + "table_content": { + "keywords": "hqdefault.jpg", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + } + ] } ], "plugin_table": [