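/*
 * NOTE(review): the angle-bracket header names were lost from this listing
 * (only bare "#include" tokens survived). The system headers below are the
 * ones the visible code needs - assert(), memset()/strlen(), sleep() and the
 * googletest macros - confirm them against the repository copy.
 */
#include <assert.h>
#include <string.h>
#include <unistd.h>

#include <gtest/gtest.h>

#include "test_utils.h"
#include "maat.h"
#include "maat_rule.h"
#include "maat_utils.h"
#include "maat_command.h"
#include "ip_matcher.h"
#include "json2iris.h"
#include "log/log.h"
#include "maat_config_monitor.h"
#include "maat_redis_monitor.h"

#define MODULE_FRAMEWORK_GTEST module_name_str("maat.framework_gtest")

#define ARRAY_SIZE 10           /* capacity of every results[] buffer handed to maat_scan_* */
#define HIT_PATH_SIZE 128       /* capacity of every hit_path[] buffer */
#define WAIT_FOR_EFFECTIVE_S 2  /* base delay, in seconds, used with sleep() after adding rules */

const char *g_table_info_path = "./table_info.conf";
const char *g_json_filename = "maat_json.json";
size_t g_thread_num = 4;

/*
 * Adds one compile rule, one group-to-compile relation and one expr item
 * through the *_set_line helpers, expecting each of them to return 1.
 * The compile line is written with a 2047-byte string of 's' characters in
 * the argument where del_command() passes "null".
 *
 * Returns the result of the last helper call (expr_table_set_line).
 */
int test_add_expr_command(struct maat *maat_inst, const char *expr_table,
                          long long compile_id, int timeout, const char *keywords)
{
    char huge_serv_def[1024 * 2] = {0};
    /* Fill everything except the final byte so the buffer stays NUL-terminated. */
    memset(huge_serv_def, 's', sizeof(huge_serv_def) - 1);
    huge_serv_def[sizeof(huge_serv_def) - 1] = '\0';

    int ret = compile_table_set_line(maat_inst, "COMPILE_DEFAULT", MAAT_OP_ADD,
                                     compile_id, huge_serv_def, 1, timeout);
    EXPECT_EQ(ret, 1);

    long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, "GROUP2COMPILE_DEFAULT", MAAT_OP_ADD,
                                       group_id, compile_id, 0, expr_table, 1, timeout);
    EXPECT_EQ(ret, 1);

    long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, expr_table, MAAT_OP_ADD, item_id, group_id,
                              keywords, "null", 1, 0, 0, 0);
    EXPECT_EQ(ret, 1);

    return ret;
}

/*
 * Issues MAAT_OP_DEL for compile_id on COMPILE_DEFAULT and returns the helper's result.
 * NOTE(review): compile_id is an int here while test_add_expr_command() takes a
 * long long; ids above INT_MAX cannot be deleted through this helper.
 */
int del_command(struct maat *maat_inst, int compile_id)
{
    return compile_table_set_line(maat_inst, "COMPILE_DEFAULT", MAAT_OP_DEL,
                                  compile_id, "null", 1, 0);
}

/* Fixture files for the JsonUpdate tests; watched_json is the file the maat instance is configured to read. */
const char *watched_json = "./json_update/maat.json";
const char *old_json = "./json_update/old.json";
const char *new_json = "./json_update/new.json";
const char *corrupted_json = "./json_update/corrupted.json";
/*
 * Fixed key compiled into the test binary. It is used both to encrypt the
 * fixture (system_cmd_encrypt) and as the instance's decrypt key, so it only
 * exercises the decrypt path and protects nothing.
 */
const char *json_decrypt_key = "himaat!";
const char *tmp_gzipped_file_name = "./json_update/tmp_gzipped_json.gz";

/*
 * Fixture that loads rules from a gzipped, encrypted JSON file and polls it
 * for changes every 500 ms.
 * NOTE(review): system_cmd_gzip()/system_cmd_encrypt() are declared elsewhere;
 * their names suggest they run external commands. Every argument passed to
 * them here is a compile-time constant - confirm before feeding them anything else.
 */
class JsonUpdate : public testing::Test
{
protected:
    static void SetUpTestCase() {
        system_cmd_gzip(old_json, tmp_gzipped_file_name);
        /* NewCfg treats 0 as success for this helper; hold the setup to the same check. */
        EXPECT_EQ(system_cmd_encrypt(tmp_gzipped_file_name, watched_json, json_decrypt_key), 0);

        int scan_interval_ms = 500;
        logger = log_handle_create("./maat_framework_gtest.log", 0);

        struct maat_options *opts = maat_options_new();
        maat_options_set_instance_name(opts, "firewall");
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_perf_on(opts);
        maat_options_set_json_file(opts, watched_json);
        maat_options_set_json_file_gzip_flag(opts, 1);
        maat_options_set_json_file_decrypt_key(opts, json_decrypt_key);
        maat_options_set_rule_update_checking_interval_ms(opts, scan_interval_ms);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in JsonUpdate failed.",
                      __FUNCTION__, __LINE__);
            assert(0);
        }
    }

    /*
     * Per-test guard: assert(0) above disappears when NDEBUG is defined, and a
     * fatal failure in SetUp() makes googletest skip the test body, so no test
     * runs against a NULL instance.
     */
    virtual void SetUp() {
        ASSERT_TRUE(_shared_maat_inst != NULL) << "maat instance was not created in SetUpTestCase";
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *JsonUpdate::_shared_maat_inst;
struct log_handle *JsonUpdate::logger;

/*
 * Scans HTTP_URL with one string expected to hit under the old rule file
 * (result id 1) and one expected to hit under the new rule file (result id 2).
 * is_old selects which of the two is expected to hit; the other must return
 * MAAT_SCAN_OK.
 */
void scan_with_old_or_new_cfg(struct maat *maat_inst, int is_old)
{
    const char *hit_old_data = "Hello world! I'm eve.";
    const char *hit_new_data = "Maat was borned in MESA.";
    const char *table_name = "HTTP_URL";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;

    /* Look the table up before allocating the state: ASSERT_GT returns from this
     * function on failure, and nothing must be left to release at that point. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, hit_old_data, strlen(hit_old_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    if (is_old) {
        EXPECT_EQ(ret, MAAT_SCAN_HIT);
        EXPECT_EQ(results[0], 1);
    } else {
        EXPECT_EQ(ret, MAAT_SCAN_OK);
    }

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, table_id, hit_new_data, strlen(hit_new_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    if (!is_old) {
        EXPECT_EQ(ret, MAAT_SCAN_HIT);
        EXPECT_EQ(results[0], 2);
    } else {
        EXPECT_EQ(ret, MAAT_SCAN_OK);
    }

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
}

TEST_F(JsonUpdate, OldCfg) {
    scan_with_old_or_new_cfg(JsonUpdate::_shared_maat_inst, 1);
}

/*
 * Replaces the watched file first with a corrupted rule file, then with the
 * new one. After the corrupted file the old rules are still expected to
 * match; only the valid replacement switches the results.
 */
TEST_F(JsonUpdate, NewCfg) {
    system_cmd_gzip(corrupted_json, tmp_gzipped_file_name);
    int ret = system_cmd_encrypt(tmp_gzipped_file_name, watched_json, json_decrypt_key);
    EXPECT_EQ(ret, 0);
    sleep(2);   /* several 500 ms polling intervals */
    scan_with_old_or_new_cfg(JsonUpdate::_shared_maat_inst, 1);

    system_cmd_gzip(new_json, tmp_gzipped_file_name);
    ret = system_cmd_encrypt(tmp_gzipped_file_name, watched_json, json_decrypt_key);
    EXPECT_EQ(ret, 0);
    sleep(5);
    scan_with_old_or_new_cfg(JsonUpdate::_shared_maat_inst, 0);
}

/*
 * Fixture for the flag-table tests. Rules from g_json_filename are written to
 * Redis and the maat instance then reads them back from there.
 * NOTE(review): this writes to db 0 of an unauthenticated Redis on
 * 127.0.0.1:6379. Whether write_json_to_redis() clears existing keys is not
 * visible here - run the suite against a disposable Redis instance.
 */
class FlagScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
            "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port,
                                      redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.",
                      __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);
        maat_options_set_hit_path_enabled(opts);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in FlagScan failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    /*
     * SetUpTestCase only logs when maat_new() fails. A fatal failure in
     * SetUp() makes googletest skip the test body, so the tests below never
     * call into maat with a NULL instance.
     */
    virtual void SetUp() {
        ASSERT_TRUE(_shared_maat_inst != NULL) << "maat instance was not created in SetUpTestCase";
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *FlagScan::_shared_maat_inst;
struct log_handle *FlagScan::logger;

TEST_F(FlagScan, basic) {
    const char *flag_table_name = "FLAG_CONFIG";
    struct maat *maat_inst = FlagScan::_shared_maat_inst;

    int flag_table_id = maat_get_table_id(maat_inst, flag_table_name);

    //compile_id:192 flag: 0000 0001 mask: 0000 0011
    //scan_data: 0000 1001 or 0000 1101 should hit
    long long scan_data = 9;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_flag(maat_inst, flag_table_id, scan_data, results,
                             ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 207);
    EXPECT_EQ(results[1], 192);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    maat_state_reset(state);

    scan_data = 13;
    memset(results, 0, sizeof(results));
    n_hit_result = 0;
    ret = maat_scan_flag(maat_inst, flag_table_id, scan_data, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 207);
    EXPECT_EQ(results[1], 192);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    /* 0000 0110: the low two bits do not equal compile 192's flag under its mask. */
    scan_data = 6;
    memset(results, 0, sizeof(results));
    n_hit_result = 0;
    ret = maat_scan_flag(maat_inst, flag_table_id, scan_data, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/* The flag scan alone only half-hits; compile 193 is reported once the HTTP_URL string scan also matches. */
TEST_F(FlagScan, withExprRegion) {
    const char *flag_table_name = "FLAG_CONFIG";
    const char *expr_table_name = "HTTP_URL";
    struct maat *maat_inst = FlagScan::_shared_maat_inst;

    int flag_table_id = maat_get_table_id(maat_inst, flag_table_name);
    int expr_table_id = maat_get_table_id(maat_inst, expr_table_name);

    //compile_id:193 flag: 0000 0010 mask: 0000 0011
    //scan_data: 0000 0010 or 0000 0100 should hit
    long long flag_scan_data = 2;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data, results,
                             ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    const char *expr_scan_data = "hello world";
    ret = maat_scan_string(maat_inst, expr_table_id, expr_scan_data,
                           strlen(expr_scan_data), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 193);

    ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(FlagScan, hitMultiCompile) {
    const char *flag_table_name = "FLAG_CONFIG";
    struct maat *maat_inst = FlagScan::_shared_maat_inst;

    int flag_table_id = maat_get_table_id(maat_inst, flag_table_name);

    //compile_id:192 flag: 0000 0001 mask: 0000 0011
    //compile_id:194 flag: 0001 0101 mask: 0001 1111
    //scan_data: 0001 0101 should hit compile192 and compile194
    long long flag_scan_data = 21;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data, results,
                             ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 3);
    EXPECT_EQ(results[0], 207);
    EXPECT_EQ(results[1], 194);
    EXPECT_EQ(results[2], 192);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Same data, same state, no reset: the second scan is expected to be a half hit only. */
    memset(results, 0, sizeof(results));
    ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    maat_state_free(state);
    state = NULL;
}

TEST_F(FlagScan, hitRepeatedCompile) {
    const char *flag_table_name = "FLAG_CONFIG";
    struct maat *maat_inst = FlagScan::_shared_maat_inst;

    int flag_table_id = maat_get_table_id(maat_inst, flag_table_name);
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    //compile_id:192 flag: 0000 0001 mask: 0000 0011
    //scan_data: 0000 1001 or 0000 1101 should hit
    long long flag_scan_data1 = 9;
    int ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data1, results,
                             ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 207);
    EXPECT_EQ(results[1], 192);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    //compile_id:192 flag: 0000 0001 mask: 0000 0011
    //compile_id:194 flag: 0001 0101 mask: 0001 1111
    //scan_data: 0001 0101 should hit compile192 and compile194
    long long flag_scan_data2 = 21;
    memset(results, 0, sizeof(results));
    ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data2, results,
                         ARRAY_SIZE, &n_hit_result, state);
    /* Only 194 is expected this time: 207 and 192 were already reported on this state. */
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 194);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    memset(results, 0, sizeof(results));
    ret = maat_scan_flag(maat_inst, flag_table_id, flag_scan_data2, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    maat_state_free(state);
    state = NULL;
}

/* FLAG_PLUS_CONFIG: scanning before a district is set on the state must return MAAT_SCAN_ERR. */
TEST_F(FlagScan, FlagPlus) {
    const char *flag_table_name = "FLAG_PLUS_CONFIG";
    const char *district_str = "I love China";
    struct maat *maat_inst = FlagScan::_shared_maat_inst;

    int flag_table_id = maat_get_table_id(maat_inst, flag_table_name);

    //compile_id:196 flag: 0001 1111 mask: 0000 1111
    //scan_data: 0000 1111 or 0001 1111 should hit
    long long scan_data1 = 15;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_flag(maat_inst, flag_table_id, scan_data1, results,
                             ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_ERR);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_state_set_scan_district(state, flag_table_id, district_str,
                                       strlen(district_str));
    ASSERT_EQ(ret, 0);

    ret = maat_scan_flag(maat_inst, flag_table_id, scan_data1, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 196);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_flag(maat_inst, flag_table_id, scan_data1, results,
                         ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, flag_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    maat_state_free(state);
    state = NULL;
}

//hyperscan engine
/*
 * Same Redis-backed setup as FlagScan, with the expr engine set to
 * MAAT_EXPR_ENGINE_HS.
 * NOTE(review): this also writes to db 0 of an unauthenticated Redis on
 * 127.0.0.1:6379 - use a disposable instance.
 */
class HsStringScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
            "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port,
                                      redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.",
                      __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);
        maat_options_set_hit_path_enabled(opts);
        maat_options_set_expr_engine(opts, MAAT_EXPR_ENGINE_HS);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in HsStringScan failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    /*
     * SetUpTestCase only logs when maat_new() fails. A fatal failure in
     * SetUp() makes googletest skip the test body, so the tests never call
     * into maat with a NULL instance.
     */
    virtual void SetUp() {
        ASSERT_TRUE(_shared_maat_inst != NULL) << "maat instance was not created in SetUpTestCase";
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *HsStringScan::_shared_maat_inst;
struct log_handle *HsStringScan::logger;

/* Boundary case: a single space byte as scan input must neither hit nor fail. */
TEST_F(HsStringScan, ScanDataOnlyOneByte) {
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    const char scan_data = 0x20;
    int ret = maat_scan_string(maat_inst, table_id, &scan_data, sizeof(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(HsStringScan, Full) {
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    const char *scan_data = "http://www.cyberessays.com/search_results.php"
                            "?action=search&query=username,abckkk,1234567";
    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(HsStringScan, Regex) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data = "Cookie: Txa123aheadBCAxd";
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    /* Checked before the state is allocated, as in the other HTTP_URL tests. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 148);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/* Scan input containing a non-ASCII character. */
TEST_F(HsStringScan, RegexUnicode) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data = "String contains É";
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    /* Checked before the state is allocated, as in the other HTTP_URL tests. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 229);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}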
TEST_F(HsStringScan, BackslashR_N_Escape) { int ret = 0; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "KEYWORDS_TABLE"; const char *payload = "GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 225); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, BackslashR_N_Escape_IncUpdate) { int ret = 0; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "KEYWORDS_TABLE"; const char *payload = "html>\\r\\n"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 234); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); const char *compile_table_name = "COMPILE_DEFAULT"; const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; /* compile table add line */ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile_id, "null", 1, 0); EXPECT_EQ(ret, 1); /* group2compile table add line */ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, 
group_id, compile_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); /* expr table add line */ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); const char *keywords = "html>\\\\r\\\\n"; /* EXPR_TYPE_AND MATCH_METHOD_SUB */ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group_id, keywords, NULL, 1, 0, 0, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 3); ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 2); EXPECT_EQ(results[0], 234); EXPECT_EQ(results[1], compile_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, ExprPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *district_str1 ="HTTP URL"; const char *district_str2 ="我的diStricT"; const char *scan_data1 = "http://www.cyberessays.com/search_results.php" "?action=search&query=abckkk,1234567"; const char *scan_data2 = "Addis Sapphire Hotel"; const char *table_name = "HTTP_SIGNATURE"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_ERR);//Should return error for district not setting. 
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 128); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 190); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, ExprPlusWithOffset) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *district_str = "Payload"; unsigned char udp_payload_not_hit[] = { /* Stun packet */ 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42, 0x4f, 0xc2, 0xc2, 0x70, 0xb3, 0xa8, 0x4e, 0x22, 0xf5, 0x22, 0x87, 0x4c, 0x40, 0x00, 0x00, 0x46, 0x03, 0x02, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01, 0x3a, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a, 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9, 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b, 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2, 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f, 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64, 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a, 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a }; unsigned char udp_payload_hit[] = { /* Stun packet */ 
//rule:"1-1:03&9-10:2d&14-16:2d34&19-21:2d&24-25:2d" 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42, //1-1:03 0x4f, 0xc2, 0x2d, 0x70, 0xb3, 0xa8, 0x4e, 0x2d, //10-10:2d 0x34, 0x22, 0x87, 0x4c, 0x2d, 0x00, 0x00, 0x46, //15-16:2d34 0x2d, 0x34, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01, //20-20:2d 0x03, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a, //24-24:2d 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9, 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b, 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2, 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f, 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64, 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a, 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a }; int table_id = maat_get_table_id(maat_inst, "APP_PAYLOAD"); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str, strlen(district_str)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_not_hit, sizeof(udp_payload_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_hit, sizeof(udp_payload_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 149); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, ExprPlusWithHex) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *scan_data1 = "text/html; charset=UTF-8"; const char *scan_data2 = "Batman\\:Take me Home.Superman/:Fine,stay with me."; const char *district_str1 = "Content-Type"; const char *district_str2 = "User-Agent"; int table_id = 
maat_get_table_id(maat_inst, "HTTP_SIGNATURE"); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 156); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //maat-v3 consider as half hit, it's unreasonable ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, "KEYWORDS_TABLE"); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 132); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, ExprAndExprPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *expr_table_name = "HTTP_URL"; const char *expr_plus_table_name = "HTTP_SIGNATURE"; const char *district_str = "I love China"; const char *scan_data = "today is Monday and yesterday is Tuesday"; int expr_table_id = maat_get_table_id(maat_inst, expr_table_name); int expr_plus_table_id = maat_get_table_id(maat_inst, expr_plus_table_name); int ret = maat_scan_string(maat_inst, expr_plus_table_id, scan_data, strlen(scan_data), 
results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_ERR); ret = maat_scan_not_logic(maat_inst, expr_plus_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_state_set_scan_district(state, expr_plus_table_id, district_str, strlen(district_str)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, expr_plus_table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, expr_plus_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, expr_table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 195); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, ShouldNotHitExprPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = HsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *district_str = "tcp.payload"; unsigned char udp_payload_not_hit[] = { /* Stun packet */ 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42, 0x4f, 0xc2, 0xc2, 0x70, 0xb3, 0xa8, 0x4e, 0x22, 0xf5, 0x22, 0x87, 0x4c, 0x40, 0x00, 0x00, 0x46, 0x03, 0x02, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01, 0x3a, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a, 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9, 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b, 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2, 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f, 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64, 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a, 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a, 0xab, 0x00 }; int table_id = maat_get_table_id(maat_inst, "APP_PAYLOAD"); ASSERT_GT(table_id, 0); int ret = 
maat_state_set_scan_district(state, table_id, district_str, strlen(district_str)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, (char *)udp_payload_not_hit, sizeof(udp_payload_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //maat-v3 consider as half hit, it's unreasonable ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, Expr8) { int thread_id = 0; const char *table_name = "KEYWORDS_TABLE"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; char scan_data[128] = "string1, string2, string3, string4, string5, " "string6, string7, string8"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 182); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0}; int n_read = 0; n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_NE(n_read, 0); maat_state_free(state); state = NULL; } TEST_F(HsStringScan, HexBinCaseSensitive) { const char *table_name = "KEYWORDS_TABLE"; const char *scan_data1 = "String TeST should not hit."; const char *scan_data2 = "String TEST should hit"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; int thread_id = 0; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, table_id, 
scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 2); EXPECT_EQ(results[0], 206); EXPECT_EQ(results[1], 191); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } TEST_F(HsStringScan, BugReport20190325) { unsigned char scan_data[] = {/* Packet 1 */ 0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x00, 0xf4, 0x01, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x3d, 0x3d, 0x20, 0x48, 0x3d, 0x48, 0x20, 0x3d, 0x3d, 0x2d, 0x3a, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x0e, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x4c, 0x69, 0x6e, 0x75, 0x78, 0x20, 0x33, 0x2e, 0x31, 0x39, 0x2e, 0x30, 0x2d, 0x31, 0x35, 0x2d, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x00, 0x31, 0x3a, 0x47, 0x32, 0x2e, 0x34, 0x30, 0x00}; const char *table_name = "TROJAN_PAYLOAD"; struct maat *maat_inst = HsStringScan::_shared_maat_inst; int thread_id = 0; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; struct maat_state *state = maat_state_new(maat_inst, thread_id); int ret = maat_scan_string(maat_inst, table_id, (char *)scan_data, sizeof(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); 
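EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 150);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans three mail addresses against MAIL_ADDR with the Hs fixture's shared
 * instance: the bare address is expected to hit rules 151 and 152, the
 * address with leading digits only 151, and the address with trailing digits
 * only 152. A CONTENT_SIZE integer scan of 2015 is issued before the first
 * and the last string scan.
 */
TEST_F(HsStringScan, PrefixAndSuffix) {
    const char *hit_twice = "ceshi3@mailhost.cn";
    const char *hit_suffix = "11111111111ceshi3@mailhost.cn";
    const char *hit_prefix = "ceshi3@mailhost.cn11111111111";
    const char *cont_sz_table_name = "CONTENT_SIZE";
    const char *mail_addr_table_name = "MAIL_ADDR";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int cont_sz_table_id = maat_get_table_id(maat_inst, cont_sz_table_name);
    ASSERT_GT(cont_sz_table_id, 0);

    int mail_addr_table_id = maat_get_table_id(maat_inst, mail_addr_table_name);
    ASSERT_GT(mail_addr_table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    /* NOTE(review): the result of this integer scan is overwritten by the
     * next call without being checked; presumably the call is made only for
     * its effect on `state`. Confirm the intended expectation. */
    int ret = maat_scan_integer(maat_inst, cont_sz_table_id, 2015, results,
                                ARRAY_SIZE, &n_hit_result, state);

    ret = maat_scan_not_logic(maat_inst, cont_sz_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_twice,
                           strlen(hit_twice), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 151);
    EXPECT_EQ(results[1], 152);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results,
                              ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_suffix,
                           strlen(hit_suffix), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 151);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results,
                              ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Same unchecked integer scan as above; the state is not reset between
     * the suffix scan and this call. */
    ret = maat_scan_integer(maat_inst, cont_sz_table_id, 2015, results,
                            ARRAY_SIZE, &n_hit_result, state);

    ret = maat_scan_not_logic(maat_inst, cont_sz_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_prefix,
                           strlen(hit_prefix), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 152);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results,
                              ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a string containing the literal sequences "\:" and "/:" against
 * KEYWORDS_TABLE and expects exactly one hit, rule 132.
 */
TEST_F(HsStringScan, MaatUnescape) {
    const char *scan_data = "Batman\\:Take me Home.Superman/:Fine,stay with me.";
    const char *table_name = "KEYWORDS_TABLE";
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 132);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Streams ./testdata/mesa_logo.jpg through a maat stream on IMAGE_FP in
 * 64-byte chunks and expects some chunk to produce a hit whose first result
 * is rule 136.
 */
TEST_F(HsStringScan, OffsetChunk64) {
    const char *table_name = "IMAGE_FP";
    const char *file_name = "./testdata/mesa_logo.jpg";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    /* Resolve the table before acquiring anything, so that an early ASSERT
     * return cannot leak the file handle or the scan state. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* The fixture is a JPEG: open it in binary mode so the scanner sees the
     * bytes exactly as stored. */
    FILE *fp = fopen(file_name, "rb");
    ASSERT_FALSE(fp==NULL);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    if (NULL == sp) {
        /* ASSERT_TRUE below returns from the test; release what we hold. */
        maat_state_free(state);
        fclose(fp);
    }
    ASSERT_TRUE(sp != NULL);

    char scan_data[64];
    int ret = 0;
    int pass_flag = 0;

    for (;;) {
        /* Loop on fread()'s result instead of feof(): a read error never
         * sets the EOF indicator, so a feof()-driven loop would spin forever
         * on it, and it would also scan one empty chunk at end of file. */
        size_t read_size = fread(scan_data, 1, sizeof(scan_data), fp);
        if (0 == read_size) {
            break;
        }

        ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                               &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 136);

    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Same as OffsetChunk64 but feeds the file in 1460-byte chunks; rule 136 is
 * still expected to hit.
 */
TEST_F(HsStringScan, OffsetChunk1460) {
    const char *table_name = "IMAGE_FP";
    const char *file_name = "./testdata/mesa_logo.jpg";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    /* Table lookup first: nothing to release if it fails. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* Binary mode: the input is a JPEG. */
    FILE *fp = fopen(file_name, "rb");
    ASSERT_FALSE(fp==NULL);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    if (NULL == sp) {
        /* ASSERT_TRUE below returns from the test; release what we hold. */
        maat_state_free(state);
        fclose(fp);
    }
    ASSERT_TRUE(sp != NULL);

    char scan_data[1460];
    int ret = 0;
    int pass_flag = 0;

    for (;;) {
        /* Stop on a zero-length read (end of file or read error) rather
         * than polling feof(), which stays clear after an I/O error. */
        size_t read_size = fread(scan_data, 1, sizeof(scan_data), fp);
        if (0 == read_size) {
            break;
        }

        ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                               &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 136);

    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Streams ./testdata/jd.com.html through a maat stream on TROJAN_PAYLOAD in
 * 2048-byte chunks and expects a MAAT_SCAN_HIT whose first result is rule 157.
 */
TEST_F(HsStringScan, StreamScanUTF8) {
    const char *table_name = "TROJAN_PAYLOAD";
    const char* file_name = "./testdata/jd.com.html";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    char scan_data[2048];
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;

    /* Table lookup first: nothing to release if it fails. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    FILE *fp = fopen(file_name, "r");
    ASSERT_FALSE(fp == NULL);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    if (NULL == sp) {
        /* ASSERT_FALSE below returns from the test; release what we hold. */
        maat_state_free(state);
        fclose(fp);
    }
    ASSERT_FALSE(sp == NULL);

    int pass_flag = 0;
    for (;;) {
        /* A zero-length read means end of file or a read error; either way
         * there is nothing left to scan. */
        size_t read_size = fread(scan_data, 1, sizeof(scan_data), fp);
        if (0 == read_size) {
            break;
        }

        int ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                                   &n_hit_result, state);
        if (ret == MAAT_SCAN_HIT) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret == MAAT_SCAN_HIT) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 157);

    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Feeds two strings into one maat stream on HTTP_URL: the bare host name is
 * expected to return MAAT_SCAN_OK, the full URL that follows is expected to
 * hit rule 125.
 */
TEST_F(HsStringScan, StreamInput) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    const char *table_name = "HTTP_URL";
    const char *scan_data1 = "www.cyberessays.com";
    const char *scan_data2 = "http://www.cyberessays.com/search_results.php?"
                             "action=search&query=yulingjing,abckkk,1234567";

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    int ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results,
                               ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    /* The stream is released before the expectations are evaluated. */
    maat_stream_free(sp);

    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(HsStringScan, dynamic_config) {
    const char *table_name = "HTTP_URL";
    char data[128] = "hello world, welcome to maat version4, it's funny.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = HsStringScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results,
                               ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id = maat_cmd_incrby(maat_inst,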
"SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group_id, compile_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); /* expr table add line */ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); const char *keywords = "welcome to maat"; /* EXPR_TYPE_AND MATCH_METHOD_SUB */ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group_id, keywords, NULL, 1, 0, 0, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 3); ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); /* EXPR_TYPE_AND MATCH_METHOD_SUB */ ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_DEL, item_id, group_id, keywords, NULL, 1, 0, 0, 0); EXPECT_EQ(ret, 1); /* group2compile table del line */ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group_id, compile_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); /* compile table del line */ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile_id, "null", 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); EXPECT_EQ(n_hit_result, 0); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } class RsStringScan : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int 
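redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);

        /* The rule set from g_json_filename is written into Redis db 0 on
         * the loopback address and default port; no credentials are passed
         * here. NOTE(review): run this suite against a dedicated, disposable
         * Redis instance, since the fixture writes into that database. */
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port,
                                      redis_db, logger);
        if (ret < 0) {
            /* NOTE(review): setup continues after this failure, so the tests
             * would run against whatever rules Redis already holds. */
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.",
                      __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);
        maat_options_set_expr_engine(opts, MAAT_EXPR_ENGINE_RS);
        maat_options_set_hit_path_enabled(opts);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in RsStringScan failed.",
                      __FUNCTION__, __LINE__);
            /* Stop here, as the JsonUpdate fixture does: every test in this
             * suite passes the shared instance straight to the maat API. */
            assert(0);
        }
    }

    /* Releases the shared maat instance and the log handle. */
    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;       // log handle shared by the suite
    static struct maat *_shared_maat_inst;  // maat instance shared by the suite
};

struct maat *RsStringScan::_shared_maat_inst;
struct log_handle *RsStringScan::logger;

/*
 * Scans a single 0x20 byte against HTTP_URL and expects MAAT_SCAN_OK with no
 * hit results.
 */
TEST_F(RsStringScan, ScanDataOnlyOneByte) {
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    const char scan_data = 0x20;

    int ret = maat_scan_string(maat_inst, table_id, &scan_data, sizeof(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a complete URL against HTTP_URL and expects exactly one hit, rule 125.
 */
TEST_F(RsStringScan, Full) {
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    const char *scan_data = "http://www.cyberessays.com/search_results.php?"
                            "action=search&query=username,abckkk,1234567";

    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a Cookie header line against HTTP_URL and expects exactly one hit,
 * rule 148.
 */
TEST_F(RsStringScan, Regex) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *cookie = "Cookie: Txa123aheadBCAxd";
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Validate the table id like the sibling tests do, and do it before the
     * state exists so that the early return leaks nothing. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, cookie, strlen(cookie), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 148);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a string ending in a non-ASCII character against HTTP_URL and expects
 * a hit whose first result is rule 229.
 */
TEST_F(RsStringScan, RegexUnicode) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data = "String contains É";
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Table id checked before the state is allocated (see Regex). */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 229);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans an HTTP request containing real CR/LF bytes against KEYWORDS_TABLE
 * and expects a hit whose first result is rule 225.
 */
TEST_F(RsStringScan, BackslashR_N_Escape) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "KEYWORDS_TABLE";
    const char *payload = "GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Table id checked before the state is allocated (see Regex). */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 225);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a payload holding the four literal characters "\r\n" (backslashes,
 * not control bytes): first against the preloaded rules (rule 234 expected),
 * then again after adding a compile/group/expr rule at run time, expecting
 * both rule 234 and the newly created compile id.
 */
TEST_F(RsStringScan, BackslashR_N_Escape_IncUpdate) {
    int ret = 0;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "KEYWORDS_TABLE";
    const char *payload = "html>\\r\\n";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Table id checked before the state is allocated (see Regex). */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(results[0], 234);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id, compile_id, 0, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* expr table add line */
    long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    const char *keywords = "html>\\\\r\\\\n";
    /* EXPR_TYPE_AND MATCH_METHOD_SUB */
    ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
                              group_id, keywords, NULL, 1, 0, 0, 0);
    EXPECT_EQ(ret, 1);

    /* Give the update time to take effect before scanning again. */
    sleep(WAIT_FOR_EFFECTIVE_S * 3);

    ret = maat_scan_string(maat_inst, table_id, payload, strlen(payload), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 234);
    EXPECT_EQ(results[1], compile_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* NOTE(review): unlike HsStringScan.dynamic_config, the rule added above
     * is not deleted before the test returns; confirm later tests on
     * KEYWORDS_TABLE do not depend on its absence. */
    maat_state_free(state);
    state = NULL;
}

TEST_F(RsStringScan, ExprPlus) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *district_str1 ="HTTP URL";
    const char *district_str2 ="我的diStricT";
    const char *scan_data1 = "http://www.cyberessays.com/search_results.php?"
                             "action=search&query=abckkk,1234567";
    const char *scan_data2 = "Addis Sapphire Hotel";
    const char *table_name = "HTTP_SIGNATURE";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_ERR);//Should return error for district not setting.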
ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 128); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 190); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(RsStringScan, ExprPlusWithOffset) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = RsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *district_str = "Payload"; unsigned char udp_payload_not_hit[] = { /* Stun packet */ 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42, 0x4f, 0xc2, 0xc2, 0x70, 0xb3, 0xa8, 0x4e, 0x22, 0xf5, 0x22, 0x87, 0x4c, 0x40, 0x00, 0x00, 0x46, 0x03, 0x02, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01, 0x3a, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a, 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9, 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b, 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2, 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f, 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64, 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a, 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a }; unsigned char 
udp_payload_hit[] = { /* Stun packet */ //rule:"1-1:03&9-10:2d&14-16:2d34&19-21:2d&24-25:2d" 0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42, //1-1:03 0x4f, 0xc2, 0x2d, 0x70, 0xb3, 0xa8, 0x4e, 0x2d, //10-10:2d 0x34, 0x22, 0x87, 0x4c, 0x2d, 0x00, 0x00, 0x46, //15-16:2d34 0x2d, 0x34, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01, //20-20:2d 0x03, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a, //24-24:2d 0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9, 0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b, 0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2, 0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f, 0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64, 0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a, 0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a }; int table_id = maat_get_table_id(maat_inst, "APP_PAYLOAD"); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str, strlen(district_str)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_not_hit, sizeof(udp_payload_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_hit, sizeof(udp_payload_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 149); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(RsStringScan, ExprPlusWithHex) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = RsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *scan_data1 = "text/html; charset=UTF-8"; const char *scan_data2 = "Batman\\:Take me Home.Superman/:Fine,stay with me."; const char *district_str1 = 
"Content-Type"; const char *district_str2 = "User-Agent"; int table_id = maat_get_table_id(maat_inst, "HTTP_SIGNATURE"); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 156); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); ASSERT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //maat-v3 consider as half hit, it's unreasonable ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, "KEYWORDS_TABLE"); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 132); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(RsStringScan, ExprAndExprPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = RsStringScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *expr_table_name = "HTTP_URL"; const char *expr_plus_table_name = "HTTP_SIGNATURE"; const char *district_str = "I love China"; const char *scan_data = "today is Monday and yesterday is Tuesday"; int expr_table_id = maat_get_table_id(maat_inst, expr_table_name); int expr_plus_table_id = 
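maat_get_table_id(maat_inst, expr_plus_table_name);

    /* Validate both table ids, as the sibling tests do. The first scan below
     * expects MAAT_SCAN_ERR, an expectation that an unresolved table id could
     * presumably satisfy as well, hiding a missing table. */
    ASSERT_GT(expr_table_id, 0);
    ASSERT_GT(expr_plus_table_id, 0);

    /* No district has been set for the expr-plus table yet. */
    int ret = maat_scan_string(maat_inst, expr_plus_table_id, scan_data,
                               strlen(scan_data), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_ERR);

    ret = maat_scan_not_logic(maat_inst, expr_plus_table_id, results,
                              ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_state_set_scan_district(state, expr_plus_table_id, district_str,
                                       strlen(district_str));
    ASSERT_EQ(ret, 0);

    ret = maat_scan_string(maat_inst, expr_plus_table_id, scan_data,
                           strlen(scan_data), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, expr_plus_table_id, results,
                              ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Scanning the same data on the plain expr table, with the same state,
     * is expected to complete the hit on rule 195. */
    ret = maat_scan_string(maat_inst, expr_table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 195);

    ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a binary payload against APP_PAYLOAD with the district set to
 * "tcp.payload" and expects MAAT_SCAN_OK, i.e. no hit and no half hit.
 */
TEST_F(RsStringScan, ShouldNotHitExprPlus) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    const char *district_str = "tcp.payload";
    unsigned char udp_payload_not_hit[] = { /* Stun packet */
        0x00, 0x03, 0x00, 0x4a, 0x21, 0x12, 0xa4, 0x42,
        0x4f, 0xc2, 0xc2, 0x70, 0xb3, 0xa8, 0x4e, 0x22,
        0xf5, 0x22, 0x87, 0x4c, 0x40, 0x00, 0x00, 0x46,
        0x03, 0x02, 0xab, 0x39, 0xbb, 0x97, 0xe5, 0x01,
        0x3a, 0x46, 0x1c, 0x28, 0x5b, 0xab, 0xfa, 0x9a,
        0xab, 0x2e, 0x71, 0x39, 0x66, 0xa0, 0xd7, 0xb9,
        0xd8, 0x41, 0xa7, 0xa0, 0x84, 0xa9, 0xf3, 0x1b,
        0x03, 0x7f, 0xa8, 0x28, 0xa2, 0xd3, 0x64, 0xc2,
        0x3d, 0x20, 0xe0, 0xb1, 0x41, 0x12, 0x6c, 0x2f,
        0xc5, 0xbb, 0xc3, 0xba, 0x69, 0x73, 0x52, 0x64,
        0xf6, 0x30, 0x81, 0xf4, 0x3f, 0xc2, 0x19, 0x6a,
        0x68, 0x61, 0x93, 0x08, 0xc0, 0x0a, 0xab, 0x00 };

    int table_id = maat_get_table_id(maat_inst, "APP_PAYLOAD");
    ASSERT_GT(table_id, 0);

    int ret = maat_state_set_scan_district(state, table_id, district_str,
                                           strlen(district_str));
    ASSERT_EQ(ret, 0);

    /* The length comes from sizeof, so the whole array is scanned, embedded
     * 0x00 bytes included. */
    ret = maat_scan_string(maat_inst, table_id, (char *)udp_payload_not_hit,
                           sizeof(udp_payload_not_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK); //maat-v3 consider as half hit, it's unreasonable

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a string holding "string1" .. "string8" against KEYWORDS_TABLE,
 * expects exactly one hit (rule 182) and a non-zero number of hit paths
 * recorded in the state.
 */
TEST_F(RsStringScan, Expr8) {
    const char *table_name = "KEYWORDS_TABLE";
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Validate the table id like the HsStringScan version of this test,
     * before the state is allocated so the early return leaks nothing. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    char scan_data[128] = "string1, string2, string3, string4, string5,"
                          " string6, string7, string8";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;

    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 182);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read = 0;
    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_NE(n_read, 0);

    maat_state_free(state);
    state = NULL;
}

TEST_F(RsStringScan, HexBinCaseSensitive) {
    const char *table_name = "KEYWORDS_TABLE";
    const char *scan_data1 = "String TeST should not hit.";
    const char *scan_data2 = "String TEST should hit";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};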
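size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 206);
    EXPECT_EQ(results[1], 191);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Regression test: scans a raw binary buffer against TROJAN_PAYLOAD and
 * expects exactly one result, id 150. The length passed is sizeof(scan_data),
 * not strlen(), so the bytes after the embedded 0x00 values are scanned too.
 */
TEST_F(RsStringScan, BugReport20190325) {
    unsigned char scan_data[] = {/* Packet 1 */
        0x01, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00,
        0x00, 0xf4, 0x01, 0x00, 0x00, 0x32, 0x00, 0x00,
        0x00, 0xe8, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x2d, 0x3d, 0x3d, 0x20, 0x48, 0x3d, 0x48, 0x20,
        0x3d, 0x3d, 0x2d, 0x3a, 0x00, 0x02, 0x00, 0x00,
        0x00, 0x07, 0x0e, 0x00, 0x00, 0xe8, 0x03, 0x00,
        0x00, 0x4c, 0x69, 0x6e, 0x75, 0x78, 0x20, 0x33,
        0x2e, 0x31, 0x39, 0x2e, 0x30, 0x2d, 0x31, 0x35,
        0x2d, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63,
        0x00, 0x31, 0x3a, 0x47, 0x32, 0x2e, 0x34, 0x30,
        0x00};
    const char *table_name = "TROJAN_PAYLOAD";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, (char *)scan_data, sizeof(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 150);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Scans three mail addresses against MAIL_ADDR: the bare address is expected
 * to hit results 151 and 152, the address with leading padding only 151, and
 * the address with trailing padding only 152. A CONTENT_SIZE integer scan is
 * issued on the same state before the first and the last string scan.
 */
TEST_F(RsStringScan, PrefixAndSuffix) {
    const char *hit_twice = "ceshi3@mailhost.cn";
    const char *hit_suffix = "11111111111ceshi3@mailhost.cn";
    const char *hit_prefix = "ceshi3@mailhost.cn11111111111";
    const char *cont_sz_table_name = "CONTENT_SIZE";
    const char *mail_addr_table_name = "MAIL_ADDR";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int cont_sz_table_id = maat_get_table_id(maat_inst, cont_sz_table_name);
    ASSERT_GT(cont_sz_table_id, 0);

    int mail_addr_table_id = maat_get_table_id(maat_inst, mail_addr_table_name);
    ASSERT_GT(mail_addr_table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    /* NOTE(review): the return value of this integer scan is overwritten
     * without being checked; the expected code is not visible here. */
    int ret = maat_scan_integer(maat_inst, cont_sz_table_id, 2015, results,
                                ARRAY_SIZE, &n_hit_result, state);
    ret = maat_scan_not_logic(maat_inst, cont_sz_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_twice, strlen(hit_twice),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 151);
    EXPECT_EQ(results[1], 152);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_suffix, strlen(hit_suffix),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 151);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Same unchecked integer scan as above, repeated without a state reset. */
    ret = maat_scan_integer(maat_inst, cont_sz_table_id, 2015, results,
                            ARRAY_SIZE, &n_hit_result, state);
    ret = maat_scan_not_logic(maat_inst, cont_sz_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, mail_addr_table_id, hit_prefix, strlen(hit_prefix),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 152);

    ret = maat_scan_not_logic(maat_inst, mail_addr_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Scans a string containing a literal backslash-colon sequence against
 * KEYWORDS_TABLE and expects a single result, id 132.
 */
TEST_F(RsStringScan, MaatUnescape) {
    const char *scan_data = "Batman\\:Take me Home.Superman/:Fine,stay with me.";
    const char *table_name = "KEYWORDS_TABLE";
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 132);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Feeds ./testdata/mesa_logo.jpg through one IMAGE_FP stream in 64-byte
 * chunks and expects result 136 to be reported before the file ends.
 * Presumably this guards against a signature being missed when it is split
 * across chunk boundaries.
 */
TEST_F(RsStringScan, OffsetChunk64) {
    const char *table_name = "IMAGE_FP";
    const char *file_name = "./testdata/mesa_logo.jpg";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Resolve the table and open the file before allocating scan state, so an
     * early ASSERT return on either does not leave a state object behind. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* Binary mode: the input is a JPEG and must reach the scanner unmodified. */
    FILE *fp = fopen(file_name, "rb");
    ASSERT_FALSE(fp==NULL);

    char scan_data[64];
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    int ret = 0;
    size_t read_size = 0;
    int pass_flag = 0;

    /* Loop on the fread() result instead of feof(): a read error never sets
     * the EOF flag, so a feof()-controlled loop would spin forever on it. */
    while ((read_size = fread(scan_data, 1, sizeof(scan_data), fp)) > 0) {
        ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                               &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 136);
    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Same scenario as OffsetChunk64 with 1460-byte chunks: the stream scan of
 * ./testdata/mesa_logo.jpg against IMAGE_FP must report result 136.
 */
TEST_F(RsStringScan, OffsetChunk1460) {
    const char *table_name = "IMAGE_FP";
    const char *file_name = "./testdata/mesa_logo.jpg";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Table lookup and file open come first so early ASSERT returns do not
     * leak the scan state. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* Binary mode: the input is a JPEG and must reach the scanner unmodified. */
    FILE *fp = fopen(file_name, "rb");
    ASSERT_FALSE(fp==NULL);

    char scan_data[1460];
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    int ret = 0;
    size_t read_size = 0;
    int pass_flag = 0;

    /* A zero-length read ends the loop on EOF and on read errors alike. */
    while ((read_size = fread(scan_data, 1, sizeof(scan_data), fp)) > 0) {
        ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                               &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 136);
    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Streams ./testdata/jd.com.html through TROJAN_PAYLOAD in 1500-byte chunks
 * and expects result 157. Chunks are cut at fixed byte offsets, so a
 * multi-byte character may be split between two reads.
 */
TEST_F(RsStringScan, StreamScanUTF8) {
    const char *table_name = "TROJAN_PAYLOAD";
    const char* file_name = "./testdata/jd.com.html";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    char scan_data[1500];
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Table lookup and file open come first so early ASSERT returns do not
     * leak the scan state. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* Binary mode keeps the byte stream exactly as stored on disk. */
    FILE *fp = fopen(file_name, "rb");
    ASSERT_FALSE(fp == NULL);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_FALSE(sp == NULL);

    int pass_flag = 0;
    size_t read_size = 0; //read_size can't exceed 1500

    /* A zero-length read ends the loop on EOF and on read errors alike. */
    while ((read_size = fread(scan_data, 1, sizeof(scan_data), fp)) > 0) {
        int ret = maat_stream_scan(sp, scan_data, read_size, results, ARRAY_SIZE,
                                   &n_hit_result, state);
        if (ret == MAAT_SCAN_HIT) {
            pass_flag = 1;
            break;
        }

        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (ret > 0) {
            pass_flag = 1;
            break;
        }
    }

    EXPECT_EQ(pass_flag, 1);
    EXPECT_EQ(results[0], 157);
    maat_stream_free(sp);
    fclose(fp);
    maat_state_free(state);
    state = NULL;
}

/*
 * Two-step stream scan on HTTP_URL: the host name alone returns
 * MAAT_SCAN_OK, and the full URL fed into the same stream afterwards hits
 * result 125. The stream is freed before the hit is asserted.
 */
TEST_F(RsStringScan, StreamInput) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    const char *scan_data1 = "www.cyberessays.com";
    const char *scan_data2 = "http://www.cyberessays.com/search_results.php?"
                             "action=search&query=yulingjing,abckkk,1234567";
    const char *table_name = "HTTP_URL";

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    int ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results,
                               ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    maat_stream_free(sp);

    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Adds a compile/group/expr rule for the keywords "welcome to maat" at run
 * time, waits for it to take effect, checks that the scan result changes
 * from MAAT_SCAN_HALF_HIT to a hit on the new compile id, then deletes the
 * rule and checks that the scan falls back to MAAT_SCAN_HALF_HIT.
 */
TEST_F(RsStringScan, dynamic_config) {
    const char *table_name = "HTTP_URL";
    char data[128] = "hello world, welcome to maat version4, it's funny.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStringScan::_shared_maat_inst;

    /* Validate the table id like the sibling tests do, and before the state
     * is allocated so a failure returns without leaking it. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results,
                               ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);
    maat_state_reset(state);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id, compile_id, 0, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* expr table add line */
    long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    const char *keywords = "welcome to maat";
    /* EXPR_TYPE_AND MATCH_METHOD_SUB */
    ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id,
                              group_id, keywords, NULL, 1, 0, 0, 0);
    EXPECT_EQ(ret, 1);

    /* Fixed wait for the update to become effective; timing-dependent. */
    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    /* EXPR_TYPE_AND MATCH_METHOD_SUB */
    ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_DEL, item_id,
                              group_id, keywords, NULL, 1, 0, 0, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table del line */
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL,
                                       group_id, compile_id, 0, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* compile table del line */
    /* NOTE(review): the add above passes "null" in this position while the
     * delete passes table_name; confirm the argument is ignored on delete. */
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL,
                                 compile_id, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    ret = maat_scan_string(maat_inst, table_id, data, strlen(data), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Fixture for stream-scan tests against a Redis-backed maat instance using
 * the default expression engine.
 *
 * SetUpTestCase() flushes Redis database 0 at 127.0.0.1:6379 before creating
 * the shared instance, so the suite must only be run against a dedicated,
 * disposable Redis server.
 */
class HsStreamScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);

        /* A first, short-lived instance is created only to flush the DB. */
        _shared_maat_inst = maat_new(opts, g_table_info_path);
        assert(_shared_maat_inst != NULL);

        maat_cmd_flushDB(_shared_maat_inst);
        maat_free(_shared_maat_inst);

        maat_options_set_foreign_cont_dir(opts, "./foreign_files/");
        maat_options_set_gc_timeout_ms(opts, 0); // start GC immediately
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        /* Check the instance the tests actually use, as for the first one. */
        assert(_shared_maat_inst != NULL);
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
    }

    static struct maat *_shared_maat_inst;
};

struct maat *HsStreamScan::_shared_maat_inst;

/*
 * Checks how an open stream behaves across an incremental rule update: the
 * stream hits compile1_id before the update is effective and, per the inline
 * comments, stops hitting once the update has replaced the runtime it
 * references.
 */
TEST_F(HsStreamScan, dynamic_config) {
    const char *table_name = "HTTP_URL";
    const char *keywords1 = "hello";
    char keyword_buf[128];
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data1 = "www.cyberessays.com";
    const char *scan_data2 = "hello world cyberessays.com/search_results.php?"
                             "action=search&query=yulingjing,abckkk,1234567";
    struct maat *maat_inst = HsStreamScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    // STEP 1: add keywords1 and wait scan stream to hit
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = test_add_expr_command(maat_inst, table_name, compile1_id, 0, keywords1);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    // STEP 2: Inc config update, use same stream to scan and wait old expr_runtime invalid
    random_keyword_generate(keyword_buf, sizeof(keyword_buf));
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = test_add_expr_command(maat_inst, table_name, compile_id, 0, keyword_buf);
    EXPECT_EQ(ret, 1);

    // Inc config has not yet taken effect, stream scan can hit compile
    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);
    maat_state_reset(state);

    sleep(WAIT_FOR_EFFECTIVE_S);

    // Inc config has taken effect, stream reference old expr_runtime, should not hit compile
    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_stream_free(sp);
    maat_state_free(state);
    sp = NULL;
    state = NULL;
}

/*
 * Same fixture as HsStreamScan, with the expression engine set to
 * MAAT_EXPR_ENGINE_RS.
 *
 * SetUpTestCase() flushes Redis database 0 at 127.0.0.1:6379 before creating
 * the shared instance, so the suite must only be run against a dedicated,
 * disposable Redis server.
 */
class RsStreamScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);

        /* A first, short-lived instance is created only to flush the DB. */
        _shared_maat_inst = maat_new(opts, g_table_info_path);
        assert(_shared_maat_inst != NULL);

        maat_cmd_flushDB(_shared_maat_inst);
        maat_free(_shared_maat_inst);

        maat_options_set_foreign_cont_dir(opts, "./foreign_files/");
        maat_options_set_gc_timeout_ms(opts, 0); // start GC immediately
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_expr_engine(opts, MAAT_EXPR_ENGINE_RS);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        /* Check the instance the tests actually use, as for the first one. */
        assert(_shared_maat_inst != NULL);
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
    }

    static struct maat *_shared_maat_inst;
};

struct maat *RsStreamScan::_shared_maat_inst;

/*
 * RS-engine counterpart of HsStreamScan.dynamic_config: an open stream hits
 * compile1_id until an incremental update takes effect and returns
 * MAAT_SCAN_OK for the same data afterwards.
 */
TEST_F(RsStreamScan, dynamic_config) {
    const char *scan_data1 = "www.cyberessays.com";
    const char *scan_data2 = "hello world cyberessays.com/search_results.php?"
                             "action=search&query=yulingjing,abckkk,1234567";
    const char *table_name = "HTTP_URL";
    const char *keywords1 = "hello";
    char keyword_buf[128];
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat *maat_inst = RsStreamScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    // STEP 1: add keywords1 and wait scan stream to hit
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = test_add_expr_command(maat_inst, table_name, compile1_id, 0, keywords1);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct maat_stream *sp = maat_stream_new(maat_inst, table_id, state);
    ASSERT_TRUE(sp != NULL);

    ret = maat_stream_scan(sp, scan_data1, strlen(scan_data1), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    // STEP 2: Inc config update, use same stream to scan and wait old expr_runtime invalid
    random_keyword_generate(keyword_buf, sizeof(keyword_buf));
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = test_add_expr_command(maat_inst, table_name, compile_id, 0, keyword_buf);
    EXPECT_EQ(ret, 1);

    // Inc config has not yet taken effect, stream scan can hit compile
    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    sleep(WAIT_FOR_EFFECTIVE_S);

    // Inc config has taken effect, stream reference old expr_runtime, should not hit compile
    ret = maat_stream_scan(sp, scan_data2, strlen(scan_data2), results,
                           ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_stream_free(sp);
    maat_state_free(state);
    sp = NULL;
    state = NULL;
}

/*
 * Fixture for the IP scan tests: loads g_json_filename into Redis database 0
 * at 127.0.0.1:6379 and creates a shared maat instance with accept tags set.
 *
 * NOTE(review): both failure paths only log. If the config load or
 * maat_new() fails, the tests still run against a NULL or empty instance;
 * consider failing fast here.
 */
class IPScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in IPScan failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *IPScan::_shared_maat_inst;
struct log_handle *IPScan::logger;

/* The unspecified IPv4 address 0.0.0.0 must not hit any IP_PLUS_CONFIG rule. */
TEST_F(IPScan, IPv4Unspecified) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str1[32] = "0.0.0.0";
    uint32_t sip1;
    int ret = inet_pton(AF_INET, ip_str1, &sip1);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4(maat_inst, table_id, sip1, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/* The IPv4 broadcast address 255.255.255.255 must not hit any IP_PLUS_CONFIG rule. */
TEST_F(IPScan, IPv4Broadcast) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str1[32] = "255.255.255.255";
    uint32_t sip1;
    int ret = inet_pton(AF_INET, ip_str1, &sip1);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4(maat_inst, table_id, sip1, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/* A scan of 100.64.3.1 is expected to hit exactly one result, id 169. */
TEST_F(IPScan, MatchSingleIPv4) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "100.64.3.1";
    uint32_t sip;
    int ret = inet_pton(AF_INET, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 169);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/* The unspecified IPv6 address "::" is expected to hit result 210. */
TEST_F(IPScan, IPv6Unspecified) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "::";
    uint8_t sip[16];
    int ret = inet_pton(AF_INET6, ip_str, sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 210);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
}

/* The all-ones IPv6 address must not hit any IP_PLUS_CONFIG rule. */
TEST_F(IPScan, IPv6Broadcast) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[64] = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
    uint8_t sip[16];
    int ret = inet_pton(AF_INET6, ip_str, sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
}

/* A scan of 1:1:1:1:1:1:1:1 is expected to hit exactly one result, id 210. */
TEST_F(IPScan, MatchSingleIPv6) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[64] = "1:1:1:1:1:1:1:1";
    uint8_t sip[16];
    int ret = inet_pton(AF_INET6, ip_str, sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 210);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/* A scan of 10.0.7.100 is expected to hit two results, 208 then 154. */
TEST_F(IPScan, MatchIPv4Range) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "10.0.7.100";
    uint32_t sip;
    int ret = inet_pton(AF_INET, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 208);
    EXPECT_EQ(results[1], 154);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * For 192.168.30.44 the scan with port 443 must not hit, while the scan with
 * port 80 on the same state must hit result 232.
 */
TEST_F(IPScan, MatchIPv4Port) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "192.168.30.44";
    uint32_t sip;
    int ret = inet_pton(AF_INET, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4_port(maat_inst, table_id, sip, 443, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_ipv4_port(maat_inst, table_id, sip, 80, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 232);

    maat_state_free(state);
    state = NULL;
}

/* A scan of 1001:da8:205:1::101 is expected to hit two results, 210 then 155. */
TEST_F(IPScan, MatchIPv6Range) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    /* Same table-id check as the other IP_PLUS_CONFIG tests. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "1001:da8:205:1::101";
    uint8_t sip[16];
    int ret = inet_pton(AF_INET6, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 210);
    EXPECT_EQ(results[1], 155);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * With port 443 the address 2607:5d00:2:2::32:28 is expected to hit results
 * 230 and 210; scanned without a port it must hit 210 only.
 */
TEST_F(IPScan, MatchIPv6Port) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    /* Same table-id check as the other IP_PLUS_CONFIG tests. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "2607:5d00:2:2::32:28";
    int port=443;
    uint8_t sip[16];
    int ret = inet_pton(AF_INET6, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6_port(maat_inst, table_id, sip, port, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 230);
    EXPECT_EQ(results[1], 210);
    maat_state_reset(state);

    //If the port is not present, should not match rules with port range. In this case, only rule 210 "::/0" should match.
    ret = maat_scan_ipv6(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 210);

    maat_state_free(state);
    state = NULL;
}

/*
 * Regression test: scanning 2409:8915:3430:7e7:8c9b:ff2a:7aa1:e74 against
 * IP_CONFIG must return MAAT_SCAN_OK.
 * NOTE(review): table_id is not validated here, unlike the sibling tests.
 */
TEST_F(IPScan, BugReport20210515) {
    const char *table_name = "IP_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    int table_id = maat_get_table_id(maat_inst, table_name);

    char ip_str[64] = "2409:8915:3430:7e7:8c9b:ff2a:7aa1:e74";
    uint8_t ip_addr[sizeof(struct in6_addr)];
    int ret = inet_pton(AF_INET6, ip_str, &ip_addr);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv6(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Adds a rule for 100.100.100.100 at run time, checks that the address goes
 * from no hit to a hit on the new compile id, then deletes the rule and
 * checks that the address no longer hits.
 */
TEST_F(IPScan, RuleUpdates) {
    const char *table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;

    /* Same table-id check as the other IP_PLUS_CONFIG tests. */
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    char ip_str[32] = "100.100.100.100";
    uint32_t sip;
    int ret = inet_pton(AF_INET, ip_str, &sip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id, compile_id, 0, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* ip table add line */
    long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = ip_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group_id,
                            "100.100.100.100", 0);
    EXPECT_EQ(ret, 1);

    /* Fixed wait for the update to become effective; timing-dependent. */
    sleep(WAIT_FOR_EFFECTIVE_S);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    /* ip table del line */
    ret = ip_table_set_line(maat_inst, table_name, MAAT_OP_DEL, item_id, group_id,
                            "100.100.100.100", 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table del line */
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL,
                                       group_id, compile_id, 0, table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* compile table del line */
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_free(state);
    state = NULL;
}

/*
 * Builds a compile with a source-IP group and a destination-IP group, then
 * deletes and re-adds the compile and its group links with different clause
 * numbers while a scan state from before the change is still alive. The
 * scans issued afterwards on that state must return MAAT_SCAN_OK with no
 * results.
 *
 * NOTE(review): the rules added here are not removed at the end of the test,
 * and the virtual and APP_ID table ids are used without validation.
 */
TEST_F(IPScan, RuleChangeClauseId) {
    //This test is a reproduce of bug OMPUB-1343.
    const char *src_table_name = "VIRTUAL_IP_PLUS_SOURCE";
    const char *dst_table_name = "VIRTUAL_IP_PLUS_DESTINATION";
    const char *phy_ip_table_name = "IP_PLUS_CONFIG";
    struct maat *maat_inst = IPScan::_shared_maat_inst;
    int thread_id = 0;
    int ret;

    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id1 = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id1, compile_id, 0, src_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* ip table add line */
    long long item_id1 = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = ip_table_set_line(maat_inst, phy_ip_table_name, MAAT_OP_ADD, item_id1,
                            group_id1, "1.1.1.1", 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id2 = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id2, compile_id, 0, dst_table_name, 2, 0);
    EXPECT_EQ(ret, 1);

    /* ip table add line */
    long long item_id2 = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = ip_table_set_line(maat_inst, phy_ip_table_name, MAAT_OP_ADD, item_id2,
                            group_id2, "11.11.11.11", 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    int src_table_id = maat_get_table_id(maat_inst, src_table_name);
    int dst_table_id = maat_get_table_id(maat_inst, dst_table_name);

    char sip1_str[32] = "1.1.1.1";
    char sip2_str[32] = "2.2.2.2";
    char dip_str[32] = "11.11.11.11";
    uint32_t sip1;
    uint32_t sip2;
    uint32_t dip;

    ret = inet_pton(AF_INET, sip1_str, &sip1);
    EXPECT_EQ(ret, 1);

    ret = inet_pton(AF_INET, sip2_str, &sip2);
    EXPECT_EQ(ret, 1);

    ret = inet_pton(AF_INET, dip_str, &dip);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    /* Only the destination clause is satisfied so far: half hit, no result. */
    ret = maat_scan_ipv4(maat_inst, dst_table_id, dip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    EXPECT_EQ(n_hit_result, 0);

    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL,
                                 compile_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table del line */
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL,
                                       group_id1, compile_id, 0, src_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL,
                                       group_id2, compile_id, 0, dst_table_name, 2, 0);
    EXPECT_EQ(ret, 1);

    /* The source group is re-added with clause number 2 instead of 1. */
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id1, compile_id, 0, src_table_name, 2, 0);
    EXPECT_EQ(ret, 1);

    const char *app_id_table_name = "APP_ID";
    int app_id_table_id = maat_get_table_id(maat_inst, app_id_table_name);

    /* group2compile table add line */
    long long group_id3 = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id3, compile_id, 0, app_id_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    /* The state is deliberately not reset, so it carries the earlier half hit. */
    //maat_state_reset(state);
    n_hit_result = 0;

    struct maat_hit_group group;
    group.item_id = 0;
    group.vtable_id = 0;
    group.group_id = group_id3;

    ret = maat_scan_group(maat_inst, app_id_table_id, &group, 1, results, ARRAY_SIZE,
                          &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    ret = maat_scan_ipv4(maat_inst, src_table_id, sip2, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    EXPECT_EQ(n_hit_result, 0);

    maat_state_free(state);
    state = NULL;
}

class IntervalScan : public testing::Test
{
protected:
    static void SetUpTestCase() {
        const char *accept_tags =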
"{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in IntervalScan failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *IntervalScan::_shared_maat_inst; struct log_handle *IntervalScan::logger; TEST_F(IntervalScan, IntegerRange) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "CONTENT_SIZE"; struct maat *maat_inst = IntervalScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); unsigned int scan_data1 = 2015; int ret = maat_scan_integer(maat_inst, table_id, scan_data1, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); unsigned int scan_data2 = 300; 
ret = maat_scan_integer(maat_inst, table_id, scan_data2, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); EXPECT_EQ(n_hit_result, 0); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(IntervalScan, SingleInteger) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "CONTENT_SIZE"; struct maat *maat_inst = IntervalScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); unsigned int scan_data1 = 3000; int ret = maat_scan_integer(maat_inst, table_id, scan_data1, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 218); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(IntervalScan, IntervalPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "INTERGER_PLUS"; struct maat *maat_inst = IntervalScan::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); const char *district_str = "interval.plus"; int ret = maat_state_set_scan_district(state, table_id, district_str, strlen(district_str)); EXPECT_EQ(ret, 0); unsigned int scan_data1 = 2020; ret = maat_scan_integer(maat_inst, table_id, scan_data1, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 2); EXPECT_EQ(results[0], 209); EXPECT_EQ(results[1], 179); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } class GroupScan : public testing::Test { 
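protected:
    /*
     * Creates the suite-wide maat instance from Redis.
     * NOTE(review): write_json_to_redis() is pointed at db 0 on 127.0.0.1:6379, so the
     * suite should run against a disposable Redis instance - confirm what it overwrites.
     * NOTE(review): both failure branches only log; the tests then run with whatever
     * _shared_maat_inst holds, including NULL.
     */
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);

        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in GroupScan failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *GroupScan::_shared_maat_inst;
struct log_handle *GroupScan::logger;

/* Feeds group 247 straight into KEYWORDS_TABLE and expects compile 226. */
TEST_F(GroupScan, PhysicalTable) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "KEYWORDS_TABLE";
    struct maat *maat_inst = GroupScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GE(table_id, 0);

    /* Zero the struct first: item_id is not assigned below and would otherwise
     * be handed to maat_scan_group() with an indeterminate value. */
    struct maat_hit_group hit_group;
    memset(&hit_group, 0, sizeof(hit_group));
    hit_group.group_id = 247;
    hit_group.vtable_id = table_id;

    int ret = maat_scan_group(maat_inst, table_id, &hit_group, 1, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 226);

    maat_state_free(state);
    state = NULL;
    sleep(2);
}

/* Feeds group 259 into HTTP_RESPONSE_KEYWORDS and expects compile 233. */
TEST_F(GroupScan, VirtualTable) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = GroupScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GE(table_id, 0);

    /* Zeroed so that the unassigned item_id is not read uninitialized. */
    struct maat_hit_group hit_group;
    memset(&hit_group, 0, sizeof(hit_group));
    hit_group.group_id = 259;
    hit_group.vtable_id = table_id;

    int ret = maat_scan_group(maat_inst, table_id, &hit_group, 1, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 233);

    maat_state_free(state);
    state = NULL;
    sleep(2);
}

/*
 * Selects COMPILE_FIREWALL_CONJUNCTION as the compile table for this state, then
 * feeds group 248 into KEYWORDS_TABLE and expects compile 227.
 */
TEST_F(GroupScan, SetScanCompileTable) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "KEYWORDS_TABLE";
    struct maat *maat_inst = GroupScan::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GE(table_id, 0);

    const char *compile_table_name = "COMPILE_FIREWALL_CONJUNCTION";
    int compile_table_id = maat_get_table_id(maat_inst, compile_table_name);
    int ret = maat_state_set_scan_compile_table(state, compile_table_id);
    EXPECT_EQ(ret, 0);

    /* Zeroed so that the unassigned item_id is not read uninitialized. */
    struct maat_hit_group hit_group;
    memset(&hit_group, 0, sizeof(hit_group));
    hit_group.group_id = 248;
    hit_group.vtable_id = table_id;

    ret = maat_scan_group(maat_inst, table_id, &hit_group, 1, results, ARRAY_SIZE,
                          &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 227);

    maat_state_free(state);
    state = NULL;
    sleep(2);
}

/*
 * Shared fixture for the NOT-clause tests. In these tests a compile that contains
 * a NOT clause is only ever reported by maat_scan_not_logic(), never by the scan
 * call itself.
 * NOTE(review): same Redis target (127.0.0.1:6379, db 0) and same log-only failure
 * handling as the other fixtures in this file.
 */
class NOTLogic : public testing::Test {
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);

        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in NOTLogic failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *NOTLogic::_shared_maat_inst;
struct log_handle *NOTLogic::logger;

/*
 * Compile 143 on HTTP_URL_FILTER: reported by the NOT-logic pass when only the
 * required keyword is present, not reported when the excluded keyword is present too.
 */
TEST_F(NOTLogic, OneRegion) {
    const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-143.";
    const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-143 "
                                        "and must-not-contained-string-of-rule-143.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_name = "HTTP_URL_FILTER";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 143);
    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, table_id, string_should_not_hit,
                           strlen(string_should_not_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Compile 144: required keyword in HTTP_URL_FILTER, excluded keyword in
 * HTTP_RESPONSE_KEYWORDS, with the NOT table scanned last.
 */
TEST_F(NOTLogic, ScanNotAtLast) {
    const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144.";
    const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-144 "
                                        "and must-not-contained-string-of-rule-144.";
    const char *string_contain_nothing = "This string contains nothing.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *hit_table_name = "HTTP_URL_FILTER";
    const char *not_hit_table_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    // scan string_should_hit(HTTP_URL_FILTER) & string_should_not_hit(HTTP_RESPONSE_KEYWORDS) => not hit compile
    int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                               strlen(string_should_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    ASSERT_GT(not_hit_table_id, 0);

    ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit,
                           strlen(string_should_not_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, not_hit_table_id, string_contain_nothing,
                           strlen(string_contain_nothing), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    //scan string_should_hit(HTTP_URL_FILTER) & nothing(HTTP_RESPONSE_KEYWORDS) => hit compile144
    ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                           strlen(string_should_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, not_hit_table_id, string_contain_nothing,
                           strlen(string_contain_nothing), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 144);

    maat_state_free(state);
    state = NULL;
}

/*
 * Compile 144 again, but the last scan is an irrelevant string on the NOT table:
 * the NOT-logic pass on HTTP_URL_FILTER reports nothing, the one on
 * HTTP_RESPONSE_KEYWORDS reports 144.
 */
TEST_F(NOTLogic, ScanIrrelavantAtLast) {
    const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144.";
    const char *string_irrelevant = "This string contains nothing to hit.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *hit_table_name = "HTTP_URL_FILTER";
    const char *not_hit_table_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                               strlen(string_should_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    /* Validate the id that was just looked up, not hit_table_id a second time. */
    ASSERT_GT(not_hit_table_id, 0);

    ret = maat_scan_string(maat_inst, not_hit_table_id, string_irrelevant,
                           strlen(string_irrelevant), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 144);

    maat_state_free(state);
    state = NULL;
}

/*
 * A string that hits nothing, then 10.0.8.186 on IP_PLUS_CONFIG (expects compile
 * 186), then a string scan and NOT-logic pass on EMPTY_KEYWORD, which must stay
 * MAAT_SCAN_OK.
 */
TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) {
    const char *string_should_not_hit = "This string should not hit.";
    const char *string_match_no_region = "This string is matched against a empty table.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *not_hit_table_name = "HTTP_URL_FILTER";
    const char *hit_table_name = "IP_PLUS_CONFIG";
    const char *empty_table_name = "EMPTY_KEYWORD";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    ASSERT_GT(not_hit_table_id, 0);

    int ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit,
                               strlen(string_should_not_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Check the parse result as the IPScan tests do; sip stays unset on failure. */
    uint32_t sip;
    ret = inet_pton(AF_INET, "10.0.8.186", &sip);
    EXPECT_EQ(ret, 1);

    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    ret = maat_scan_ipv4(maat_inst, hit_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 186);

    ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    int empty_table_id = maat_get_table_id(maat_inst, empty_table_name);
    ASSERT_GT(empty_table_id, 0);

    ret = maat_scan_string(maat_inst, empty_table_id, string_match_no_region,
                           strlen(string_match_no_region), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, empty_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Same shape as ScanHitAtLastEmptyExpr, with 10.0.8.187 (expects compile 187) and
 * an integer scan on EMPTY_INTERGER as the last step.
 */
TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) {
    const char *string_should_not_hit = "This string should not hit.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *not_hit_table_name = "HTTP_URL_FILTER";
    const char *hit_table_name = "IP_PLUS_CONFIG";
    const char *empty_table_name = "EMPTY_INTERGER";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    ASSERT_GT(not_hit_table_id, 0);

    int ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit,
                               strlen(string_should_not_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Check the parse result as the IPScan tests do; sip stays unset on failure. */
    uint32_t sip;
    ret = inet_pton(AF_INET, "10.0.8.187", &sip);
    EXPECT_EQ(ret, 1);

    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    ret = maat_scan_ipv4(maat_inst, hit_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 187);

    ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    int empty_table_id = maat_get_table_id(maat_inst, empty_table_name);
    ASSERT_GT(empty_table_id, 0);

    ret = maat_scan_integer(maat_inst, empty_table_id, 2015, results, ARRAY_SIZE,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, empty_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Compile 145: required keyword in HTTP_URL, NOT clause on VIRTUAL_IP_CONFIG.
 * The section comments below follow the asserted results: 10.0.6.205 scans as
 * MAAT_SCAN_OK and 145 is reported; 10.0.6.201 scans as a half hit and it is not.
 */
TEST_F(NOTLogic, ScanNotIP) {
    const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-145.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *hit_table_name = "HTTP_URL";
    const char *not_hit_table_name = "VIRTUAL_IP_CONFIG";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    // scan string_should_hit(HTTP_URL) & not hit ip(VIRTUAL_IP_CONFIG) => hit compile145
    int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                               strlen(string_should_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    uint32_t sip;
    ret = inet_pton(AF_INET, "10.0.6.205", &sip);
    EXPECT_EQ(ret, 1);

    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    ASSERT_GT(not_hit_table_id, 0);

    ret = maat_scan_ipv4(maat_inst, not_hit_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 145);
    maat_state_reset(state);

    // scan string_should_hit(HTTP_URL) & hit ip(VIRTUAL_IP_CONFIG) => not hit compile
    ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                           strlen(string_should_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = inet_pton(AF_INET, "10.0.6.201", &sip);
    EXPECT_EQ(ret, 1);

    ret = maat_scan_ipv4(maat_inst, not_hit_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Compile 221: keyword in HTTP_URL plus a NOT clause on HTTP_REQUEST_HEADER scanned
 * under the "User-Agent" district. The district is set again after
 * maat_state_reset() before the second header scan.
 */
TEST_F(NOTLogic, ScanNotWithDistrict) {
    const char *string1 = "This string ONLY contains scan_with_district_221.";
    const char *string2 = "This string contains User-Agent:Mozilla/5.0";
    const char *string3 = "This string contains User-Agent:Chrome";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *url_table_name = "HTTP_URL";
    const char *virtual_table_name = "HTTP_REQUEST_HEADER";
    const char *district_str1 = "User-Agent";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int url_table_id = maat_get_table_id(maat_inst, url_table_name);
    ASSERT_GT(url_table_id, 0);

    // scan string1(HTTP_URL) & string2(HTTP_REQUEST_HEADER) => not hit compile
    int ret = maat_scan_string(maat_inst, url_table_id, string1, strlen(string1),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    int virtual_table_id = maat_get_table_id(maat_inst, virtual_table_name);
    ASSERT_GT(virtual_table_id, 0);

    ret = maat_state_set_scan_district(state, virtual_table_id, district_str1,
                                       strlen(district_str1));
    ASSERT_EQ(ret, 0);

    ret = maat_scan_string(maat_inst, virtual_table_id, string2, strlen(string2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, virtual_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    // scan string1(HTTP_URL) & string3(HTTP_REQUEST_HEADER) => hit compile221
    ret = maat_scan_string(maat_inst, url_table_id, string1, strlen(string1),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_state_set_scan_district(state, virtual_table_id, district_str1,
                                       strlen(district_str1));
    ASSERT_EQ(ret, 0);

    ret = maat_scan_string(maat_inst, virtual_table_id, string3, strlen(string3),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, virtual_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 221);

    maat_state_free(state);
    state = NULL;
}

TEST_F(NOTLogic,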
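NotUrlAndNotIp) {
    /*
     * Compile 146: required keyword in HTTP_URL_FILTER with NOT clauses on both
     * HTTP_RESPONSE_KEYWORDS and VIRTUAL_IP_CONFIG. It is reported only in the third
     * scenario, where neither NOT table is hit.
     */
    const char *string_should_half_hit = "This string ONLY contains must-contained-string-of-rule-146.";
    const char *string_should_not_hit = "This string contains must-contained-string-of-rule-146 and "
                                        "must-contained-not-string-of-rule-146.";
    const char *string_nothing = "This string contain nothing";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *url_table_name = "HTTP_URL_FILTER";
    const char *ip_table_name = "VIRTUAL_IP_CONFIG";
    const char *http_table_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int url_table_id = maat_get_table_id(maat_inst, url_table_name);
    ASSERT_GT(url_table_id, 0);

    //scan string_should_half_hit(HTTP_URL_FILTER) & hit ip(VIRTUAL_IP_CONFIG) => not hit compile
    int ret = maat_scan_string(maat_inst, url_table_id, string_should_half_hit,
                               strlen(string_should_half_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, url_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* Check the parse result as the IPScan tests do; sip stays unset on failure. */
    uint32_t sip;
    ret = inet_pton(AF_INET, "10.0.6.201", &sip);
    EXPECT_EQ(ret, 1);

    int ip_table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(ip_table_id, 0);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    // scan string_should_not_hit(HTTP_RESPONSE_KEYWORDS) & not hit ip(VIRTUAL_IP_CONFIG) => not hit compile
    int http_table_id = maat_get_table_id(maat_inst, http_table_name);
    ASSERT_GT(http_table_id, 0);

    ret = maat_scan_string(maat_inst, http_table_id, string_should_not_hit,
                           strlen(string_should_not_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, http_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = inet_pton(AF_INET, "10.1.0.0", &sip);
    EXPECT_EQ(ret, 1);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    maat_state_reset(state);

    // scan string_should_half_hit(HTTP_URL_FILTER) & nothing(HTTP_RESPONSE_KEYWORDS)
    // & not hit ip(VIRTUAL_IP_CONFIG) => hit compile146
    ret = maat_scan_string(maat_inst, url_table_id, string_should_half_hit,
                           strlen(string_should_half_hit), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, http_table_id, string_nothing, strlen(string_nothing),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, http_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = inet_pton(AF_INET, "10.1.0.0", &sip);
    EXPECT_EQ(ret, 1);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 146);

    maat_state_free(state);
    state = NULL;
}

/*
 * Compile 224: NOT clause on the physical table KEYWORDS_TABLE plus a required
 * keyword in HTTP_RESPONSE_KEYWORDS. Here the final hit is returned by
 * maat_scan_string() itself.
 */
TEST_F(NOTLogic, NotPhysicalTable) {
    const char *string1 = "This string ONLY contains not_logic_compile_224_1.";
    const char *string2 = "This string ONLY contains not_logic_compile_224_2.";
    const char *string3 = "This string ONLY contains nothing.";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *phy_table_name = "KEYWORDS_TABLE";
    const char *vtable_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int phy_table_id = maat_get_table_id(maat_inst, phy_table_name);
    ASSERT_GT(phy_table_id, 0);
    int vtable_id = maat_get_table_id(maat_inst, vtable_name);
    ASSERT_GT(vtable_id, 0);

    // scan hit string1(KEYWORDS_TABLE) & hit string2(HTTP_RESPONSE_KEYWORDS) => not hit compile
    int ret = maat_scan_string(maat_inst, phy_table_id, string1, strlen(string1),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, phy_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, vtable_id, string2, strlen(string2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    maat_state_reset(state);

    //scan not hit string1(KEYWORDS_TABLE) & hit string2(HTTP_RESPONSE_KEYWORDS) => hit compile224
    ret = maat_scan_string(maat_inst, phy_table_id, string3, strlen(string3),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, phy_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, vtable_id, string2, strlen(string2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 224);

    maat_state_free(state);
    state = NULL;
}

/*
 * Scans the same non-matching string against HTTP_RESPONSE_KEYWORDS_1 .. _8 in
 * order, running the NOT-logic pass after each scan. The pass stays MAAT_SCAN_OK
 * for the first seven tables and reports compile 147 after the eighth.
 */
TEST_F(NOTLogic, EightNotClause) {
    const char *string_nothing = "This string contain nothing";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *table_names[] = {
        "HTTP_RESPONSE_KEYWORDS_1", "HTTP_RESPONSE_KEYWORDS_2",
        "HTTP_RESPONSE_KEYWORDS_3", "HTTP_RESPONSE_KEYWORDS_4",
        "HTTP_RESPONSE_KEYWORDS_5", "HTTP_RESPONSE_KEYWORDS_6",
        "HTTP_RESPONSE_KEYWORDS_7", "HTTP_RESPONSE_KEYWORDS_8",
    };
    const size_t n_tables = sizeof(table_names) / sizeof(table_names[0]);
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    for (size_t i = 0; i < n_tables; i++) {
        int table_id = maat_get_table_id(maat_inst, table_names[i]);
        ASSERT_GT(table_id, 0) << table_names[i];

        int ret = maat_scan_string(maat_inst, table_id, string_nothing, strlen(string_nothing),
                                   results, ARRAY_SIZE, &n_hit_result, state);
        EXPECT_EQ(ret, MAAT_SCAN_OK) << table_names[i];

        /* Only the pass after the last table is expected to report the compile. */
        ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                                  &n_hit_result, state);
        if (i + 1 < n_tables) {
            EXPECT_EQ(ret, MAAT_SCAN_OK) << table_names[i];
        } else {
            EXPECT_EQ(ret, MAAT_SCAN_HIT) << table_names[i];
        }
    }

    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 147);

    maat_state_free(state);
    state = NULL;
}

TEST_F(NOTLogic, NotClauseAndExcludeGroup1) {
    const char *string_should_not_hit = "This string ONLY contains must-contained-string-of-rule-200 and "
                                        "must-not-contained-string-of-rule-200";
    const char *string_should_half_hit = "This string ONLY contains must-contained-string-of-rule-200";
    const char *string_nothing = "This string contain nothing";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *url_table_name = "HTTP_URL_FILTER";
    const char *http_table_name = "HTTP_RESPONSE_KEYWORDS";
    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    int url_table_id = maat_get_table_id(maat_inst, url_table_name);
    ASSERT_GT(url_table_id, 0);
    int ret = maat_scan_string(maat_inst, url_table_id, string_should_not_hit,
                               strlen(string_should_not_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    ret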
= maat_scan_not_logic(maat_inst, url_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, url_table_id, string_should_half_hit, strlen(string_should_half_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, url_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int http_table_id = maat_get_table_id(maat_inst, http_table_name); ASSERT_GT(http_table_id, 0); ret = maat_scan_string(maat_inst, http_table_id, string_nothing, strlen(string_nothing), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, http_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 216); maat_state_free(state); state = NULL; }

/*
 * Runs the same keyword text twice against HTTP_RESPONSE_KEYWORDS, each time
 * followed by a different URL text against HTTP_URL_FILTER, with a state reset
 * in between. The expectations pin the outcome: the "mail." URL text yields no
 * rule, the "www." URL text yields rule 217 from the NOT-logic pass.
 */
TEST_F(NOTLogic, NotClauseAndExcludeGroup2)
{
    const char *mail_host_text = "This string ONLY contains mail.string-of-rule-217.com";
    const char *www_host_text = "This string ONLY contains www.string-of-rule-217.com";
    const char *keyword_text = "This string contain keywords-for-compile-217";
    const char *url_table_name = "HTTP_URL_FILTER";
    const char *http_table_name = "HTTP_RESPONSE_KEYWORDS";

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;

    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int url_table_id = maat_get_table_id(maat_inst, url_table_name);
    ASSERT_GT(url_table_id, 0);

    int http_table_id = maat_get_table_id(maat_inst, http_table_name);
    ASSERT_GT(http_table_id, 0);

    // Round 1: keyword text, then the "mail." URL text => no rule reported.
    int ret = maat_scan_string(maat_inst, http_table_id, keyword_text,
                               strlen(keyword_text), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, http_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, url_table_id, mail_host_text,
                           strlen(mail_host_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, url_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    // Start the second round from a clean scan state.
    maat_state_reset(state);

    // Round 2: keyword text, then the "www." URL text => rule 217 reported.
    ret = maat_scan_string(maat_inst, http_table_id, keyword_text,
                           strlen(keyword_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, http_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, url_table_id, www_host_text,
                           strlen(www_host_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, url_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 217);

    maat_state_free(state);
    state = NULL;
}

TEST_F(NOTLogic, SingleNotClause) { const char *string_nothing = "nothing string"; const char *string_should_hit = "string has not_logic_keywords_222"; const char *table_name = "HTTP_NOT_LOGIC_1"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); //string_should_hit(HTTP_NOT_LOGIC_1) => not hit compile int ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); //string nothing(HTTP_NOT_LOGIC_1) => hit compile222 ret = maat_scan_string(maat_inst, table_id, string_nothing, strlen(string_nothing), results, ARRAY_SIZE, &n_hit_result,
state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 222); maat_state_free(state); state = NULL; }

/*
 * Exercises a rule described in the test as
 *     compile223 = !string1 & !string2 & !string3
 * on table HTTP_NOT_LOGIC. Three cases each present one of the clause strings
 * and expect no rule; the fourth presents none of them and expects rule 223
 * from the NOT-logic pass.
 *
 * NOTE(review): the three clause strings below are byte-identical (all end in
 * "_223_1"), although the cases are labelled as three different clauses. If
 * the rule file defines distinct keywords for the second and third clause,
 * cases 2 and 3 repeat case 1 instead of covering them - confirm against the
 * rule definition for 223.
 */
TEST_F(NOTLogic, MultiNotClauses)
{
    const char *no_keyword_text = "nothing string";
    const char *clause1_text = "string has not_logic_compile_223_1";
    const char *clause2_text = "string has not_logic_compile_223_1";
    const char *clause3_text = "string has not_logic_compile_223_1";
    const char *table_name = "HTTP_NOT_LOGIC";

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;

    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    // Case 1: string1 present, string2 and string3 absent => no rule.
    int ret = maat_scan_string(maat_inst, table_id, clause1_text,
                               strlen(clause1_text), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, table_id, no_keyword_text,
                           strlen(no_keyword_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Case 2: string2 present, string1 and string3 absent => no rule.
    ret = maat_scan_string(maat_inst, table_id, no_keyword_text,
                           strlen(no_keyword_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, table_id, clause2_text,
                           strlen(clause2_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Case 3: string3 present, string1 and string2 absent => no rule.
    ret = maat_scan_string(maat_inst, table_id, no_keyword_text,
                           strlen(no_keyword_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, table_id, clause3_text,
                           strlen(clause3_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Case 4: none of the three strings present => rule 223 is reported.
    ret = maat_scan_string(maat_inst, table_id, no_keyword_text,
                           strlen(no_keyword_text), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 223);

    maat_state_free(state);
    state = NULL;
}

TEST_F(NOTLogic, MultiGroupsInOneNotClause) { const char *src_asn1 = "AS1234"; const char *src_asn2 = "AS6789"; const char *src_asn3 = "AS9001"; const char *src_asn_nothing = "nothing string"; const char *dst_asn = "AS2345"; const char *src_asn_table_name = "ASN_NOT_LOGIC"; const char *dst_asn_table_name = "DESTINATION_IP_ASN"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); //-------------------------------------- // Source ASN1 & Dest ASN => not hit compile //-------------------------------------- int src_table_id = maat_get_table_id(maat_inst, src_asn_table_name); ASSERT_GT(src_table_id, 0); int ret = maat_scan_string(maat_inst, src_table_id, src_asn1, strlen(src_asn1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int dst_table_id = maat_get_table_id(maat_inst, dst_asn_table_name); ASSERT_GT(dst_table_id, 0); ret = maat_scan_string(maat_inst, dst_table_id,
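dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_reset(state); //-------------------------------------- // Source ASN2 & Dest ASN => not hit compile //-------------------------------------- ret = maat_scan_string(maat_inst, src_table_id, src_asn2, strlen(src_asn2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_reset(state); //-------------------------------------- // Source ASN3 & Dest ASN => not hit compile //-------------------------------------- ret = maat_scan_string(maat_inst, src_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_reset(state); // Source nothing & Dest ASN => hit compile177 ret = maat_scan_string(maat_inst, src_table_id, src_asn_nothing, strlen(src_asn_nothing),results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 177); maat_state_free(state); state = NULL; }

/*
 * Combines a NOT clause with a SOURCE_IP_GEO match in five rounds, resetting
 * the scan state between rounds. Rounds 1-3 use SOURCE_IP_ASN as the NOT-side
 * table, rounds 4-5 use IP_PLUS_CONFIG. The expectations pin the outcome:
 * rule 181 is reported by the NOT-logic pass only in the rounds where the
 * NOT-side scan returned MAAT_SCAN_OK (rounds 2 and 5).
 *
 * Each inet_pton() result is asserted, so the test stops instead of scanning
 * with an unset address if a conversion ever fails.
 */
TEST_F(NOTLogic, MultiLiteralsInOneNotClause)
{
    const char *src_asn1 = "AS1234";
    const char *src_asn2 = "AS6789";
    const char *src_nothing = "nothing";
    const char *my_county = "Greece.Sparta";
    const char *ip_table_name = "IP_PLUS_CONFIG";
    const char *src_asn_table_name = "SOURCE_IP_ASN";
    const char *ip_geo_table_name = "SOURCE_IP_GEO";

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;

    struct maat *maat_inst = NOTLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int src_table_id = maat_get_table_id(maat_inst, src_asn_table_name);
    ASSERT_GT(src_table_id, 0);

    int ip_geo_table_id = maat_get_table_id(maat_inst, ip_geo_table_name);
    ASSERT_GT(ip_geo_table_id, 0);

    int ip_table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(ip_table_id, 0);

    // Round 1: Source ASN1 & IP Geo => no rule.
    int ret = maat_scan_string(maat_inst, src_table_id, src_asn1, strlen(src_asn1),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Round 2: Source nothing & IP Geo => rule 181.
    ret = maat_scan_string(maat_inst, src_table_id, src_nothing, strlen(src_nothing),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 181);

    maat_state_reset(state);

    // Round 3: Source ASN2 & IP Geo => no rule.
    ret = maat_scan_string(maat_inst, src_table_id, src_asn2, strlen(src_asn2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Round 4: hit IP & IP Geo => no rule.
    // The value is passed on exactly as inet_pton() stored it.
    // NOTE(review): presumably maat_scan_ipv4() expects that byte order - confirm.
    uint32_t ip_addr = 0;
    ASSERT_EQ(inet_pton(AF_INET, "192.168.40.88", &ip_addr), 1);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    // Round 5: not hit IP & IP Geo => rule 181.
    ASSERT_EQ(inet_pton(AF_INET, "192.168.40.89", &ip_addr), 1);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 181);

    maat_state_free(state);
    state = NULL;
}

TEST_F(NOTLogic, SameVtableInMultiClause) { const char *src_asn1 = "AS1234"; const char *src_asn2 = "AS9002"; const char *src_asn3 = "AS9003"; const char *my_county = "Greece.Sparta"; const char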
*ip_table_name = "IP_PLUS_CONFIG"; const char *dst_asn_table_name = "DESTINATION_IP_ASN"; const char *ip_geo_table_name = "SOURCE_IP_GEO"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int dst_table_id = maat_get_table_id(maat_inst, dst_asn_table_name); ASSERT_GT(dst_table_id, 0); int ip_geo_table_id = maat_get_table_id(maat_inst, ip_geo_table_name); ASSERT_GT(ip_geo_table_id, 0); int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); uint32_t ip_addr; inet_pton(AF_INET, "192.168.40.88", &ip_addr); //------------------------------------------- // Dest ASN1 & Dest ASN3 & IP Config //------------------------------------------- int ret = maat_scan_string(maat_inst, dst_table_id, src_asn1, strlen(src_asn1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_string(maat_inst, dst_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); //------------------------------------------- // Dest ASN2 & Dest ASN3 & IP Config //------------------------------------------- ret = maat_scan_string(maat_inst, dst_table_id, src_asn2, strlen(src_asn2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_string(maat_inst, dst_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = 
maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_reset(state); //------------------------------------------- // Dest IP Geo & Dest ASN3 & IP Config //------------------------------------------- ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, ip_geo_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); maat_state_reset(state); //------------------------------------------- // Dest ASN3 & IP Geo //------------------------------------------- ret = maat_scan_string(maat_inst, dst_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 185); maat_state_reset(state); //-------------------------------------- // IP Config & IP Geo //-------------------------------------- ret = maat_scan_string(maat_inst, dst_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); inet_pton(AF_INET, "192.168.40.89", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, 
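&n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; }

/*
 * Fixture for the exclude-group tests. One maat instance, fed from Redis, is
 * created once for the whole suite and shared by every test through
 * _shared_maat_inst.
 */
class ExcludeLogic : public testing::Test
{
protected:
    /*
     * Suite-wide setup: pushes the JSON rule file into Redis, then builds the
     * shared maat instance on top of that Redis database.
     *
     * The Redis endpoint is hard-coded to 127.0.0.1:6379, database 0, and only
     * address, port and database index are handed to maat_options_set_redis().
     * NOTE(review): write_json_to_redis() presumably changes the contents of
     * that database, so it should be a disposable test instance - confirm
     * before running on a host whose Redis holds other data.
     */
    static void SetUpTestCase()
    {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);

        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
            // NOTE(review): setup carries on after this failure, so the instance
            // below is built from whatever the database already holds - confirm
            // that this is intended.
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in ExcludeLogic failed.", __FUNCTION__, __LINE__);
        }

        // Report the missing instance to gtest too, not only to the log file:
        // every test in this suite passes the pointer straight to maat_state_new().
        ASSERT_TRUE(_shared_maat_inst != NULL);
    }

    /* Suite-wide teardown: releases the shared instance and the log handle. */
    static void TearDownTestCase()
    {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;      // log handle created in SetUpTestCase()
    static struct maat *_shared_maat_inst; // instance shared by all tests of the suite
};

struct maat *ExcludeLogic::_shared_maat_inst;
struct log_handle *ExcludeLogic::logger;

TEST_F(ExcludeLogic, ScanExcludeAtFirst) { const char *string_should_not_hit = "This string ONLY contains must-not-contained-string-of-rule-199."; const char *string_should_hit = "This string contains must-contained-string-of-rule-199"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *not_hit_table_name =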
"KEYWORDS_TABLE"; const char *hit_table_name = "HTTP_URL"; struct maat *maat_inst = ExcludeLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name); ASSERT_GT(not_hit_table_id, 0); int ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int hit_table_id = maat_get_table_id(maat_inst, hit_table_name); ASSERT_GT(hit_table_id, 0); ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit, strlen(string_should_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 199); ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(ExcludeLogic, ScanExcludeAtLast) { const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-200."; const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-200" " and must-not-contained-string-of-rule-200."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "HTTP_URL"; struct maat *maat_inst = ExcludeLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); 
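maat_state_reset(state); ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 200); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; }

/*
 * Scans a string that hits rule 200 on HTTP_URL, then scans an unrelated
 * string on KEYWORDS_TABLE with the same scan state. The expectations pin the
 * outcome: the first scan reports rule 200, and neither the later scan nor any
 * NOT-logic pass reports anything further.
 */
TEST_F(ExcludeLogic, ScanIrrelavantAtLast)
{
    const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-200.";
    const char *string_irrelevant = "This string contains nothing to hit.";
    const char *hit_table_name = "HTTP_URL";
    const char *not_hit_table_name = "KEYWORDS_TABLE";

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;

    struct maat *maat_inst = ExcludeLogic::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int hit_table_id = maat_get_table_id(maat_inst, hit_table_name);
    ASSERT_GT(hit_table_id, 0);

    int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit,
                               strlen(string_should_hit), results, ARRAY_SIZE,
                               &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 200);

    ret = maat_scan_not_logic(maat_inst, hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);
    // Validate the id that was just looked up. The check used to re-test
    // hit_table_id, so a failed KEYWORDS_TABLE lookup went unnoticed and the
    // scans below ran with an invalid table id.
    ASSERT_GT(not_hit_table_id, 0);

    ret = maat_scan_string(maat_inst, not_hit_table_id, string_irrelevant,
                           strlen(string_irrelevant), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, not_hit_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(ExcludeLogic, ScanVirtualTable) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = ExcludeLogic::_shared_maat_inst; struct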
maat_state *state = maat_state_new(maat_inst, thread_id); const char *table_name = "VIRTUAL_IP_PLUS_TABLE"; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); uint32_t should_hit_ip; uint32_t should_not_hit_ip; inet_pton(AF_INET, "100.64.1.1", &should_hit_ip); int ret = maat_scan_ipv4(maat_inst, table_id, should_hit_ip, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 202); maat_state_reset(state); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "100.64.1.5", &should_hit_ip); ret = maat_scan_ipv4(maat_inst, table_id, should_hit_ip, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 202); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); inet_pton(AF_INET, "100.64.1.6", &should_not_hit_ip); ret = maat_scan_ipv4(maat_inst, table_id, should_not_hit_ip, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); inet_pton(AF_INET, "100.64.1.11", &should_not_hit_ip); ret = maat_scan_ipv4(maat_inst, table_id, should_not_hit_ip, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } TEST_F(ExcludeLogic, ScanWithMultiClause) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = ExcludeLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *ip_table_name = "VIRTUAL_IP_PLUS_TABLE"; 
int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); uint32_t ip_addr; inet_pton(AF_INET, "192.168.50.43", &ip_addr); int ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "47.92.108.93", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *expr_table_name = "HTTP_RESPONSE_KEYWORDS"; int expr_table_id = maat_get_table_id(maat_inst, expr_table_name); ASSERT_GT(expr_table_id, 0); const char *should_not_hit_expr = "www.jianshu.com"; ret = maat_scan_string(maat_inst, expr_table_id, should_not_hit_expr, strlen(should_not_hit_expr), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *should_hit_expr = "mail.jianshu.com"; ret = maat_scan_string(maat_inst, expr_table_id, should_hit_expr, strlen(should_hit_expr), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 203); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(ExcludeLogic, ExcludeInDifferentLevel) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = ExcludeLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *ip_table_name = "VIRTUAL_IP_PLUS_TABLE"; int ip_table_id = 
maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); uint32_t ip_addr; inet_pton(AF_INET, "100.64.2.1", &ip_addr); int ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); inet_pton(AF_INET, "100.64.2.6", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *expr_table_name = "HTTP_RESPONSE_KEYWORDS"; int expr_table_id = maat_get_table_id(maat_inst, expr_table_name); ASSERT_GT(expr_table_id, 0); const char *should_not_hit_expr1 = "www.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_id, should_not_hit_expr1, strlen(should_not_hit_expr1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *should_not_hit_expr2 = "mail.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_id, should_not_hit_expr2, strlen(should_not_hit_expr2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *should_hit_expr = "hit.baidu.com"; ret = maat_scan_string(maat_inst, expr_table_id, should_hit_expr, strlen(should_hit_expr), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 204); ret = maat_scan_not_logic(maat_inst, expr_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } void 
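maat_read_entry_start_cb(int update_type, void *u_para)
{
    /* Nothing to do: the Callback test only needs a start hook to register. */
}

/*
 * Row callback registered for QD_ENTRY_INFO by TEST_F(PluginTable, Callback).
 *
 * Parses one tab-separated table line (seq, IPv4 text, entry id, valid flag)
 * and, for the row whose address is 192.168.0.1, expects is_valid == 1 and
 * entry_id == 101. Rows with any other address are ignored.
 *
 * table_line comes from the rule source, so the string field is read with an
 * explicit width: the original bare "%s" could write past the 16-byte ip_str
 * buffer on an over-long column.
 */
void maat_read_entry_cb(int table_id, const char *table_line, void *u_para)
{
    char ip_str[16] = {0};  /* 15 characters of dotted quad plus the NUL */
    int entry_id = -1, seq = -1;
    unsigned int ip_uint = 0;
    int is_valid = 0;
    unsigned int local_ip_nr = 16820416; //192.168.0.1 (as inet_pton stores it on a little-endian host)

    /* Fields keep their defaults when the line is short or malformed. */
    sscanf(table_line, "%d\t%15s\t%d\t%d", &seq, ip_str, &entry_id, &is_valid);

    /* An unparsable address can never be the row under test. */
    if (inet_pton(AF_INET, ip_str, &ip_uint) != 1) {
        return;
    }

    if (local_ip_nr == ip_uint) {
        EXPECT_EQ(is_valid, 1);
        EXPECT_EQ(entry_id, 101);
    }
}

void maat_read_entry_finish_cb(void *u_para)
{
    /* Nothing to do: the Callback test only needs a finish hook to register. */
}

/*
 * Fixture shared by the PluginTable tests: writes g_json_filename to the
 * Redis instance at 127.0.0.1:6379 (db 0) and creates one maat instance
 * that reads its rules from that Redis.
 *
 * NOTE(review): the suite writes to whatever Redis listens on that address;
 * presumably this replaces existing rule data in db 0, so run it against a
 * disposable instance only. Confirm against write_json_to_redis().
 */
class PluginTable : public testing::Test
{
protected:
    static void SetUpTestCase()
    {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_DEBUG);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            // NOTE(review): failure is only logged; the tests below then run
            // with a NULL instance (the JsonUpdate fixture asserts here).
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in PluginTable failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase()
    {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *PluginTable::_shared_maat_inst;
struct log_handle *PluginTable::logger;

/* Registers the three read-entry callbacks on QD_ENTRY_INFO and expects success. */
TEST_F(PluginTable, Callback)
{
    const char *table_name = "QD_ENTRY_INFO";
    struct maat *maat_inst = PluginTable::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);

    int ret = maat_table_callback_register(maat_inst, table_id,
                                           maat_read_entry_start_cb,
                                           maat_read_entry_cb,
                                           maat_read_entry_finish_cb,
                                           maat_inst);
    EXPECT_EQ(ret, 0);
}

/* Ex-data attached to each plugin-table row by plugin_EX_new_cb. */
struct plugin_ud {
    char key[32];
    char value[32];
    int id;
};

/*
 * Ex-data constructor: parses "id \t key \t value \t valid \t tag" from
 * table_line into a freshly allocated plugin_ud, stores it in *ad and bumps
 * the int counter passed through argp.
 *
 * The two string fields are read with a width of 31 so that an over-long
 * column cannot write past key[32] / value[32]; the original bare "%s"
 * conversions had no bound.
 *
 * NOTE(review): argp is the address of a counter local to the registering
 * test. If the table can be reloaded after that test returns, this callback
 * would write through a dangling pointer - confirm the callback lifetime.
 */
void plugin_EX_new_cb(const char *table_name, int table_id, const char *key,
                      const char *table_line, void **ad, long argl, void *argp)
{
    int *counter = (int *)argp;
    int valid = 0, tag = 0;
    struct plugin_ud *ud = ALLOC(struct plugin_ud, 1);

    int ret = sscanf(table_line, "%d\t%31s\t%31s\t%d\t%d",
                     &(ud->id), ud->key, ud->value, &valid, &tag);
    EXPECT_EQ(ret, 5);

    *ad = ud;
    (*counter)++;
}

/* Ex-data destructor: wipes and frees the plugin_ud in *ad, then clears *ad. */
void plugin_EX_free_cb(int table_id, void **ad, long argl, void *argp)
{
    struct plugin_ud *ud = (struct plugin_ud *)(*ad);
    if (ud == NULL) {
        return;  /* nothing attached; memset(NULL, ...) would be undefined */
    }

    memset(ud, 0, sizeof(struct plugin_ud));
    free(ud);
    *ad = NULL;
}

/*
 * Ex-data dup: hands out the same pointer, no copy is made.
 * NOTE(review): callers therefore alias the object owned by the table; the
 * pointer is only valid until plugin_EX_free_cb runs for that row.
 */
void plugin_EX_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
    struct plugin_ud *ud = (struct plugin_ud *)(*from);
    *to = ud;
}

TEST_F(PluginTable, EX_DATA)
{
    const char *table_name = "TEST_PLUGIN_EXDATA_TABLE";
    struct maat *maat_inst = PluginTable::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int plugin_ex_data_counter = 0;
    int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name,
                                                   plugin_EX_new_cb,
                                                   plugin_EX_free_cb,
                                                   plugin_EX_dup_cb,
                                                   0, &plugin_ex_data_counter);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(plugin_ex_data_counter, 4);

    const char *key1 = "HeBei";
    struct plugin_ud *ud = NULL;
    ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, key1, strlen(key1));
    ASSERT_TRUE(ud != NULL);
    EXPECT_STREQ(ud->value, "Shijiazhuang");
    EXPECT_EQ(ud->id, 1);

    const char *key2 = "ShanDong";
    ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, key2, strlen(key2));
    ASSERT_TRUE(ud != NULL);
    EXPECT_STREQ(ud->value, "Jinan");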
EXPECT_EQ(ud->id, 3); } TEST_F(PluginTable, LONG_KEY_TYPE) { const char *table_name = "TEST_PLUGIN_LONG_KEY_TYPE_TABLE"; struct maat *maat_inst = PluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int plugin_ex_data_counter = 0; int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, plugin_EX_new_cb, plugin_EX_free_cb, plugin_EX_dup_cb, 0, &plugin_ex_data_counter); EXPECT_EQ(ret, 0); EXPECT_EQ(plugin_ex_data_counter, 4); long long key1 = 11111111; struct plugin_ud *ud = NULL; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key1, sizeof(long long)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "Shijiazhuang"); EXPECT_EQ(ud->id, 1); long long key2 = 33333333; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key2, sizeof(long long)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "Jinan"); EXPECT_EQ(ud->id, 3); int key3 = 22222222; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key3, sizeof(key3)); ASSERT_TRUE(ud == NULL); } TEST_F(PluginTable, INT_KEY_TYPE) { const char *table_name = "TEST_PLUGIN_INT_KEY_TYPE_TABLE"; struct maat *maat_inst = PluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int plugin_ex_data_counter = 0; int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, plugin_EX_new_cb, plugin_EX_free_cb, plugin_EX_dup_cb, 0, &plugin_ex_data_counter); EXPECT_EQ(ret, 0); EXPECT_EQ(plugin_ex_data_counter, 4); int key1 = 101; struct plugin_ud *ud = NULL; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key1, sizeof(key1)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "China"); EXPECT_EQ(ud->id, 1); int key2 = 102; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key2, sizeof(key2)); ASSERT_TRUE(ud != NULL); 
EXPECT_STREQ(ud->value, "America"); EXPECT_EQ(ud->id, 2); long long key3 = 103; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&key3, sizeof(key3)); ASSERT_TRUE(ud == NULL); } TEST_F(PluginTable, IP_KEY_TYPE) { const char *table_name = "TEST_PLUGIN_IP_KEY_TYPE_TABLE"; struct maat *maat_inst = PluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int plugin_ex_data_counter = 0; int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, plugin_EX_new_cb, plugin_EX_free_cb, plugin_EX_dup_cb, 0, &plugin_ex_data_counter); EXPECT_EQ(ret, 0); EXPECT_EQ(plugin_ex_data_counter, 4); uint32_t ipv4_addr1; ret = inet_pton(AF_INET, "100.64.1.1", &ipv4_addr1); EXPECT_EQ(ret, 1); struct plugin_ud *ud = NULL; ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&ipv4_addr1, sizeof(ipv4_addr1)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "XiZang"); EXPECT_EQ(ud->id, 4); uint32_t ipv4_addr2; ret = inet_pton(AF_INET, "100.64.1.2", &ipv4_addr2); EXPECT_EQ(ret, 1); ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)&ipv4_addr2, sizeof(ipv4_addr2)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "XinJiang"); EXPECT_EQ(ud->id, 4); uint8_t ipv6_addr1[16]; ret = inet_pton(AF_INET6, "2001:da8:205:1::101", ipv6_addr1); EXPECT_EQ(ret, 1); ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)ipv6_addr1, sizeof(ipv6_addr1)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "GuiZhou"); EXPECT_EQ(ud->id, 6); uint8_t ipv6_addr2[16]; ret = inet_pton(AF_INET6, "1001:da8:205:1::101", ipv6_addr2); EXPECT_EQ(ret, 1); ud = (struct plugin_ud *)maat_plugin_table_get_ex_data(maat_inst, table_id, (char *)ipv6_addr2, sizeof(ipv6_addr2)); ASSERT_TRUE(ud != NULL); EXPECT_STREQ(ud->value, "SiChuan"); EXPECT_EQ(ud->id, 6); } class IPPluginTable : public testing::Test { protected: static void SetUpTestCase() 
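{
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            // NOTE(review): failure is only logged; the tests then run with a
            // NULL instance.
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in IPPluginTable failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase()
    {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *IPPluginTable::_shared_maat_inst;
struct log_handle *IPPluginTable::logger;

/* Ex-data attached to each ip-plugin row: the rule id plus a copy of one column. */
struct ip_plugin_ud {
    long long rule_id;
    char *buffer;
    size_t buf_len;   /* allocated size of buffer, terminator included */
};

/*
 * Ex-data constructor for TEST_IP_PLUGIN_WITH_EXDATA: takes rule_id from
 * column 1 and copies column 4 into a heap buffer, stores the object in *ad
 * and bumps the int counter passed through argp.
 *
 * NOTE(review): EXPECT_EQ is non-fatal, so when get_column_pos() fails the
 * code carries on with whatever offset/length it left behind.
 */
void ip_plugin_ex_new_cb(const char *table_name, int table_id, const char *key,
                         const char *table_line, void **ad, long argl, void *argp)
{
    int *counter = (int *)argp;
    size_t column_offset=0, column_len=0;
    struct ip_plugin_ud *ud = ALLOC(struct ip_plugin_ud, 1);

    int ret = get_column_pos(table_line, 1, &column_offset, &column_len);
    EXPECT_EQ(ret, 0);
    ud->rule_id = atoll(table_line + column_offset);

    ret = get_column_pos(table_line, 4, &column_offset, &column_len);
    EXPECT_EQ(ret, 0);

    ud->buffer = ALLOC(char, column_len + 1);
    strncpy(ud->buffer, table_line + column_offset, column_len);
    // strncpy() adds no terminator when the source has column_len or more
    // characters; terminate explicitly instead of relying on ALLOC zeroing
    // the buffer.
    ud->buffer[column_len] = '\0';
    ud->buf_len = column_len + 1;

    *ad = ud;
    (*counter)++;
}

/* Ex-data destructor: wipes and frees the column copy and the object, then clears *ad. */
void ip_plugin_ex_free_cb(int table_id, void **ad, long argl, void *argp)
{
    struct ip_plugin_ud *ud = (struct ip_plugin_ud *)(*ad);

    ud->rule_id = 0;
    memset(ud->buffer, 0, ud->buf_len);
    ud->buf_len = 0;
    free(ud->buffer);
    free(ud);
    *ad = NULL;
}

/*
 * Ex-data dup: hands out the same pointer, no copy is made.
 * NOTE(review): the result aliases the table-owned object and is valid only
 * until ip_plugin_ex_free_cb runs for that row.
 */
void ip_plugin_ex_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
    struct ip_plugin_ud *ud = (struct ip_plugin_ud *)(*from);
    *to = ud;
}

/*
 * Registers the ex-data schema on TEST_IP_PLUGIN_WITH_EXDATA and looks up
 * one IPv4 and two IPv6 addresses, checking how many rows match and which
 * rule ids come back.
 */
TEST_F(IPPluginTable, EX_DATA)
{
    int ip_plugin_ex_data_counter = 0;
    const char *table_name = "TEST_IP_PLUGIN_WITH_EXDATA";
    struct maat *maat_inst = IPPluginTable::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name,
                                                   ip_plugin_ex_new_cb,
                                                   ip_plugin_ex_free_cb,
                                                   ip_plugin_ex_dup_cb,
                                                   0, &ip_plugin_ex_data_counter);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(ip_plugin_ex_data_counter, 5);

    struct ip_addr ipv4;
    ipv4.ip_type = IPv4;
    ret = inet_pton(AF_INET, "192.168.30.100", &ipv4.ipv4);
    EXPECT_EQ(ret, 1);

    // Zero the slots up front and stop the test on a count mismatch: the
    // original dereferenced results[0]/results[1] even when fewer entries
    // (or an error) came back, reading uninitialised pointers.
    struct ip_plugin_ud *results[ARRAY_SIZE] = {NULL};
    ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv4,
                                           (void **)results, ARRAY_SIZE);
    ASSERT_EQ(ret, 2);
    EXPECT_EQ(results[0]->rule_id, 101);
    EXPECT_EQ(results[1]->rule_id, 102);

    struct ip_addr ipv6;
    ipv6.ip_type = IPv6;
    ret = inet_pton(AF_INET6, "2001:db8:1234::5210", &(ipv6.ipv6));
    EXPECT_EQ(ret, 1);

    memset(results, 0, sizeof(results));
    ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv6,
                                           (void**)results, ARRAY_SIZE);
    ASSERT_EQ(ret, 2);
    EXPECT_EQ(results[0]->rule_id, 104);
    EXPECT_EQ(results[1]->rule_id, 103);

    //Reproduce BugReport-Liumengyan-20210515
    ret = inet_pton(AF_INET6, "240e:97c:4010:104::17", &(ipv6.ipv6));
    EXPECT_EQ(ret, 1);

    ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv6,
                                           (void**)results, ARRAY_SIZE);
    EXPECT_EQ(ret, 0);
}

class IPPortPluginTable : public testing::Test
{
protected:
    static void SetUpTestCase()
    {
        const char *accept_tags =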
"{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in IPPortPluginTable failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *IPPortPluginTable::_shared_maat_inst; struct log_handle *IPPortPluginTable::logger; struct ipport_plugin_ud { long long rule_id; char *buffer; size_t buf_len; }; void ipport_plugin_ex_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) { int *counter = (int *)argp; size_t column_offset=0, column_len=0; struct ipport_plugin_ud *ud = ALLOC(struct ipport_plugin_ud, 1); int ret = get_column_pos(table_line, 1, &column_offset, &column_len); EXPECT_EQ(ret, 0); ud->rule_id = atoll(table_line + column_offset); ret = get_column_pos(table_line, 5, &column_offset, &column_len); EXPECT_EQ(ret, 0); ud->buffer = ALLOC(char, column_len + 1); strncpy(ud->buffer, table_line + column_offset, 
column_len); ud->buf_len = column_len + 1; *ad = ud; (*counter)++; } void ipport_plugin_ex_free_cb(int table_id, void **ad, long argl, void *argp) { struct ipport_plugin_ud *ud = (struct ipport_plugin_ud *)(*ad); ud->rule_id = 0; memset(ud->buffer, 0, ud->buf_len); ud->buf_len = 0; free(ud->buffer); free(ud); *ad = NULL; } void ipport_plugin_ex_dup_cb(int table_id, void **to, void **from, long argl, void *argp) { struct ipport_plugin_ud *ud = (struct ipport_plugin_ud *)(*from); *to = ud; } TEST_F(IPPortPluginTable, EX_DATA) { int ex_data_counter = 0; const char *table_name = "TEST_IPPORT_PLUGIN_WITH_EXDATA"; struct maat *maat_inst = IPPortPluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, ipport_plugin_ex_new_cb, ipport_plugin_ex_free_cb, ipport_plugin_ex_dup_cb, 0, &ex_data_counter); EXPECT_EQ(ret, 0); EXPECT_EQ(ex_data_counter, 4); struct ip_addr ipv4; ipv4.ip_type = IPV4; ret = inet_pton(AF_INET, "192.168.100.1", &ipv4.ipv4); EXPECT_EQ(ret, 1); uint16_t port = htons(255); struct ipport_plugin_ud *results[ARRAY_SIZE]; ret = maat_ipport_plugin_table_get_ex_data(maat_inst, table_id, &ipv4, port, (void **)results, ARRAY_SIZE); EXPECT_EQ(ret, 1); EXPECT_EQ(results[0]->rule_id, 103); struct ip_addr ipv6; ipv6.ip_type = IPv6; inet_pton(AF_INET6, "2001:db8:1234::5210", ipv6.ipv6); memset(results, 0, sizeof(results)); ret = maat_ipport_plugin_table_get_ex_data(maat_inst, table_id, &ipv6, port, (void**)results, ARRAY_SIZE); EXPECT_EQ(ret, 1); EXPECT_EQ(results[0]->rule_id, 104); inet_pton(AF_INET6, "240e:97c:4010:104::17", ipv6.ipv6); ret = maat_ipport_plugin_table_get_ex_data(maat_inst, table_id, &ipv6, port, (void**)results, ARRAY_SIZE); EXPECT_EQ(ret, 0); } class FQDNPluginTable : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," 
"{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in FQDNPluginTable failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *FQDNPluginTable::_shared_maat_inst; struct log_handle *FQDNPluginTable::logger; #define FQDN_PLUGIN_EX_DATA struct fqdn_plugin_ud { int rule_id; int catid; }; void fqdn_plugin_ex_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) { int *counter = (int *)argp; size_t column_offset = 0, column_len = 0; struct fqdn_plugin_ud *ud = ALLOC(struct fqdn_plugin_ud, 1); int ret = get_column_pos(table_line, 1, &column_offset, &column_len); EXPECT_EQ(ret, 0); ud->rule_id = atoi(table_line + column_offset); ret = get_column_pos(table_line, 3, &column_offset, &column_len); EXPECT_EQ(ret, 0); sscanf(table_line + column_offset, "catid=%d", &ud->catid); *ad = ud; (*counter)++; } void fqdn_plugin_ex_free_cb(int table_id, void **ad, long argl, void *argp) { struct 
fqdn_plugin_ud *u = (struct fqdn_plugin_ud *)(*ad); u->rule_id = 0; u->catid = 0; free(u); *ad = NULL; } void fqdn_plugin_ex_dup_cb(int table_id, void **to, void **from, long argl, void *argp) { struct fqdn_plugin_ud *u = (struct fqdn_plugin_ud *)(*from); *to = u; } TEST_F(FQDNPluginTable, EX_DATA) { const char *table_name = "TEST_FQDN_PLUGIN_WITH_EXDATA"; struct maat *maat_inst = FQDNPluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int fqdn_plugin_ex_data_counter = 0; int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, fqdn_plugin_ex_new_cb, fqdn_plugin_ex_free_cb, fqdn_plugin_ex_dup_cb, 0, &fqdn_plugin_ex_data_counter); ASSERT_TRUE(ret>=0); EXPECT_EQ(fqdn_plugin_ex_data_counter, 5); struct fqdn_plugin_ud *result[4]; ret = maat_fqdn_plugin_table_get_ex_data(maat_inst, table_id, "www.example1.com", (void**)result, 4); ASSERT_EQ(ret, 2); EXPECT_EQ(result[0]->rule_id, 201); EXPECT_EQ(result[1]->rule_id, 202); ret = maat_fqdn_plugin_table_get_ex_data(maat_inst, table_id, "www.example3.com", (void**)result, 4); EXPECT_EQ(ret, 0); ret = maat_fqdn_plugin_table_get_ex_data(maat_inst, table_id, "r3---sn-i3belne6.example2.com", (void**)result, 4); ASSERT_EQ(ret, 2); EXPECT_TRUE(result[0]->rule_id == 205 || result[0]->rule_id == 204); } struct bool_plugin_ud { int id; char *name; size_t name_len; }; void bool_plugin_ex_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) { int *counter=(int *)argp; size_t column_offset=0, column_len=0; struct bool_plugin_ud *ud = ALLOC(struct bool_plugin_ud, 1); int ret = get_column_pos(table_line, 1, &column_offset, &column_len); EXPECT_EQ(ret, 0); ud->id = atoi(table_line + column_offset); ret = get_column_pos(table_line, 3, &column_offset, &column_len); EXPECT_EQ(ret, 0); ud->name = ALLOC(char, column_len + 1); memcpy(ud->name, table_line+column_offset, column_len); ud->name_len = column_len 
+ 1; *ad = ud; (*counter)++; } void bool_plugin_ex_free_cb(int table_id, void **ad, long argl, void *argp) { struct bool_plugin_ud *u = (struct bool_plugin_ud *)(*ad); u->id = 0; memset(u->name, 0, u->name_len); u->name_len = 0; free(u->name); free(u); *ad = NULL; } void bool_plugin_ex_dup_cb(int table_id, void **to, void **from, long argl, void *argp) { struct bool_plugin_ud *u = (struct bool_plugin_ud *)(*from); *to = u; } class BoolPluginTable : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in BoolPluginTable failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *BoolPluginTable::_shared_maat_inst; struct log_handle *BoolPluginTable::logger; TEST_F(BoolPluginTable, EX_DATA) { int ex_data_counter = 0; const char *table_name = "TEST_BOOL_PLUGIN_WITH_EXDATA"; struct maat 
*maat_inst = BoolPluginTable::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, bool_plugin_ex_new_cb, bool_plugin_ex_free_cb, bool_plugin_ex_dup_cb, 0, &ex_data_counter); ASSERT_TRUE(ret >= 0); EXPECT_EQ(ex_data_counter, 6); struct bool_plugin_ud *result[6]; unsigned long long items_1[] = {999}; ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items_1, 1, (void**)result, 6); EXPECT_EQ(ret, 0); unsigned long long items_2[] = {1, 2, 1000}; ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items_2, 3, (void**)result, 6); EXPECT_EQ(ret, 1); EXPECT_EQ(result[0]->id, 301); unsigned long long items_3[]={101, 102, 1000}; ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items_3, 3, (void**)result, 6); EXPECT_EQ(ret, 4); unsigned long long items_4[]={7, 0, 1, 2, 3, 4, 5, 6, 7, 7, 7}; ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items_4, sizeof(items_4)/sizeof(unsigned long long), (void**)result, 6); EXPECT_EQ(ret, 1); EXPECT_EQ(result[0]->id, 305); } class VirtualTable : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", 
LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in VirtualTable failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *VirtualTable::_shared_maat_inst; struct log_handle *VirtualTable::logger; TEST_F(VirtualTable, basic) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "HTTP_RESPONSE_KEYWORDS"; struct maat *maat_inst = VirtualTable::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); char scan_data[128] = "string1, string2, string3, string4, string5," " string6, string7, string8"; int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); EXPECT_EQ(n_hit_result, 0); maat_state_free(state); state = NULL; } class TableSchemaTag : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger); if (ret < 0) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__); } struct maat_options *opts = maat_options_new(); maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); 
maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); maat_options_set_hit_path_enabled(opts); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in TableSchemaTag failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *TableSchemaTag::_shared_maat_inst; struct log_handle *TableSchemaTag::logger; TEST_F(TableSchemaTag, CompileTable) { const char *compile1_table_name = "COMPILE_DEFAULT"; const char *compile2_table_name = "COMPILE_ALIAS"; const char *compile3_table_name = "COMPILE_CONJUNCTION"; const char *g2c_table_name = "GROUP2COMPILE"; struct maat *maat_inst = TableSchemaTag::_shared_maat_inst; //COMPILE_DEFAULT int compile1_table_id = maat_get_table_id(maat_inst, compile1_table_name); EXPECT_EQ(compile1_table_id, 0); const char *tag1 = maat_get_table_schema_tag(maat_inst, compile1_table_id); EXPECT_TRUE(tag1 == NULL); //COMPILE_ALIAS int compile2_table_id = maat_get_table_id(maat_inst, compile2_table_name); EXPECT_EQ(compile2_table_id, 1); const char *tag2 = maat_get_table_schema_tag(maat_inst, compile2_table_id); EXPECT_TRUE(tag2 != NULL); int ret = strcmp(tag2, "{\"compile_alias\": \"compile\"}"); EXPECT_EQ(ret, 0); //COMPILE_CONJUNCTION int compile3_table_id = maat_get_table_id(maat_inst, compile3_table_name); EXPECT_EQ(compile3_table_id, 2); const char *tag3 = maat_get_table_schema_tag(maat_inst, compile3_table_id); EXPECT_TRUE(tag3 != NULL); ret = strcmp(tag3, "{\"compile_conjunction\": \"compile\"}"); EXPECT_EQ(ret, 0); //GROUP2COMPILE int g2c_table_id = maat_get_table_id(maat_inst, g2c_table_name); EXPECT_EQ(g2c_table_id, 3); const char *tag4 = 
maat_get_table_schema_tag(maat_inst, g2c_table_id); EXPECT_TRUE(tag4 != NULL); ret = strcmp(tag4, "{\"group2compile\": \"group2compile\"}"); EXPECT_EQ(ret, 0); //COMPILE_PLUGIN const char *plugin_table_name = "COMPILE_PLUGIN"; int plugin_table_id = maat_get_table_id(maat_inst, plugin_table_name); EXPECT_EQ(plugin_table_id, 8); const char *tag5 = maat_get_table_schema_tag(maat_inst, plugin_table_id); EXPECT_TRUE(tag5 != NULL); ret = strcmp(tag5, "{\"compile_plugin\": \"plugin\"}"); EXPECT_EQ(ret, 0); //HTTP_REGION const char *region_table_name = "HTTP_REGION"; const char *url_table_name = "HTTP_URL"; const char *host_table_name = "HTTP_HOST"; int region_table_id = maat_get_table_id(maat_inst, region_table_name); EXPECT_EQ(region_table_id, 10); int url_table_id = maat_get_table_id(maat_inst, url_table_name); EXPECT_EQ(url_table_id, 10); int host_table_id = maat_get_table_id(maat_inst, host_table_name); EXPECT_EQ(host_table_id, 10); const char *tag6 = maat_get_table_schema_tag(maat_inst, region_table_id); EXPECT_TRUE(tag6 != NULL); ret = strcmp(tag6, "{\"http_region\": \"expr\"}"); EXPECT_EQ(ret, 0); //HTTP_RESPONSE_KEYWORDS const char *vtable_name = "HTTP_RESPONSE_KEYWORDS"; int vtable_id = maat_get_table_id(maat_inst, vtable_name); EXPECT_EQ(vtable_id, 25); const char *tag7 = maat_get_table_schema_tag(maat_inst, vtable_id); EXPECT_TRUE(tag7 != NULL); ret = strcmp(tag7, "{\"http_response_keywords\": \"virtual\"}"); EXPECT_EQ(ret, 0); //VIRTUAL_IP_PLUS_TABLE const char *vtable1_name = "VIRTUAL_IP_PLUS_TABLE"; int vtable1_id = maat_get_table_id(maat_inst, vtable1_name); EXPECT_EQ(vtable1_id, 28); const char *vtable2_name = "VIRTUAL_IP_PLUS_SOURCE"; int vtable2_id = maat_get_table_id(maat_inst, vtable2_name); EXPECT_EQ(vtable2_id, 28); const char *vtable3_name = "VIRTUAL_IP_PLUS_DESTINATION"; int vtable3_id = maat_get_table_id(maat_inst, vtable3_name); EXPECT_EQ(vtable3_id, 28); const char *tag8 = maat_get_table_schema_tag(maat_inst, vtable1_id); EXPECT_TRUE(tag8 != 
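NULL);
    ret = strcmp(tag8, "{\"virtual_ip_plus_table\": \"virtual\"}");
    EXPECT_EQ(ret, 0);
}

/*
 * Fixture sharing one maat instance across the CompileTable tests. The rule
 * set is first written from g_json_filename into a local redis and the
 * instance is then created against that redis with hit paths enabled.
 */
class CompileTable : public testing::Test {
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);
        maat_options_set_hit_path_enabled(opts);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in CompileTable failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *CompileTable::_shared_maat_inst;
struct log_handle *CompileTable::logger;

/* Per-rule extra data parsed out of a plugin table line. */
struct rule_ex_param {
    char name[NAME_MAX];
    int id;
};

/*
 * ex_data "new" callback: parses one table line into a freshly allocated
 * rule_ex_param, stores it in *ad and bumps the int counter passed via argp.
 *
 * The line is read as five integers, a whitespace-delimited tags token, then
 * everything up to the first ':' is skipped and a "name,id" pair follows.
 *
 * The string conversions carry explicit field widths: an unbounded %s or %[
 * writes as many bytes as the line supplies, so an over-long field in a table
 * line would overrun tags[] or param->name. The name is parsed into a local
 * buffer of known size and then copied with snprintf(), which keeps the copy
 * in bounds whatever NAME_MAX is on the platform.
 *
 * A line that does not match the full format leaves the unparsed fields at
 * their zero defaults; the counter is still incremented, as before.
 */
void compile_ex_param_new(const char *table_name, int table_id, const char *key,
                          const char *table_line, void **ad, long argl, void *argp)
{
    int *counter = (int *)argp;
    *ad = NULL;

    struct rule_ex_param *param = ALLOC(struct rule_ex_param, 1);
    if (param == NULL) {
        return;
    }
    // Do not rely on the allocator for a defined starting state.
    memset(param, 0, sizeof(struct rule_ex_param));

    int compile_id = 0;
    int service_id = 0;
    int action = 0;
    int do_blacklist = 0;
    int do_log = 0;
    char tags[1024] = {0};
    char name[256] = {0};

    sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%1023s\t%*[^:]:%255[^,],%d",
           &compile_id, &service_id, &action, &do_blacklist, &do_log,
           tags, name, &(param->id));
    snprintf(param->name, sizeof(param->name), "%s", name);

    (*counter)++;
    *ad = param;
}

/*
 * ex_data "free" callback: scrubs and releases the rule_ex_param in *ad, then
 * clears the slot so the caller is not left holding a dangling pointer.
 */
void compile_ex_param_free(int table_id, void **ad, long argl, void *argp)
{
    if (*ad == NULL) {
        return;
    }

    struct rule_ex_param *param = (struct rule_ex_param *)*ad;
    memset(param, 0, sizeof(struct rule_ex_param));
    free(param);
    *ad = NULL;
}

/*
 * ex_data "dup" callback: hands out the same pointer rather than a copy.
 * NOTE(review): both slots then alias one allocation; if the library invokes
 * the free callback once per slot this would release it twice. Confirm the
 * ownership contract of maat_plugin_table_ex_schema_register().
 */
void compile_ex_param_dup(int table_id, void **to, void **from, long argl, void *argp)
{
    struct rule_ex_param *from_param = *((struct rule_ex_param **)from);
    *((struct rule_ex_param**)to) = from_param;
}

/* Adds a compile rule and deletes it again; both commands must succeed. */
TEST_F(CompileTable, CompileRuleUpdate) {
    struct maat *maat_inst = CompileTable::_shared_maat_inst;
    const char *compile_table_name = "COMPILE_DEFAULT";

    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL,
                                 compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);
}

/* One scan of HTTP_URL is expected to hit two compile rules and two hit paths. */
TEST_F(CompileTable, Conjunction1) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data = "i.ytimg.com/vi/OtCNcustg_I/hqdefault.jpg?sqp=-oaymwEZCNAC"
                            "ELwBSFXyq4qpAwsIARUAAIhCGAFwAQ==&rs=AOn4CLDOp_5fHMaCA9XZuJdCRv4DNDorMg";
    const char *table_name = "HTTP_URL";
    struct maat *maat_inst = CompileTable::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 197);
    EXPECT_EQ(results[1], 141);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0};
    int n_read =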
maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 2); maat_state_free(state); state = NULL; } TEST_F(CompileTable, Conjunction2) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *scan_data = "i.ytimg.com/vi/OtCNcustg_I/hqdefault.jpg?sqp=-oaymwEZCNACELw" "BSFXyq4qpAwsIARUAAIhCGAFwAQ==&rs=AOn4CLDOp_5fHMaCA9XZuJdCRv4DNDorMg"; const char *table_name = "HTTP_URL"; struct maat *maat_inst = CompileTable::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 2); EXPECT_EQ(results[0], 197); EXPECT_EQ(results[1], 141); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); struct maat_hit_path hit_path[HIT_PATH_SIZE] = {0}; int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 2); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); memset(hit_path, 0, sizeof(hit_path)); n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE); EXPECT_EQ(n_read, 4); maat_state_free(state); state = NULL; } class Policy : public testing::Test { protected: static void SetUpTestCase() { const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"}," "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}"; char redis_ip[64] = "127.0.0.1"; int redis_port = 6379; int redis_db = 0; logger = log_handle_create("./maat_framework_gtest.log", 0); int ret = 
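write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);
        maat_options_set_hit_path_enabled(opts);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in Policy failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *Policy::_shared_maat_inst;
struct log_handle *Policy::logger;

/*
 * Table callback: parses "seq<TAB>status<TAB>entry_id<TAB>is_valid" from the
 * line, expects the status to be "SUCCESS" and counts the invocation in the
 * int that u_para points to.
 *
 * The status conversion is limited to 31 characters so that a long token in
 * the table line cannot write past status[32]; an over-long status simply
 * fails the EXPECT_STREQ below.
 */
void accept_tags_entry_cb(int table_id, const char *table_line, void *u_para)
{
    int *callback_times = (int *)u_para;
    char status[32] = {0};
    int entry_id = -1;
    int seq = -1;
    int is_valid = 0;

    sscanf(table_line, "%d\t%31s\t%d\t%d", &seq, status, &entry_id, &is_valid);
    EXPECT_STREQ(status, "SUCCESS");

    (*callback_times)++;
}

/* Registering the callback is expected to deliver five lines of the table. */
TEST_F(Policy, PluginRuleTags1) {
    const char *table_name = "TEST_EFFECTIVE_RANGE_TABLE";
    struct maat *maat_inst = Policy::_shared_maat_inst;

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int callback_times = 0;
    int ret = maat_table_callback_register(maat_inst, table_id, NULL,
                                           accept_tags_entry_cb, NULL,
                                           &callback_times);
    ASSERT_GE(ret, 0);
    EXPECT_EQ(callback_times, 5);
}

/* Table callback that only counts how often it was invoked. */
void accept_tags_entry2_cb(int table_id, const char *table_line, void *u_para)
{
    int *callback_times = (int *)u_para;
    (*callback_times)++;
}

TEST_F(Policy, PluginRuleTags2) {
    const char *table_name = "IR_INTERCEPT_IP";
    struct maat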
*maat_inst = Policy::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int callback_times = 0; int ret = maat_table_callback_register(maat_inst, table_id, NULL, accept_tags_entry2_cb, NULL, &callback_times); ASSERT_GE(ret, 0); EXPECT_EQ(callback_times, 2); } TEST_F(Policy, CompileRuleTags) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *should_hit = "string bbb should hit"; const char *should_not_hit = "string aaa should not hit"; const char *table_name = "HTTP_URL"; struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, should_not_hit, strlen(should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, table_id, should_hit, strlen(should_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(Policy, CompileEXData) { const char *url = "firewall should hit"; const char *table_name = "HTTP_URL"; const char *plugin_table_name = "COMPILE_FIREWALL_PLUGIN"; const char *conj_compile_table_name = "COMPILE_FIREWALL_CONJUNCTION"; const char *phy_compile_table_name = "COMPILE_FIREWALL_DEFAULT"; const char *expect_name = "I have a name"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); int plugin_table_id = 
maat_get_table_id(maat_inst, plugin_table_name); int conj_compile_table_id = maat_get_table_id(maat_inst, conj_compile_table_name); int phy_compile_table_id = maat_get_table_id(maat_inst, phy_compile_table_name); int ex_data_counter = 0; int ret = maat_plugin_table_ex_schema_register(maat_inst, plugin_table_name, compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, &ex_data_counter); ASSERT_TRUE(ret == 0); EXPECT_EQ(ex_data_counter, 2); ret = maat_state_set_scan_compile_table(state, conj_compile_table_id); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, url, strlen(url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 198); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int compile_table_ids[ARRAY_SIZE]; ret = maat_state_get_compile_table_ids(state, results, 1, compile_table_ids); EXPECT_EQ(ret, 1); EXPECT_EQ(compile_table_ids[0], phy_compile_table_id); void *ex_data = maat_plugin_table_get_ex_data(maat_inst, plugin_table_id, (char *)&results[0], sizeof(long long)); ASSERT_TRUE(ex_data!=NULL); struct rule_ex_param *param = (struct rule_ex_param *)ex_data; EXPECT_EQ(param->id, 7799); str_unescape(param->name); EXPECT_EQ(strcmp(param->name, expect_name), 0); maat_state_free(state); state = NULL; } TEST_F(Policy, SubGroup) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); const char *scan_data = "ceshi6@mailhost.cn"; uint32_t ip_addr; inet_pton(AF_INET,"10.0.6.201", &ip_addr); int table_id = maat_get_table_id(maat_inst, "MAIL_ADDR"); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = 
maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, "IP_CONFIG"); ASSERT_GT(table_id, 0); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(results[0], 153); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); const char *compile_table_name = "COMPILE_DEFAULT"; int phy_compile_table_id = maat_get_table_id(maat_inst, compile_table_name); int compile_table_ids[ARRAY_SIZE]; ret = maat_state_get_compile_table_ids(state, results, 1, compile_table_ids); EXPECT_EQ(ret, 1); EXPECT_EQ(compile_table_ids[0], phy_compile_table_id); maat_state_free(state); } TEST_F(Policy, EvaluationOrder) { const char *url = "cavemancircus.com/2019/12/27/pretty-girls-6/"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, "HTTP_URL"); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, url, strlen(url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 3); EXPECT_EQ(results[0], 166); EXPECT_EQ(results[1], 168); EXPECT_EQ(results[2], 167); struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); size_t n_hit_path = maat_state_get_hit_paths(state, hit_path, 128); EXPECT_EQ(n_hit_path, 6); EXPECT_EQ(hit_path[0].vtable_id, table_id); EXPECT_EQ(hit_path[0].sub_group_id, 158); EXPECT_EQ(hit_path[0].top_group_id, 158); EXPECT_EQ(hit_path[0].clause_index, 2); EXPECT_EQ(hit_path[0].compile_id, 168); EXPECT_EQ(hit_path[1].vtable_id, table_id); EXPECT_EQ(hit_path[1].sub_group_id, 157); EXPECT_EQ(hit_path[1].top_group_id, 157); EXPECT_EQ(hit_path[1].clause_index, 0); 
EXPECT_EQ(hit_path[1].compile_id, 166); EXPECT_EQ(hit_path[2].vtable_id, table_id); EXPECT_EQ(hit_path[2].sub_group_id, 155); EXPECT_EQ(hit_path[2].top_group_id, -1); EXPECT_EQ(hit_path[2].clause_index, -1); EXPECT_EQ(hit_path[2].compile_id, -1); EXPECT_EQ(hit_path[3].vtable_id, table_id); EXPECT_EQ(hit_path[3].sub_group_id, 158); EXPECT_EQ(hit_path[3].top_group_id, 158); EXPECT_EQ(hit_path[3].clause_index, 6); EXPECT_EQ(hit_path[3].compile_id, 168); EXPECT_EQ(hit_path[4].vtable_id, table_id); EXPECT_EQ(hit_path[4].sub_group_id, 158); EXPECT_EQ(hit_path[4].top_group_id, 158); EXPECT_EQ(hit_path[4].clause_index, 1); EXPECT_EQ(hit_path[4].compile_id, 167); EXPECT_EQ(hit_path[5].vtable_id, table_id); EXPECT_EQ(hit_path[5].sub_group_id, 158); EXPECT_EQ(hit_path[5].top_group_id, 158); EXPECT_EQ(hit_path[5].clause_index, 3); EXPECT_EQ(hit_path[5].compile_id, 167); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); uint32_t ip_addr; inet_pton(AF_INET, "192.168.23.23", &ip_addr); table_id = maat_get_table_id(maat_inst, "IP_PLUS_CONFIG"); ASSERT_GT(table_id, 0); memset(results, 0, sizeof(results)); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 165); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } TEST_F(Policy, NotClauseHitPath) { const char *url_table_name = "HTTP_URL"; const char *ip_table_name = "VIRTUAL_IP_CONFIG"; const char *url = "www.youtube.com"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = Policy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int url_table_id = maat_get_table_id(maat_inst, url_table_name); ASSERT_GT(url_table_id, 0); int ret = maat_scan_string(maat_inst, 
url_table_id, url, strlen(url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); uint32_t ip_addr; inet_pton(AF_INET, "192.168.101.101", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 228); struct maat_hit_path hit_path[128]; memset(hit_path, 0, sizeof(hit_path)); size_t n_hit_path = maat_state_get_hit_paths(state, hit_path, 128); EXPECT_EQ(n_hit_path, 4); EXPECT_EQ(hit_path[0].Nth_scan, 1); EXPECT_EQ(hit_path[0].vtable_id, url_table_id); EXPECT_EQ(hit_path[0].NOT_flag, 0); EXPECT_EQ(hit_path[0].clause_index, 1); EXPECT_EQ(hit_path[0].sub_group_id, 249); EXPECT_EQ(hit_path[0].top_group_id, 249); EXPECT_EQ(hit_path[0].compile_id, 228); EXPECT_EQ(hit_path[1].Nth_scan, 2); EXPECT_EQ(hit_path[1].vtable_id, ip_table_id); EXPECT_EQ(hit_path[1].NOT_flag, 1); EXPECT_EQ(hit_path[1].clause_index, -1); EXPECT_EQ(hit_path[1].sub_group_id, 100); EXPECT_EQ(hit_path[1].top_group_id, 144); EXPECT_EQ(hit_path[1].compile_id, -1); EXPECT_EQ(hit_path[2].Nth_scan, 2); EXPECT_EQ(hit_path[2].vtable_id, ip_table_id); EXPECT_EQ(hit_path[2].NOT_flag, 1); EXPECT_EQ(hit_path[2].clause_index, -1); EXPECT_EQ(hit_path[2].sub_group_id, 100); EXPECT_EQ(hit_path[2].top_group_id, -1); EXPECT_EQ(hit_path[2].compile_id, -1); EXPECT_EQ(hit_path[3].Nth_scan, 2); EXPECT_EQ(hit_path[3].vtable_id, ip_table_id); EXPECT_EQ(hit_path[3].NOT_flag, 1); EXPECT_EQ(hit_path[3].clause_index, 2); EXPECT_EQ(hit_path[3].sub_group_id, 250); EXPECT_EQ(hit_path[3].top_group_id, 250); EXPECT_EQ(hit_path[3].compile_id, 228); maat_state_free(state); } TEST_F(Policy, ReadColumn) { const char *ip = "192.168.0.1"; const char *tmp = "something"; 
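char line[256] = {0};
    size_t offset = 0, len = 0;

    snprintf(line, sizeof(line), "1\t%s\t%s", ip, tmp);
    int ret = maat_helper_read_column(line, 2, &offset, &len);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(0, strncmp(ip, line+offset, len));

    ret = maat_helper_read_column(line, 3, &offset, &len);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(0, strncmp(tmp, line+offset, len));
}

/*
 * Fixture sharing one maat instance across the TableInfo tests; the rule set
 * is written from g_json_filename into a local redis before the instance is
 * created.
 */
class TableInfo : public testing::Test {
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in TableInfo failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;
    static struct maat *_shared_maat_inst;
};

struct maat *TableInfo::_shared_maat_inst;
struct log_handle *TableInfo::logger;

/* Scanning through the HTTP_HOST table name is expected to hit two rules. */
TEST_F(TableInfo, Conjunction) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *scan_data = "soq is using table conjunction function."
                            "http://www.3300av.com/novel/27122.txt";
    const char *table_name = "HTTP_URL";
    const char *conj_table_name = "HTTP_HOST";
    struct maat *maat_inst = TableInfo::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int conj_table_id = maat_get_table_id(maat_inst, conj_table_name);
    ASSERT_GT(conj_table_id, 0);

    int ret = maat_scan_string(maat_inst, conj_table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], 134);
    EXPECT_EQ(results[1], 133);

    ret = maat_scan_not_logic(maat_inst, conj_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/* Fixture whose maat instance loads its rules from an iris rule folder. */
class FileTest : public testing::Test {
protected:
    static void SetUpTestCase() {
        const char *rule_folder = "./ntcrule/full/index";
        const char *table_info = "./file_test_tableinfo.conf";

        struct maat_options *opts = maat_options_new();
        maat_options_set_caller_thread_number(opts, g_thread_num);
        maat_options_set_instance_name(opts, "files");
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_iris(opts, rule_folder, rule_folder);
        maat_options_set_rule_update_checking_interval_ms(opts, 500);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);

        _shared_maat_inst = maat_new(opts, table_info);
        maat_options_free(opts);
        EXPECT_TRUE(_shared_maat_inst != NULL);
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
    }

    static struct maat *_shared_maat_inst;
};

struct maat *FileTest::_shared_maat_inst;

/*
 * Feeds every file under ./test_streamfiles through one stream scan and
 * expects at least one of them to produce a hit.
 *
 * Per file, the handle is opened before the read buffer is allocated so that
 * a failed fopen() has nothing to release, and the buffer is only ever filled
 * with the size it was allocated for. The earlier trailing
 * fread(buff, 1, sizeof(buff), fp) used the size of the pointer, not of the
 * buffer, and its result was discarded; it is dropped.
 */
TEST_F(FileTest, StreamFiles) {
    const char test_data_dir[64] = "./test_streamfiles";
    const char *table_name = "NTC_HTTP_REQ_BODY";
    int thread_id = 0;
    struct maat *maat_inst = FileTest::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    struct dirent **name_list;
    int n = my_scandir(test_data_dir, &name_list, NULL,
                       (int (*)(const void*, const void*))alphasort);
    ASSERT_GT(n, 0);

    struct maat_stream *stream = maat_stream_new(maat_inst, table_id, state);
    ASSERT_FALSE(stream == NULL);

    struct stat file_info;
    size_t file_size = 0;
    char file_path[PATH_MAX] = {0};
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int hit_cnt = 0;

    for (int i = 0; i < n; i++) {
        if ((strcmp(name_list[i]->d_name, ".") == 0) ||
            (strcmp(name_list[i]->d_name, "..") == 0)) {
            continue;
        }

        snprintf(file_path, sizeof(file_path), "%s/%s", test_data_dir,
                 name_list[i]->d_name);
        int ret = stat(file_path, &file_info);
        ASSERT_TRUE(ret == 0);
        file_size = file_info.st_size;

        FILE *fp = fopen(file_path, "rb");
        if (fp == NULL) {
            printf("fopen %s error.\n", file_path);
            continue;
        }

        char *buff = ALLOC(char, file_size + 1);
        if (buff == NULL) {
            fclose(fp);
            continue;
        }

        // At most file_size bytes are read, which is what buff was sized for.
        int read_len = (int)fread(buff, 1, file_size, fp);
        ret = maat_stream_scan(stream, buff, read_len, results, ARRAY_SIZE,
                               &n_hit_result, state);
        if (ret > 0) {
            hit_cnt++;
        }

        fclose(fp);
        free(buff);
    }

    maat_state_free(state);
    state = NULL;
    maat_stream_free(stream);

    EXPECT_GT(hit_cnt, 0);

    for (int i = 0; i < n; i++) {
        free(name_list[i]);
    }
    free(name_list);
}

/*
 * Fixture sharing one maat instance across the GroupHierarchy tests; the rule
 * set is written from g_json_filename into a local redis first.
 */
class GroupHierarchy : public testing::Test {
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
                                  "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();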
maat_options_set_redis(opts, redis_ip, redis_port, redis_db); maat_options_set_stat_file(opts, "./stat.log"); maat_options_set_perf_on(opts); maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO); maat_options_set_accept_tags(opts, accept_tags); _shared_maat_inst = maat_new(opts, g_table_info_path); maat_options_free(opts); if (NULL == _shared_maat_inst) { log_fatal(logger, MODULE_FRAMEWORK_GTEST, "[%s:%d] create maat instance in GroupHierarchy failed.", __FUNCTION__, __LINE__); } } static void TearDownTestCase() { maat_free(_shared_maat_inst); log_handle_destroy(logger); } static struct log_handle *logger; static struct maat *_shared_maat_inst; }; struct maat *GroupHierarchy::_shared_maat_inst; struct log_handle *GroupHierarchy::logger; TEST_F(GroupHierarchy, VirtualOfOnePhysical) { const char *http_content = "Batman\\:Take me Home.Superman/:Fine,stay with me."; const char *http_url = "https://blog.csdn.net/littlefang/article/details/8213058"; const char *url_table_name = "HTTP_URL"; const char *keywords_table_name = "HTTP_RESPONSE_KEYWORDS"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = GroupHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, url_table_name); ASSERT_GT(table_id, 0); int ret = maat_scan_string(maat_inst, table_id, http_url, strlen(http_url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, keywords_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_string(maat_inst, table_id, http_content, strlen(http_content), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 160); ret = maat_scan_not_logic(maat_inst, table_id, 
results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); const char *should_not_hit = "2018-10-05 is a keywords of table " "KEYWORDS_TABLE. Should not hit."; ret = maat_scan_string(maat_inst, table_id, should_not_hit, strlen(should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(GroupHierarchy, VirtualWithVirtual) { const char *http_req_hdr_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) " "AppleWebKit/537.36 (KHTML, like Gecko) " "Chrome/78.0.3904.108 Safari/537.36"; const char *http_resp_hdr_cookie = "uid=12345678;BDORZ=B490B5EBF6F3CD402E515D22BCDA1598; sugstore=1;"; const char *req_table_name = "HTTP_REQUEST_HEADER"; const char *res_table_name = "HTTP_RESPONSE_HEADER"; const char *district_str1 = "User-Agent"; const char *district_str2 = "Cookie"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = GroupHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, req_table_name); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_req_hdr_ua, strlen(http_req_hdr_ua), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, res_table_name); ASSERT_GT(table_id, 0); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie), 
results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 162); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(GroupHierarchy, OneGroupInTwoVirtual) { const char *http_resp_hdr_cookie = "sessionid=888888;BDORZ=B490B5EBF6F3CD402E515D22BCDA1598; sugstore=1;"; const char *req_table_name = "HTTP_REQUEST_HEADER"; const char *res_table_name = "HTTP_RESPONSE_HEADER"; const char *district_str1 = "Cookie"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = GroupHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, req_table_name); ASSERT_GT(table_id, 0); int ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, res_table_name); ASSERT_GT(table_id, 0); ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 163); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(GroupHierarchy, MultiGroupsInOneClause) { const char *src_asn1 = "AS1234"; const char *src_asn2 = "AS6789"; const char 
*src_asn3 = "AS9001"; const char *dst_asn = "AS2345"; const char *src_asn_table_name = "SOURCE_IP_ASN"; const char *dst_asn_table_name = "DESTINATION_IP_ASN"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = GroupHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); //-------------------------------------- // Source ASN1 & Dest ASN //-------------------------------------- int src_table_id = maat_get_table_id(maat_inst, src_asn_table_name); ASSERT_GT(src_table_id, 0); int ret = maat_scan_string(maat_inst, src_table_id, src_asn1, strlen(src_asn1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int dst_table_id = maat_get_table_id(maat_inst, dst_asn_table_name); ASSERT_GT(dst_table_id, 0); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 178); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); //-------------------------------------- // Source ASN2 & Dest ASN //-------------------------------------- ret = maat_scan_string(maat_inst, src_table_id, src_asn2, strlen(src_asn2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 178); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); 
EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); //-------------------------------------- // Source ASN3 & Dest ASN //-------------------------------------- ret = maat_scan_string(maat_inst, src_table_id, src_asn3, strlen(src_asn3), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, src_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_string(maat_inst, dst_table_id, dst_asn, strlen(dst_asn), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 178); ret = maat_scan_not_logic(maat_inst, dst_table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(GroupHierarchy, MultiLiteralsInOneClause) { const char *src_asn1 = "AS1234"; const char *src_asn2 = "AS6789"; const char *my_county = "Greece.Sparta"; const char *ip_table_name = "IP_CONFIG"; const char *src_asn_table_name = "SOURCE_IP_ASN"; const char *ip_geo_table_name = "SOURCE_IP_GEO"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = GroupHierarchy::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int src_table_id = maat_get_table_id(maat_inst, src_asn_table_name); ASSERT_GT(src_table_id, 0); int ip_geo_table_id = maat_get_table_id(maat_inst, ip_geo_table_name); ASSERT_GT(ip_geo_table_id, 0); int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); //-------------------------------------- // Source ASN1 & IP //-------------------------------------- int ret = maat_scan_string(maat_inst, src_table_id, src_asn1, strlen(src_asn1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); uint32_t ip_addr; inet_pton(AF_INET, "192.168.40.88", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, 
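ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 180);
    maat_state_reset(state);

    //--------------------------------------
    // IP Geo & IP
    //--------------------------------------
    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 180);
    maat_state_reset(state);

    //--------------------------------------
    // (Source ASN2 | IP Geo) & IP
    //--------------------------------------
    ret = maat_scan_string(maat_inst, src_table_id, src_asn2, strlen(src_asn2),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_string(maat_inst, ip_geo_table_id, my_county, strlen(my_county),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 180);

    maat_state_free(state);
    state = NULL;
}

/**
 * Fixture for the command-driven tests: every TEST_F(MaatCmd, ...) shares one
 * maat instance that is backed by the Redis server at 127.0.0.1:6379, db 0.
 *
 * NOTE(review): SetUpTestCase calls maat_cmd_flushDB() on that database before
 * the tests run. Presumably this empties the whole db so each run starts from a
 * clean rule store - confirm, and only run this suite against a dedicated,
 * disposable Redis instance, never one that holds data worth keeping.
 */
class MaatCmd : public testing::Test
{
protected:
    static void SetUpTestCase() {
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_FATAL);
        maat_options_set_hit_path_enabled(opts);
        maat_options_set_hit_group_enabled(opts);

        /* First instance exists only to flush the database, then it is dropped. */
        _shared_maat_inst = maat_new(opts, g_table_info_path);
        assert(_shared_maat_inst != NULL);

        maat_cmd_flushDB(_shared_maat_inst);
        maat_free(_shared_maat_inst);

        /* Second instance is the one the tests use; it additionally gets a
         * directory for foreign (file) content. */
        maat_options_set_foreign_cont_dir(opts, "./foreign_files/");
        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        /* Same check as for the first instance: without it a failed maat_new()
         * would only surface later as a NULL dereference inside a test. */
        assert(_shared_maat_inst != NULL);

        _ex_data_counter = ALLOC(int, 1);
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        FREE(_ex_data_counter);
    }

    static struct maat *_shared_maat_inst;
    static int *_ex_data_counter;
};

struct maat *MaatCmd::_shared_maat_inst;
int *MaatCmd::_ex_data_counter;

/* Adds compile -> group -> IP item through the command interface, waits for the
 * update to take effect and expects a scan of that IP to hit the new compile. */
TEST_F(MaatCmd, SetIP) {
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    const char *ip_table_name = "IP_CONFIG";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    maat_reload_log_level(maat_inst, LOG_LEVEL_INFO);

    /* compile table add line */
    long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    /* group2compile table add line */
    long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group_id, compile_id, 0, ip_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    /* item table add line */
    const char *ip1 = "172.0.0.1";
    long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item_id,
                            group_id, ip1, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    /* Zero-initialised so a failed conversion never feeds an indeterminate
     * value into the scan below. */
    uint32_t sip = 0;
    ret = inet_pton(AF_INET, ip1, &sip);
    EXPECT_EQ(ret, 1);

    int table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GE(table_id, 0);

    ret = maat_scan_ipv4(maat_inst, table_id, sip, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;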
} TEST_F(MaatCmd, SetExpr) { const char *scan_data = "Hiredis is a minimalistic C client library" " for the Redis database.\r\n"; const char *table_name = "HTTP_URL"; const char *keywords1 = "Hiredis"; const char *keywords2 = "C Client"; const char *compile_table_name = "COMPILE_DEFAULT"; char escape_buff1[256], escape_buff2[256]; char keywords[512]; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); str_escape(escape_buff1, sizeof(escape_buff1), keywords1); str_escape(escape_buff2, sizeof(escape_buff2), keywords2); snprintf(keywords, sizeof(keywords), "%s&%s", escape_buff1, escape_buff2); long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 2); test_add_expr_command(maat_inst, table_name, compile_id - 1, 0, keywords); test_add_expr_command(maat_inst, table_name, compile_id, 0, keywords); sleep(WAIT_FOR_EFFECTIVE_S); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); memset(results, 0, sizeof(results)); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_TRUE(results[0] == compile_id || results[0] == (compile_id - 1)); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile_id-1, "null", 1, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile_id, "null", 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); 
EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); int timeout = 1; compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); test_add_expr_command(maat_inst, table_name, compile_id, timeout, keywords); sleep(timeout + 1); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, SetExpr8) { const char *scan_data8 = "string1, string2, string3, string4, string5, string6, string7, string8"; const char *scan_data7 = "string1, string2, string3, string4, string5, string6, string7"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char *table_name = "KEYWORDS_TABLE"; const char *keywords8 = "string1&string2&string3&string4&string5&string6&string7&string8"; const char *keywords7 = "string1&string2&string3&string4&string5&string6&string7"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); /* compile table add line */ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile_id, "null", 1, 0); EXPECT_EQ(ret, 1); /* group2compile table add line */ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group_id, compile_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); /* EXPR_TYPE_AND MATCH_METHOD_SUB */ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group_id, keywords8, NULL, 1, 0, 0, 0); EXPECT_EQ(ret, 1); 
sleep(WAIT_FOR_EFFECTIVE_S); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); ret = maat_scan_string(maat_inst, table_id, scan_data8, strlen(scan_data8), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_DEL, item_id, group_id, keywords8, NULL, 1, 0, 0, 0); EXPECT_EQ(ret, 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group_id, keywords7, NULL, 1, 0, 0, 0); sleep(WAIT_FOR_EFFECTIVE_S); memset(&results, 0, sizeof(results)); ret = maat_scan_string(maat_inst, table_id, scan_data7, strlen(scan_data7), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, GroupScan) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; const char *table_name = "HTTP_URL"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GE(table_id, 0); /* compile table add line */ long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile_id, "null", 1, 0); EXPECT_EQ(ret, 1); /* group2compile table add line */ long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, 
MAAT_OP_ADD, group_id, compile_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); struct maat_hit_group hit_group; hit_group.group_id = group_id; hit_group.vtable_id = table_id; ret = maat_scan_group(maat_inst, table_id, &hit_group, 1, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile_id); maat_state_free(state); state = NULL; } /** * Filter such as URL: http://filtermenot.com => {vtable_id, group_id} One compile reference this filter twice, the compile should be hit. */ TEST_F(MaatCmd, SameFilterRefByOneCompile) { const char *vtable_name = "HTTP_URL_FILTER"; const char *scan_data = "http://filtermenot.com"; const char *keywords = "menot.com"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, vtable_name); ASSERT_GT(table_id, 0); long long compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile_id, "null", 2, 0); // compile has two clause EXPECT_EQ(ret, 1); //clause1 & clause2 has same filter => {vtable_id, group_id} long long group_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group_id, compile_id, 0, vtable_name, 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group_id, compile_id, 0, vtable_name, 2, 0); EXPECT_EQ(ret, 1); long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, "HTTP_URL", MAAT_OP_ADD, item_id, group_id, keywords, "null", 1, 0, 0, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); 
ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, RuleIDRecycle) { const char *table_name = "HTTP_URL"; const char *scan_data = "Reuse rule ID is allowed."; const char *keywords = "Reuse&rule"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); long long rule_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); test_add_expr_command(maat_inst, table_name, rule_id, 0, keywords); sleep(WAIT_FOR_EFFECTIVE_S); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], rule_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); del_command(maat_inst, rule_id); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); test_add_expr_command(maat_inst, table_name, rule_id, 0, keywords); sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); 
EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], rule_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, ReturnRuleIDWithDescendingOrder) { const char *table_name = "HTTP_URL"; const char *scan_data = "This string will hit mulptiple rules."; const char *keywords = "string\\bwill\\bhit"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int i = 0; int repeat_times = 4; long long expect_rule_id[ARRAY_SIZE] = {0}; long long rule_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", repeat_times); for (i = 0; i < repeat_times; i++) { //add in ascending order expect_rule_id[i] = rule_id + 1 - repeat_times + i; test_add_expr_command(maat_inst, table_name, expect_rule_id[i], 0, keywords); } sleep(WAIT_FOR_EFFECTIVE_S); memset(results, 0, sizeof(results)); int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, repeat_times); for (i = 0; i < repeat_times; i++) { EXPECT_EQ(results[i], expect_rule_id[repeat_times -i - 1]); } ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); } TEST_F(MaatCmd, SubGroup) { const char *table_name = "HTTP_URL"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char *g2g_table_name = "GROUP2GROUP"; const char *scan_data1 = "www.v2ex.com/t/573028#程序员的核心竞争力是什么"; const char *keyword1 = "程序员&核心竞争力"; const char *scan_data2 = "https://ask.leju.com/bj/detail/12189672562229248/?bi=tg&type=sina-pc" 
"&pos=index-dbtlwzl&wt_campaign=M_5CE750003F393&wt_source=PDPS_514ACACFD9E770"; const char *keyword2 = "ask.leju.com/b&/detail/12189672562229248/?&?bi=tg\\&type=sina-pc\\&&\\&pos=" "index-dbtlwzl\\&&\\&type=sina-pc\\&pos=index-dbtlwzl\\&"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); /* compile table add line */ //compile1 long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); //compile2 long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile2_id, "null", 1, 0); EXPECT_EQ(ret, 1); /* group2compile table add line */ //group1 -> compile1 long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); //group1 -> compile2 ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile2_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); //group2 -> group1 -> compile1 long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD, group1_id, group2_id, 0); EXPECT_EQ(ret, 1); /* item1 -> group2 -> group1 -> compile1 \ \ _ compile2 */ long long item_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item_id, group2_id, keyword1, NULL, 1, 0, 0, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */ sleep(WAIT_FOR_EFFECTIVE_S * 2); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, 
ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 2); EXPECT_EQ(results[0], compile2_id); EXPECT_EQ(results[1], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); /* item1 -> group2 -> group1 -> compile1 \ \_ X -> compile2 */ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group1_id, compile2_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); /* item1 -> group2 -> group1 -> X \ \_ -> compile2 */ ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile2_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile2_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); /* item1 -> group2 -> group1 -> X \ \_ -> compile2 item2 -> group3 */ long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD, group1_id, group3_id, 0); 
EXPECT_EQ(ret, 1); long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item2_id, group3_id, keyword2, NULL, 1, 0, 0, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */ sleep(2); ret = maat_scan_string(maat_inst, table_id, scan_data2, strlen(scan_data2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); /* item1 -> group2 -> group1 -> X \ \_ -> compile2 item2 -> group3 */ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile2_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, RefGroup) { const char *table_name = "HTTP_URL"; const char* compile_table_name = "COMPILE_DEFAULT"; const char* g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char* scan_data1 = "m.facebook.com/help/2297503110373101?helpref=hc_nav&refid=69"; const char* keyword1 = "something-should-not-hit"; const char* keyword2 = "facebook.com/help/2297503110373101"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct 
maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); //TODO: value=0 MAAT_OPT_ENABLE_UPDATE long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); //group1 -> compile1 long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); //item1 -> group1 -> compile1 long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item1_id, group1_id, keyword1, NULL, 1, 0, 0, 0); /* EXPR_TYPE_AND MATCH_METHOD_SUB */ EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); /* item1 -> group1 -> X -> compile1 / / item2 -> group2 */ long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item2_id, group2_id, keyword2, NULL, 1, 0, 0, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */ EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group1_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile1_id, 0, table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); long long results[ARRAY_SIZE] = {0}; size_t 
n_hit_result = 0; ret = maat_scan_string(maat_inst, table_id, scan_data1, strlen(scan_data1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; } TEST_F(MaatCmd, VirtualTable) { const char* compile_table_name = "COMPILE_DEFAULT"; const char* g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char* table_name="HTTP_SIGNATURE"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); //group1 -> compile1 long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, "HTTP_REQUEST_HEADER", 1, 0); EXPECT_EQ(ret, 1); //item1 -> group1 -> compile1 long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item1_id, group1_id, "AppleWebKit", "User-Agent", 0, 0, 0, 0);/*EXPR_TYPE_STRING MATCH_METHOD_SUB */ EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / group2_/ */ long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile1_id, 0, "HTTP_RESPONSE_HEADER", 2, 0); EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / item2 -> group2/ */ long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, table_name, MAAT_OP_ADD, item2_id, group2_id, "uid=12345678;", "Cookie", 0, 0, 0, 0);/*EXPR_TYPE_STRING MATCH_METHOD_SUB */ EXPECT_EQ(ret, 1); 
sleep(WAIT_FOR_EFFECTIVE_S); const char* http_req_hdr_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"; const char* http_resp_hdr_cookie = "uid=12345678;BDORZ=B490B5EBF6F3CD402E515D22BCDA1598; sugstore=1;"; const char *district_str1 = "User-Agent"; const char *district_str2 = "Cookie"; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int table_id = maat_get_table_id(maat_inst, "HTTP_REQUEST_HEADER"); ASSERT_GT(table_id, 0); ret = maat_state_set_scan_district(state, table_id, district_str1, strlen(district_str1)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_req_hdr_ua, strlen(http_req_hdr_ua), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER"); ASSERT_GT(table_id, 0); ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_reset(state); //delete group1 ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group1_id, compile1_id, 0, "HTTP_REQUEST_HEADER", 1, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER"); 
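// Remaining statements of TEST_F(MaatCmd, VirtualTable), which starts on an earlier line.
    ASSERT_GT(table_id, 0);

    ret = maat_state_set_scan_district(state, table_id, district_str2, strlen(district_str2));
    EXPECT_EQ(ret, 0);

    ret = maat_scan_string(maat_inst, table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/* Writes four plugin-table lines with maat_cmd_set_line(), then writes the same
 * rule ids again with the last column set to 0. */
TEST_F(MaatCmd, SetLines) {
    int i = 0;
    const int TEST_CMD_LINE_NUM = 4;
    const char *table_name = "QD_ENTRY_INFO";
    struct maat_cmd_line line_rule;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    long long expect_rule_id[TEST_CMD_LINE_NUM] = {0};

    const char *table_line_add[TEST_CMD_LINE_NUM] = {
        "1\t192.168.0.1\t100\t1",
        "1\t192.168.0.1\t101\t1",
        "1\t192.168.0.1\t102\t1",
        "1\t192.168.0.1\t103\t1",
    };
    const char *table_line_del[TEST_CMD_LINE_NUM] = {
        "1\t192.168.0.1\t100\t0",
        "1\t192.168.0.1\t101\t0",
        "1\t192.168.0.1\t102\t0",
        "1\t192.168.0.1\t103\t0",
    };

    int ret = 0;
    for (i = 0; i < TEST_CMD_LINE_NUM; i++) {
        /* Clear the struct first, as the second loop does, so that no field
         * beyond the four set here is passed on uninitialised. */
        memset(&line_rule, 0, sizeof(line_rule));
        expect_rule_id[i] = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1);
        line_rule.rule_id = expect_rule_id[i];
        line_rule.table_name = table_name;
        line_rule.table_line = table_line_add[i];
        line_rule.expire_after = 0;
        ret = maat_cmd_set_line(maat_inst, &line_rule);
        EXPECT_GT(ret, 0);
    }

    for (i = 0; i < TEST_CMD_LINE_NUM; i++) {
        memset(&line_rule, 0, sizeof(line_rule));
        line_rule.rule_id = expect_rule_id[i];
        line_rule.table_name = table_name;
        line_rule.table_line = table_line_del[i];
        line_rule.expire_after = 0;
        ret = maat_cmd_set_line(maat_inst, &line_rule);
        EXPECT_GT(ret, 0);
    }
}

int g_test_update_paused = 0;

/* Table callback registered by the PauseUpdate test: parses the delivered line
 * and expects that no update arrives while g_test_update_paused is set. */
void pause_update_test_entry_cb(int table_id,const char* table_line,void* u_para)
{
    char status[32] = {0};
    int entry_id = -1, seq = -1;
    int is_valid = 0;

    /* %31s: the field width keeps an over-long second column from running past
     * the 32-byte status buffer (a bare %s has no upper bound). */
    sscanf(table_line, "%d\t%31s\t%d\t%d", &seq, status, &entry_id, &is_valid);
    EXPECT_EQ(g_test_update_paused, 0);
}

TEST_F(MaatCmd, PauseUpdate) {
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    const char *table_name = "QD_ENTRY_INFO";

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    /* NOTE(review): the result of the registration is overwritten below without
     * being checked; the SetFile test expects 0 from the same call. */
    int ret = maat_table_callback_register(maat_inst, table_id, NULL,
                                           pause_update_test_entry_cb, NULL, NULL);

    /* Build the line before raising the paused flag, so that a failed
     * allocation aborts the test without leaving the flag set. */
    char *line = NULL;
    int n_written = asprintf(&line, "1\t192.168.0.1\t101\t1");
    ASSERT_NE(n_written, -1);

    //TODO: value = 0 MAAT_OPT_ENABLE_UPDATE
    g_test_update_paused = 1;

    struct maat_cmd_line line_rule;
    memset(&line_rule, 0, sizeof(line_rule));
    line_rule.rule_id = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1);
    line_rule.table_name = table_name;
    line_rule.table_line = line;
    line_rule.expire_after = 0;
    ret = maat_cmd_set_line(maat_inst, &line_rule);
    EXPECT_EQ(ret, 1);
    free(line);

    g_test_update_paused = 0;
    //TODO: value = 1 MAAT_OPT_ENABLE_UPDATE
}

/**
 * Load a file into a freshly allocated buffer and derive its storage key.
 *
 * @param filename   path of the file to read
 * @param file_buff  out: buffer allocated with ALLOC holding the content; the
 *                   callers in this file release it with free()
 * @param file_size  out: number of bytes actually read into *file_buff
 * @param file_key   out: "__FILE_" followed by the hex MD5 of the content
 * @param key_size   capacity of file_key
 *
 * MD5 serves here as a content-derived name only; nothing in this function
 * relies on it as an integrity or authenticity check.
 * The ASSERT_* macros return from this helper only, so on failure the caller
 * continues with its outputs unset.
 */
void prepare_file_to_set(const char* filename, char** file_buff, size_t *file_size,
                         char* file_key, size_t key_size)
{
    int i = 0;
    struct stat file_info;
    unsigned char md5[MD5_DIGEST_LENGTH];
    char md5string[2*MD5_DIGEST_LENGTH+1];

    memset(md5, 0, sizeof(md5));
    memset(md5string, 0, sizeof(md5string));

    int ret = stat(filename, &file_info);
    ASSERT_TRUE(ret == 0);

    FILE *fp = fopen(filename, "r");
    ASSERT_FALSE(fp == NULL);

    *file_size = file_info.st_size;
    *file_buff = ALLOC(char, *file_size + 1);

    size_t n_read = fread(*file_buff, 1, *file_size, fp);
    fclose(fp);

    /* Report a short read, then hash and hand back only the bytes that were
     * really read, so that key and content always describe the same data. */
    EXPECT_EQ(n_read, *file_size);
    *file_size = n_read;

    MD5((const unsigned char *)(*file_buff), (unsigned long)(*file_size), md5);

    for (i = 0; i < MD5_DIGEST_LENGTH; ++i) {
        snprintf(&md5string[i*2], sizeof(md5string) - (size_t)i * 2, "%02x",
                 (unsigned int)md5[i]);
    }

    snprintf(file_key, key_size, "__FILE_%s", md5string);
}

/**
 * Compare two files by the digest strings md5_file() produces for them.
 *
 * @return 1 when both digest strings are equal, 0 otherwise
 *
 * NOTE(review): the results of md5_file() are not checked. Both buffers start
 * out zeroed, so if md5_file() leaves them untouched on failure, two
 * unreadable files would compare as equal - verify against md5_file().
 */
int is_same_file(const char *filename1, const char *filename2)
{
    char md5string[2][MD5_DIGEST_LENGTH*2+1];
    memset(md5string, 0, sizeof(md5string));

    md5_file(filename1, md5string[0]);
    md5_file(filename2, md5string[1]);

    return (0 == strcmp(md5string[0], md5string[1])) ? 1 : 0;
}

int g_test_foregin_read_OK = 0, g_test_foreign_del_OK = 0;
char file1_to_del[256], file2_to_del[256];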
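const char* empty_file_name = "An_empty_file";

/*
 * Table callback for TEST_FOREIGN_KEY.
 *
 * Parses the nine tab-separated columns of the line. For a valid line it
 * compares each origin file with its local copy, or expects the local name
 * "null" when the second origin name is empty_file_name. For an invalid line
 * it records both local names in file1_to_del / file2_to_del.
 */
void foreign_key_test_entry_cb(int table_id, const char *table_line, void *u_para)
{
    int rule_id=-1, not_care=0, tag=0;
    int is_valid=0;
    // Zeroed so that a partially parsed line never leaves a buffer unterminated.
    char file1_origin_name[256] = {0}, file2_origin_name[256] = {0};
    char file1_localname[256] = {0}, file2_localname[256] = {0};
    char end[16] = {0};

    // Every %s carries a width one below its buffer size; a bare %s would let
    // an over-long column run past the stack buffers.
    int n_parsed = sscanf(table_line, "%d\t%d\t%d\t%d\t%255s\t%255s\t%255s\t%255s\t%15s",
                          &rule_id, &not_care, &tag, &is_valid,
                          file1_origin_name, file1_localname,
                          file2_origin_name, file2_localname, end);
    EXPECT_EQ(n_parsed, 9);
    EXPECT_STREQ(end, "End");

    if (is_valid == 1) {
        EXPECT_TRUE(is_same_file(file1_origin_name, file1_localname));
        if (0 == strncmp(file2_origin_name, empty_file_name, strlen(empty_file_name))) {
            EXPECT_TRUE(0==strncasecmp(file2_localname, "null", strlen("null")));
        } else {
            EXPECT_TRUE(is_same_file(file2_origin_name, file2_localname));
        }
        g_test_foregin_read_OK = 1;
    } else {
        // Bounded copies into the 256-byte globals.
        snprintf(file1_to_del, sizeof(file1_to_del), "%s", file1_localname);
        snprintf(file2_to_del, sizeof(file2_to_del), "%s", file2_localname);
        g_test_foreign_del_OK = 1;
    }
}

/*
 * Uploads two files with maat_cmd_set_file(), references them from a
 * TEST_FOREIGN_KEY line, then deletes the files and the line and expects the
 * recorded local copies to be gone. Ends with a line whose second file key is
 * the string "null".
 */
TEST_F(MaatCmd, SetFile) {
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    const char* table_name = "TEST_FOREIGN_KEY";

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    int ret = maat_table_callback_register(maat_inst, table_id, NULL,
                                           foreign_key_test_entry_cb, NULL, NULL);
    EXPECT_EQ(ret, 0);

    const char *file1_name = "./testdata/digest_test.data";
    const char *file2_name = "./testdata/mesa_logo.jpg";
    char *file_buff = NULL;
    // Zeroed so the keys are valid strings even if prepare_file_to_set()
    // returns early on a failed assertion.
    char file1_key[256] = {0}, file2_key[256] = {0};
    size_t file_size = 0;

    prepare_file_to_set(file1_name, &file_buff, &file_size, file1_key, sizeof(file1_key));
    ret = maat_cmd_set_file(maat_inst, file1_key, file_buff, file_size, MAAT_OP_ADD);
    EXPECT_EQ(ret, 1);
    free(file_buff);
    file_buff = NULL;

    prepare_file_to_set(file2_name, &file_buff, &file_size, file2_key, sizeof(file2_key));
    ret = maat_cmd_set_file(maat_inst, file2_key, file_buff, file_size, MAAT_OP_ADD);
    EXPECT_EQ(ret, 1);
    free(file_buff);
    file_buff = NULL;

    g_test_foregin_read_OK = 0;
    char line[1024] = {0};
    int tag = 0;
    struct maat_cmd_line line_rule;
    memset(&line_rule, 0, sizeof(line_rule));
    line_rule.rule_id = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1);
    line_rule.table_name = table_name;
    snprintf(line, sizeof(line),"%lld\t2\t%d\t1\t%s\tredis://%s\t%s\tredis://%s\tEnd",
             line_rule.rule_id, tag, file1_name, file1_key, file2_name, file2_key);
    line_rule.table_line = line;
    line_rule.expire_after = 0;
    ret = maat_cmd_set_line(maat_inst, &line_rule);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);//wait for callback triggered.
    EXPECT_EQ(g_test_foregin_read_OK, 1);

    g_test_foreign_del_OK = 0;
    ret = maat_cmd_set_file(maat_inst, file1_key, NULL, 0, MAAT_OP_DEL);
    EXPECT_EQ(ret, 1);
    ret = maat_cmd_set_file(maat_inst, file2_key, NULL, 0, MAAT_OP_DEL);
    EXPECT_EQ(ret, 1);

    struct maat_cmd_line line_rule_del;
    memset(&line_rule_del, 0, sizeof(line_rule_del));
    line_rule_del.rule_id = line_rule.rule_id;
    line_rule_del.table_name = line_rule.table_name;
    memset(line, 0, sizeof(line));
    snprintf(line, sizeof(line), "%lld\t2\t%d\t0\t%s\tredis://%s\t%s\tredis://%s\tEnd",
             line_rule.rule_id, tag, file1_name, file1_key, file2_name, file2_key);
    line_rule_del.table_line = line;
    line_rule_del.expire_after = 0;
    ret = maat_cmd_set_line(maat_inst, &line_rule_del);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    // NOTE(review): g_test_foreign_del_OK is reset above but never asserted.
    // If the delete callback does not run, file1_to_del / file2_to_del may
    // still be empty and stat("") fails too, so these checks could pass
    // without the deletion having been observed - confirm and consider
    // asserting the flag.
    struct stat file_info;
    ret = stat(file1_to_del, &file_info);
    EXPECT_EQ(ret, -1);
    ret = stat(file2_to_del, &file_info);
    EXPECT_EQ(ret, -1);

    // Test empty file, file key is a string "null".
    memset(&line_rule, 0, sizeof(line_rule));
    memset(line, 0, sizeof(line));
    line_rule.rule_id = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1);
    line_rule.table_name=table_name;
    snprintf(line, sizeof(line),"%lld\t2\t%d\t1\t%s\tredis://%s\t%s\t%s\tEnd",
             line_rule.rule_id, tag, file1_name, file1_key, empty_file_name, "null");
    line_rule.table_line = line;
    line_rule.expire_after = 0;

    g_test_foregin_read_OK = 0;
    ret = maat_cmd_set_line(maat_inst, &line_rule);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);//wait for callback triggered.
    EXPECT_EQ(g_test_foregin_read_OK, 1);
}

struct user_info {
    char name[256];
    char ip_addr[32];
    int id;
};

/*
 * ex_data constructor: parses "<id>\t<ip_addr>\t<name>" from table_line into
 * a new user_info, stores it in *ad and increments the counter behind argp.
 */
void plugin_ex_new_cb(const char *table_name, int table_id, const char *key,
                      const char *table_line, void **ad, long argl, void *argp)
{
    int *counter = (int *)argp;
    struct user_info *u = ALLOC(struct user_info, 1);

    // Widths match ip_addr[32] and name[256]; a bare %s would overflow the
    // heap object on an over-long column.
    int ret = sscanf(table_line, "%d\t%31s\t%255s", &(u->id), u->ip_addr, u->name);
    EXPECT_EQ(ret, 3);

    *ad = u;
    (*counter)++;
}

/*
 * ex_data destructor: scrubs the user_info, frees it and clears *ad.
 */
void plugin_ex_free_cb(int table_id, void **ad, long argl, void *argp)
{
    struct user_info *u = (struct user_info *)(*ad);

    // Zeroing before free() makes a read through a stale pointer see zeros
    // rather than the old record for as long as the memory is not reused.
    memset(u, 0, sizeof(struct user_info));
    free(u);
    *ad = NULL;
}

/*
 * ex_data dup: hands out the same pointer, not a copy.
 * NOTE(review): *to aliases *from; whether the framework later frees both is
 * not visible here - confirm.
 */
void plugin_ex_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
    struct user_info *u = (struct user_info *)(*from);
    *to = u;
}

TEST_F(MaatCmd, CompileEXData) {
    const char *plugin_table_name = "COMPILE_FIREWALL_PLUGIN";
    const char *compile_table_name = "COMPILE_FIREWALL_DEFAULT";
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    int *ex_data_counter = MaatCmd::_ex_data_counter;
    int plugin_table_id = maat_get_table_id(maat_inst, plugin_table_name);
    EXPECT_GT(plugin_table_id, 0);
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "test:compile1,1111", 1, 0);
    EXPECT_EQ(ret, 1);
    long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name,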
MAAT_OP_ADD, compile2_id, "test:compile2,2222", 1, 0); sleep(WAIT_FOR_EFFECTIVE_S); *ex_data_counter = 0; ret = maat_plugin_table_ex_schema_register(maat_inst, plugin_table_name, compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, ex_data_counter); ASSERT_TRUE(ret == 0); EXPECT_EQ(*ex_data_counter, 2); void *ex_data = maat_plugin_table_get_ex_data(maat_inst, plugin_table_id, (char *)&compile1_id, sizeof(long long)); ASSERT_TRUE(ex_data != NULL); struct rule_ex_param *param = (struct rule_ex_param *)ex_data; EXPECT_EQ(param->id, 1111); ex_data = maat_plugin_table_get_ex_data(maat_inst, plugin_table_id, (char *)&compile2_id, sizeof(long long)); ASSERT_TRUE(ex_data != NULL); param = (struct rule_ex_param *)ex_data; EXPECT_EQ(param->id, 2222); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile2_id, "test:compile2,2222", 1, 0); sleep(WAIT_FOR_EFFECTIVE_S); EXPECT_EQ(param->id, 2222); sleep(2); //excced gc_timeout_s(3s), the data pointed by param has been freed } TEST_F(MaatCmd, PluginEXData) { const char *table_name = "TEST_PLUGIN_EXDATA_TABLE"; const int TEST_CMD_LINE_NUM = 4; struct maat *maat_inst = MaatCmd::_shared_maat_inst; int *ex_data_counter = MaatCmd::_ex_data_counter; const char *table_line_add[TEST_CMD_LINE_NUM] = { "1\t192.168.0.1\tmahuateng\t1\t0", "2\t192.168.0.2\tliuqiangdong\t1\t0", "3\t192.168.0.3\tmayun\t1\t0", "4\t192.168.0.4\tliyanhong\t1\t0" }; const char *table_line_del[TEST_CMD_LINE_NUM] = { "1\t192.168.0.1\tmahuateng\t0\t0", "2\t192.168.0.2\tliuqiangdong\t0\t0", "3\t192.168.0.3\tmayun\t0\t0", "4\t192.168.0.4\tliyanhong\t0\t0" }; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int i = 0, ret = 0; struct maat_cmd_line line_rule; long long rule_id[TEST_CMD_LINE_NUM] = {0}; /* 1st line */ for (i = 0; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, sizeof(line_rule)); rule_id[i] = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1); line_rule.rule_id = rule_id[i]; 
line_rule.table_name = table_name; line_rule.table_line = table_line_add[i]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); } sleep(WAIT_FOR_EFFECTIVE_S); *ex_data_counter = 0; ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, plugin_ex_new_cb, plugin_ex_free_cb, plugin_ex_dup_cb, 0, ex_data_counter); ASSERT_TRUE(ret >= 0); EXPECT_EQ(*ex_data_counter, TEST_CMD_LINE_NUM); struct user_info *uinfo1 = NULL; const char *key1 = "192.168.0.2"; uinfo1 = (struct user_info *)maat_plugin_table_get_ex_data(maat_inst, table_id, key1, strlen(key1)); ASSERT_TRUE(uinfo1 != NULL); EXPECT_EQ(0, strcmp(uinfo1->name, "liuqiangdong")); EXPECT_EQ(uinfo1->id, 2); //DEL memset(&line_rule, 0, sizeof(line_rule)); line_rule.rule_id = rule_id[1]; line_rule.table_name = table_name; line_rule.table_line = table_line_del[1]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); sleep(WAIT_FOR_EFFECTIVE_S); //gc_timeout_s == 3 which configured in table_info struct user_info *uinfo2 = NULL; uinfo2 = (struct user_info *)maat_plugin_table_get_ex_data(maat_inst, table_id, key1, strlen(key1)); ASSERT_TRUE(uinfo2 == NULL); //the data pointed by uinfo1 has in garbage queue, but not be freed yet EXPECT_EQ(0, strcmp(uinfo1->name, "liuqiangdong")); EXPECT_EQ(uinfo1->id, 2); sleep(WAIT_FOR_EFFECTIVE_S * 2); //exceed gc_timeout_s, the data pointed by uinfo1 has been freed } TEST_F(MaatCmd, UpdateIPPlugin) { const char *table_name = "TEST_IP_PLUGIN_WITH_ADDR_FORMAT"; const int TEST_CMD_LINE_NUM = 4; struct maat *maat_inst = MaatCmd::_shared_maat_inst; int *ex_data_counter = MaatCmd::_ex_data_counter; const char *table_line_add[TEST_CMD_LINE_NUM] = { "101\t4\t192.168.30.98/31\tSomething-like-json\t1", "102\t4\t192.168.30.90-192.168.30.128\tBigger-range-should-in-the-back\t1", "103\t6\t2001:db8:1234::-2001:db8:1235::\tBigger-range-should-in-the-back\t1", 
"104\t6\t2001:db8:1234::1-2001:db8:1234::5210\tSomething-like-json\t1"}; const char *table_line_del[TEST_CMD_LINE_NUM] = { "101\t4\t192.168.30.98/31\tSomething-like-json\t0", "102\t4\t192.168.30.90-192.168.30.128\tBigger-range-should-in-the-back\t0", "103\t6\t2001:db8:1234::-2001:db8:1235::\tBigger-range-should-in-the-back\t0", "104\t6\t2001:db8:1234::1-2001:db8:1234::5210\tSomething-like-json\t0"}; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int i = 0, ret = 0; struct maat_cmd_line line_rule; long long rule_id[TEST_CMD_LINE_NUM] = {0}; //add lines for (i = 0; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, sizeof(line_rule)); rule_id[i] = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1); line_rule.rule_id = rule_id[i]; line_rule.table_name = table_name; line_rule.table_line = table_line_add[i]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); } sleep(WAIT_FOR_EFFECTIVE_S); *ex_data_counter = 0; ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, ip_plugin_ex_new_cb, ip_plugin_ex_free_cb, ip_plugin_ex_dup_cb, 0, ex_data_counter); ASSERT_TRUE(ret >= 0); EXPECT_EQ(*ex_data_counter, TEST_CMD_LINE_NUM); struct ip_addr ipv4, ipv6; struct ip_plugin_ud *results[ARRAY_SIZE]; ipv4.ip_type = IPV4; inet_pton(AF_INET, "192.168.30.99", &(ipv4.ipv4)); memset(results, 0, sizeof(results)); ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv4, (void **)results, ARRAY_SIZE); EXPECT_EQ(ret, 2); EXPECT_EQ(results[0]->rule_id, 101); EXPECT_EQ(results[1]->rule_id, 102); ipv6.ip_type = 6; inet_pton(AF_INET6, "2001:db8:1234::5210", &(ipv6.ipv6)); memset(results, 0, sizeof(results)); ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv6, (void **)results, ARRAY_SIZE); EXPECT_EQ(ret, 2); EXPECT_EQ(results[0]->rule_id, 104); EXPECT_EQ(results[1]->rule_id, 103); //del lines for (i = 0; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, sizeof(line_rule)); 
line_rule.rule_id = rule_id[i]; line_rule.table_name = table_name; line_rule.table_line = table_line_del[i]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); } sleep(WAIT_FOR_EFFECTIVE_S); //gc_timeout_s == 3 which configured in table_info ret = maat_ip_plugin_table_get_ex_data(maat_inst, table_id, &ipv4, (void **)results, ARRAY_SIZE); EXPECT_EQ(ret, 0); //the data pointed by results[idx] has in garbage queue, but not be freed yet EXPECT_EQ(results[0]->rule_id, 104); EXPECT_EQ(results[1]->rule_id, 103); sleep(WAIT_FOR_EFFECTIVE_S * 2); //exceed gc_timeout_s, the data pointed by results[idx] has been freed } TEST_F(MaatCmd, UpdateFQDNPlugin) { const char *table_name = "TEST_FQDN_PLUGIN_WITH_EXDATA"; const int TEST_CMD_LINE_NUM = 5; struct maat *maat_inst = MaatCmd::_shared_maat_inst; int *ex_data_counter = MaatCmd::_ex_data_counter; const char *table_line_add[TEST_CMD_LINE_NUM]={ "201\twww.example1.com\tcatid=1\t1", "202\t*.example1.com\tcatid=1\t1", "203\tnews.example1.com\tcatid=2\t1", "204\tr3---sn-i3belne6.example2.com\tcatid=3\t1", "205\tr3---sn-i3belne6.example2.com\tcatid=3\t1"}; const char *table_line_del[TEST_CMD_LINE_NUM]={ "201\twww.example1.com\tcatid=1\t0", "202\t*.example1.com\tcatid=1\t0", "203\tnews.example1.com\tcatid=2\t0", "204\tr3---sn-i3belne6.example2.com\tcatid=3\t0", "205\tr3---sn-i3belne6.example2.com\tcatid=3\t0"}; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); int i = 0, ret = 0; long long rule_id[TEST_CMD_LINE_NUM] = {0}; struct maat_cmd_line line_rule; //add lines for (i = 0; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, sizeof(line_rule)); rule_id[i] = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1); line_rule.rule_id = rule_id[i]; line_rule.table_name = table_name; line_rule.table_line = table_line_add[i]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); } sleep(WAIT_FOR_EFFECTIVE_S); *ex_data_counter = 0; 
ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, fqdn_plugin_ex_new_cb, fqdn_plugin_ex_free_cb, fqdn_plugin_ex_dup_cb, 0, ex_data_counter); ASSERT_TRUE(ret >= 0); EXPECT_EQ(*ex_data_counter, 5); struct fqdn_plugin_ud *results[ARRAY_SIZE]; memset(results, 0, sizeof(results)); ret = maat_fqdn_plugin_table_get_ex_data(maat_inst, table_id, "r3---sn-i3belne6.example2.com", (void**)results, ARRAY_SIZE); ASSERT_EQ(ret, 2); EXPECT_EQ(results[0]->catid, 3); //del lines for (i = 3; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, sizeof(line_rule)); line_rule.rule_id = rule_id[i]; line_rule.table_name = table_name; line_rule.table_line = table_line_del[i]; line_rule.expire_after = 0; ret = maat_cmd_set_line(maat_inst, &line_rule); EXPECT_GT(ret, 0); } sleep(WAIT_FOR_EFFECTIVE_S); ret = maat_fqdn_plugin_table_get_ex_data(maat_inst, table_id, "r3---sn-i3belne6.example2.com", (void**)results, ARRAY_SIZE); ASSERT_EQ(ret, 0); EXPECT_EQ(results[0]->catid, 3); sleep(WAIT_FOR_EFFECTIVE_S * 2); //exceed gc_timeout_s, the data pointed by results[idx] has been freed } TEST_F(MaatCmd, UpdateBoolPlugin) { const char *table_name = "TEST_BOOL_PLUGIN_WITH_EXDATA"; const int TEST_CMD_LINE_NUM = 6; struct maat *maat_inst = MaatCmd::_shared_maat_inst; int *ex_data_counter = MaatCmd::_ex_data_counter; const char *table_line_add[TEST_CMD_LINE_NUM] = { "301\t1&2&1000\ttunnel1\t1", "302\t101&102\ttunnel2\t1", "303\t102\ttunnel3\t1", "304\t101\ttunnel4\t1", "305\t0&1&2&3&4&5&6&7\ttunnel5\t1", "306\t101&101\tinvalid\t1"}; const char *table_line_del[TEST_CMD_LINE_NUM] = { "301\t1&2&1000\ttunnel1\t0", "302\t101&102\ttunnel2\t0", "303\t102\ttunnel3\t0", "304\t101\ttunnel4\t0", "305\t0&1&2&3&4&5&6&7\ttunnel5\t0", "306\t101&101\tinvalid\t0"}; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); long long rule_id[TEST_CMD_LINE_NUM] = {0}; struct maat_cmd_line line_rule; int i = 0, ret = 0; for (i = 0; i < TEST_CMD_LINE_NUM; i++) { memset(&line_rule, 0, 
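sizeof(line_rule));
        rule_id[i] = maat_cmd_incrby(maat_inst, "TEST_PLUG_SEQ", 1);
        line_rule.rule_id = rule_id[i];
        line_rule.table_name = table_name;
        line_rule.table_line = table_line_add[i];
        line_rule.expire_after = 0;
        ret = maat_cmd_set_line(maat_inst, &line_rule);
        EXPECT_GT(ret, 0);
    }

    sleep(WAIT_FOR_EFFECTIVE_S);

    *ex_data_counter = 0;
    ret = maat_plugin_table_ex_schema_register(maat_inst, table_name, bool_plugin_ex_new_cb,
                                               bool_plugin_ex_free_cb, bool_plugin_ex_dup_cb,
                                               0, ex_data_counter);
    ASSERT_TRUE(ret>=0);
    EXPECT_EQ(*ex_data_counter, 6);

    unsigned long long items[] = {101, 102, 1000};
    struct bool_plugin_ud *results[ARRAY_SIZE];
    memset(results, 0, sizeof(results));

    ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items, 3, (void **)results, ARRAY_SIZE);
    EXPECT_EQ(ret, 4);
    EXPECT_EQ(results[0]->name_len, 8);

    for (i = 3; i < TEST_CMD_LINE_NUM; i++) {
        memset(&line_rule, 0, sizeof(line_rule));
        line_rule.rule_id = rule_id[i];
        line_rule.table_name = table_name;
        line_rule.table_line = table_line_del[i];
        line_rule.expire_after = 0;
        ret = maat_cmd_set_line(maat_inst, &line_rule);
        EXPECT_GT(ret, 0);
    }

    sleep(WAIT_FOR_EFFECTIVE_S);

    ret = maat_bool_plugin_table_get_ex_data(maat_inst, table_id, items, 3, (void **)results, ARRAY_SIZE);
    EXPECT_EQ(ret, 2);
    EXPECT_EQ(results[0]->name_len, 8);

    sleep(WAIT_FOR_EFFECTIVE_S * 2); //exceed gc_timeout_s, the data pointed by results[idx] has been freed
}

#define COMPILE_ID_NUMS 1000

/*
 * Attaches group1 (URL item) and group3 (APP_ID item) to COMPILE_ID_NUMS
 * compiles, and group2 (second URL item) plus group3 to one target compile,
 * then scans both URLs followed by the app id and checks the hit counts.
 */
TEST_F(MaatCmd, GroupInMassCompiles) {
    const char* g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char* compile_table_name = "COMPILE_DEFAULT";
    const char* table_url = "HTTP_URL";
    const char* table_appid = "APP_ID";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    //item_url1 -> group1
    long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    int ret = expr_table_set_line(maat_inst, table_url, MAAT_OP_ADD, item1_id, group1_id,
                                  "baidu.com&tsg", NULL, 1, 0, 0, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */
    EXPECT_EQ(ret, 1);

    //item_url2 -> group2
    long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, table_url, MAAT_OP_ADD, item2_id, group2_id,
                              "baidu.com&zhengzhou", NULL, 1, 0, 0, 0);/* EXPR_TYPE_AND MATCH_METHOD_SUB */
    EXPECT_EQ(ret, 1);

    //item_appid -> group3
    long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = interval_table_set_line(maat_inst, table_appid, MAAT_OP_ADD, item3_id, group3_id,
                                  "100", NULL, 0);
    EXPECT_EQ(ret, 1);

    /* item_url1 -> group1 -> compile[0 ~ COMPILE_ID_NUMS]
                              /
       item_appid -> group3_/
    */
    long long compile_id[COMPILE_ID_NUMS] = {0};
    for (int i = 0; i < COMPILE_ID_NUMS; i++) {
        compile_id[i] = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
        ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile_id[i],
                                     "mass_compile", 2, 0);
        EXPECT_EQ(ret, 1);
    }

    for (int i = 0; i < COMPILE_ID_NUMS; i++) {
        ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id,
                                           compile_id[i], 0, table_url, 0, 0);
        EXPECT_EQ(ret, 1);

        ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group3_id,
                                           compile_id[i], 0, table_appid, 2, 0);
        EXPECT_EQ(ret, 1);
    }

    /* item_url2 -> group2 -> target_compile
                              /
       item_appid -> group3_/
    */
    long long target_compile_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, target_compile_id,
                                 "null", 2, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id,
                                       target_compile_id, 0, table_url, 1, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group3_id,
                                       target_compile_id, 0, table_appid, 2, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const char* http_url1 = "https://www.baidu.com/s?wd=tsg";
    const char* http_url2 = "https://www.baidu.com/s?wd=zhengzhou&rsv_spt=1"
                            "&rsv_iqid=0x8b4cae8100000560&issp=1&f=8&rsv_bp=1";

    int url_table_id = maat_get_table_id(maat_inst, table_url);
    ASSERT_GT(url_table_id, 0);

    int appid_table_id = maat_get_table_id(maat_inst, table_appid);
    ASSERT_GT(appid_table_id, 0);

    // One capacity for every call that writes into results[]. The
    // maat_scan_not_logic() calls used to pass ARRAY_SIZE (10) for this
    // 4-element array, which tells the callee it may write past the end.
    const int RESULT_CAP = 4;
    long long results[RESULT_CAP] = {0};
    size_t n_hit_result = 0;

    ret = maat_scan_string(maat_inst, url_table_id, http_url2, strlen(http_url2),
                           results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, url_table_id, results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_integer(maat_inst, appid_table_id, 100, results, RESULT_CAP,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], target_compile_id);

    ret = maat_scan_not_logic(maat_inst, appid_table_id, results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    ret = maat_scan_string(maat_inst, url_table_id, http_url1, strlen(http_url1),
                           results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, url_table_id, results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_integer(maat_inst, appid_table_id, 100, results, RESULT_CAP,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 4);

    ret = maat_scan_not_logic(maat_inst, appid_table_id, results, RESULT_CAP, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, HitGroup) {
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *g2g_table_name = "GROUP2GROUP";
    const char *http_sig_table_name = "HTTP_SIGNATURE";
    const char *ip_table_name = "IP_CONFIG";
    const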
char *keywords_table_name = "KEYWORDS_TABLE"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); /* compile1 */ long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); //group1 -> compile1 long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, "HTTP_REQUEST_HEADER", 1, 0); EXPECT_EQ(ret, 1); //item1 -> group1 -> compile1 long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD, item1_id, group1_id, "hit group item first", "URL", 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / group21_/ */ long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group21_id, compile1_id, 0, "HTTP_RESPONSE_HEADER", 2, 0); EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / group2 -> group21 _/ */ long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD, group21_id, group2_id, 0); EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / item2 -> group2 -> group21 _/ */ long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD, item2_id, group2_id, "hit group item second", "Cookie", 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); /* item1 -> group1 -> group11 \ \ -> compile1 / item2 -> group2 -> group21 _/ */ long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2group_table_set_line(maat_inst, g2g_table_name, 
MAAT_OP_ADD, group11_id, group1_id, 0); EXPECT_EQ(ret, 1); //item3 -> group3, group3 is not referenced by any compile. long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item3_id, group3_id, "220.181.38.150-220.181.38.151", 0); EXPECT_EQ(ret, 1); char temp[1024]={0}; //item4 -> group4, group4 is not referenced by any compile. long long item4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); long long group4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD, item4_id, group4_id, str_escape(temp, sizeof(temp), "hit group item forth"), NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); /* item1 -> group1 -> group11 / \ item5 -> / \ -> compile1 / item2 -> group2 -> group21 _/ */ //item5 -> group1 which means group1 has multi items long long item5_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD, item5_id, group1_id, str_escape(temp, sizeof(temp), "hit group item fifth"), NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); const char* http_url = "en.wikipedia.org hit group item first"; const char* http_resp_hdr_cookie = "laptop=thinkpad X1 extrem;hit group item second" "main[XWJOKE]=hoho; Hm_lvt_bbac0322e6ee13093f98d5c4b5a10912=1578874808;"; int http_req_table_id = maat_get_table_id(maat_inst, "HTTP_REQUEST_HEADER"); ASSERT_GT(http_req_table_id, 0); ret = maat_state_set_scan_district(state, http_req_table_id, "URL", strlen("URL")); EXPECT_EQ(ret, 0); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; ret = maat_scan_string(maat_inst, http_req_table_id, http_url, strlen(http_url), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); size_t scan_times 
= maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 1); struct maat_hit_group hit_groups[128]; memset(hit_groups, 0, sizeof(hit_groups)); size_t n_hit_group = maat_state_get_direct_hit_group_cnt(state); maat_state_get_direct_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 1); EXPECT_EQ(hit_groups[0].item_id, item1_id); EXPECT_EQ(hit_groups[0].group_id, group1_id); EXPECT_EQ(hit_groups[0].vtable_id, http_req_table_id); memset(hit_groups, 0, sizeof(hit_groups)); n_hit_group = maat_state_get_indirect_hit_group_cnt(state); maat_state_get_indirect_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 1); EXPECT_EQ(hit_groups[0].item_id, 0); EXPECT_EQ(hit_groups[0].group_id, group11_id); EXPECT_EQ(hit_groups[0].vtable_id, http_req_table_id); size_t n_last_hit_group = maat_state_get_last_hit_group_cnt(state); struct maat_hit_group last_hit_groups[128] = {0}; maat_state_get_last_hit_groups(state, last_hit_groups, 128); EXPECT_EQ(n_last_hit_group, 2); EXPECT_EQ(last_hit_groups[0].item_id, item1_id); EXPECT_EQ(last_hit_groups[0].group_id, group1_id); EXPECT_EQ(last_hit_groups[0].vtable_id, http_req_table_id); EXPECT_EQ(last_hit_groups[1].item_id, 0); EXPECT_EQ(last_hit_groups[1].group_id, group11_id); EXPECT_EQ(last_hit_groups[1].vtable_id, http_req_table_id); int http_res_table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER"); ASSERT_GT(http_res_table_id, 0); const char *district_str1 = "Cookie"; ret = maat_state_set_scan_district(state, http_res_table_id, district_str1, strlen(district_str1)); EXPECT_EQ(ret, 0); ret = maat_scan_string(maat_inst, http_res_table_id, http_resp_hdr_cookie, strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 2); memset(hit_groups, 0, sizeof(hit_groups)); n_hit_group = maat_state_get_direct_hit_group_cnt(state); 
maat_state_get_direct_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 1); EXPECT_EQ(hit_groups[0].item_id, item2_id); EXPECT_EQ(hit_groups[0].group_id, group2_id); EXPECT_EQ(hit_groups[0].vtable_id, http_res_table_id); memset(hit_groups, 0, sizeof(hit_groups)); n_hit_group = maat_state_get_indirect_hit_group_cnt(state); maat_state_get_indirect_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 1); EXPECT_EQ(hit_groups[0].item_id, 0); EXPECT_EQ(hit_groups[0].group_id, group21_id); EXPECT_EQ(hit_groups[0].vtable_id, http_res_table_id); n_last_hit_group = maat_state_get_last_hit_group_cnt(state); maat_state_get_last_hit_groups(state, last_hit_groups, 128); EXPECT_EQ(n_last_hit_group, 2); EXPECT_EQ(last_hit_groups[0].item_id, item2_id); EXPECT_EQ(last_hit_groups[0].group_id, group2_id); EXPECT_EQ(last_hit_groups[0].vtable_id, http_res_table_id); EXPECT_EQ(last_hit_groups[1].item_id, 0); EXPECT_EQ(last_hit_groups[1].group_id, group21_id); EXPECT_EQ(last_hit_groups[1].vtable_id, http_res_table_id); const char* keywords1="In graph theory, hit group item forth"; const char *keywords2="To test one group hit group item fifth"; int keywords_table_id = maat_get_table_id(maat_inst, keywords_table_name); ASSERT_GT(keywords_table_id, 0); struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_id, state); ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 3); int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(ip_table_id, 0); uint32_t ip_addr; inet_pton(AF_INET, "220.181.38.150", &ip_addr); ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 4); memset(hit_groups, 0, sizeof(hit_groups)); n_hit_group = 
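maat_state_get_direct_hit_group_cnt(state); maat_state_get_direct_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 2); EXPECT_EQ(hit_groups[0].item_id, item4_id); EXPECT_EQ(hit_groups[0].group_id, group4_id); EXPECT_EQ(hit_groups[0].vtable_id, keywords_table_id); //physical table(keywords_table) vtable_id is 0 EXPECT_EQ(hit_groups[1].item_id, item3_id); EXPECT_EQ(hit_groups[1].group_id, group3_id); EXPECT_EQ(hit_groups[1].vtable_id, ip_table_id); ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); scan_times = maat_state_get_scan_count(state); EXPECT_EQ(scan_times, 5); memset(hit_groups, 0, sizeof(hit_groups)); n_hit_group = maat_state_get_direct_hit_group_cnt(state); maat_state_get_direct_hit_groups(state, hit_groups, n_hit_group); EXPECT_EQ(n_hit_group, 2); EXPECT_EQ(hit_groups[0].item_id, item5_id); EXPECT_EQ(hit_groups[0].group_id, group1_id); EXPECT_EQ(hit_groups[0].vtable_id, keywords_table_id); //physical table(keywords_table) vtable_id is 0 EXPECT_EQ(hit_groups[1].item_id, item4_id); EXPECT_EQ(hit_groups[1].group_id, group4_id); EXPECT_EQ(hit_groups[1].vtable_id, keywords_table_id); //physical table(keywords_table) vtable_id is 0 n_last_hit_group = maat_state_get_last_hit_group_cnt(state); maat_state_get_last_hit_groups(state, last_hit_groups, 128); EXPECT_EQ(n_last_hit_group, 3); EXPECT_EQ(last_hit_groups[0].item_id, item5_id); EXPECT_EQ(last_hit_groups[0].group_id, group1_id); EXPECT_EQ(last_hit_groups[0].vtable_id, keywords_table_id); EXPECT_EQ(last_hit_groups[1].item_id, item4_id); EXPECT_EQ(last_hit_groups[1].group_id, group4_id); EXPECT_EQ(last_hit_groups[1].vtable_id, keywords_table_id); EXPECT_EQ(last_hit_groups[2].item_id, 0); EXPECT_EQ(last_hit_groups[2].group_id, group11_id); EXPECT_EQ(last_hit_groups[2].vtable_id, keywords_table_id); maat_stream_free(stream); maat_state_free(state); state = NULL; }

/*
 * HitPathBasic: adds one compile fed by two group chains plus two groups that
 * no compile references, runs five scans on one maat_state, and after each
 * scan checks the accumulated records returned by maat_state_get_hit_paths().
 *
 *   item1 -> group1 -> group11
 *   item1 -> group1 ------------> compile1 (HTTP_REQUEST_HEADER)
 *   item2 -> group2 -> group21 -> compile1 (HTTP_RESPONSE_HEADER)
 *   item3 -> group3   (IP_CONFIG, not referenced by any compile)
 *   item4 -> group4   (KEYWORDS_TABLE, not referenced by any compile)
 */
TEST_F(MaatCmd, HitPathBasic) {
    const char *g2g_table_name = "GROUP2GROUP";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *http_sig_table_name = "HTTP_SIGNATURE";
    const char *ip_table_name = "IP_CONFIG";
    const char *keywords_table_name = "KEYWORDS_TABLE";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    // Every call below dereferences state; stop here instead of crashing later.
    ASSERT_TRUE(state != NULL);

    /* compile1 */
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile1_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    // group1 -> compile1
    long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group1_id, compile1_id, 0,
                                       "HTTP_REQUEST_HEADER", 1, 0);
    EXPECT_EQ(ret, 1);

    // item1 -> group1 -> compile1
    long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD,
                              item1_id, group1_id, "graph_theory", "URL",
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // group21 -> compile1
    long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group21_id, compile1_id, 0,
                                       "HTTP_RESPONSE_HEADER", 2, 0);
    EXPECT_EQ(ret, 1);

    // group2 -> group21 -> compile1
    long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group21_id, group2_id, 0);
    EXPECT_EQ(ret, 1);

    // item2 -> group2 -> group21 -> compile1
    long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD,
                              item2_id, group2_id, "time=2020-02-11", "Cookie",
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // item1 -> group1 -> group11 (group11 itself is attached to no compile here)
    long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group11_id, group1_id, 0);
    EXPECT_EQ(ret, 1);

    // item3 -> group3, group3 is not referenced by any compile.
    long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item3_id,
                            group3_id, "220.181.38.148-220.181.38.149", 0);
    EXPECT_EQ(ret, 1);

    char temp[1024] = {0};
    // item4 -> group4, group4 is not referenced by any compile.
    long long item4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD,
                              item4_id, group4_id,
                              str_escape(temp, sizeof(temp), "a finite or infinite"),
                              NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // Give the instance time to load the rules written above.
    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const char *http_url = "en.wikipedia.org/wiki/Path_(graph_theory)";
    const char *http_resp_hdr_cookie =
        "laptop=thinkpad X1 extrem;time=2020-02-11T15:34:00;"
        "main[XWJOKE]=hoho; Hm_lvt_bbac0322e6ee13093f98d5c4b5a10912=1578874808;";

    int http_req_table_id = maat_get_table_id(maat_inst, "HTTP_REQUEST_HEADER");
    ASSERT_GT(http_req_table_id, 0);

    ret = maat_state_set_scan_district(state, http_req_table_id, "URL", strlen("URL"));
    EXPECT_EQ(ret, 0);

    /* scan 1: request URL */
    int Nth_scan = 0;
    Nth_scan++;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    ret = maat_scan_string(maat_inst, http_req_table_id, http_url, strlen(http_url),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, http_req_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    size_t scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 1);

    struct maat_hit_path hit_path[HIT_PATH_SIZE];
    memset(hit_path, 0, sizeof(hit_path));
    // Capacity is passed in elements (HIT_PATH_SIZE), not bytes. sizeof(hit_path)
    // would report a buffer sizeof(struct maat_hit_path) times larger than it is
    // and allow writes past the array. Assumes the third parameter is an element
    // count, as the 128 passed to maat_state_get_last_hit_groups() earlier in
    // this file suggests -- confirm against maat.h.
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 2);

    int path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 2: response cookie, completes compile1 */
    int http_res_table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER");
    ASSERT_GT(http_res_table_id, 0);

    ret = maat_state_set_scan_district(state, http_res_table_id, "Cookie", strlen("Cookie"));
    EXPECT_EQ(ret, 0);

    Nth_scan++;
    ret = maat_scan_string(maat_inst, http_res_table_id, http_resp_hdr_cookie,
                           strlen(http_resp_hdr_cookie), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, http_res_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 2);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 4);

    path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    ASSERT_EQ(path_idx, 1);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 2);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 3);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    // The original literals used backslash line continuations whose following
    // whitespace is not recoverable from this listing; they are written as
    // adjacent literals here. Only the phrase registered for item4
    // ("a finite or infinite") has to appear in each text.
    const char *keywords1 =
        "In graph theory, a path in a graph is a finite or infinite "
        "sequence of edges which joins a sequence of vertices which, by most definitions, "
        "are all distinct (and since the vertices are distinct, so are the edges). ";
    const char *keywords2 =
        "A directed path in a directed graph is a finite or infinite "
        "sequence of edges which joins a sequence of distinct vertices, but with the added restriction "
        "that the edges be all directed in the same direction.";

    /* scan 3: first stream chunk on KEYWORDS_TABLE */
    int keywords_table_id = maat_get_table_id(maat_inst, keywords_table_name);
    ASSERT_GT(keywords_table_id, 0);

    struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_id, state);
    ASSERT_TRUE(stream != NULL);
    Nth_scan++;
    ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, keywords_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 3);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 5);

    path_idx++;
    ASSERT_EQ(path_idx, 4);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item4_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 4: IPv4 address inside item3's range */
    int ip_table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(ip_table_id, 0);

    Nth_scan++;
    uint32_t ip_addr = 0;
    // inet_pton() leaves ip_addr untouched on failure; do not scan a garbage value.
    ASSERT_EQ(inet_pton(AF_INET, "220.181.38.148", &ip_addr), 1);
    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 4);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 6);

    path_idx++;
    ASSERT_EQ(path_idx, 5);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item3_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, ip_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 5: second stream chunk, item4 hits again and adds a new record */
    Nth_scan++;
    ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, keywords_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 5);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 7);

    path_idx++;
    ASSERT_EQ(path_idx, 6);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item4_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    maat_stream_free(stream);
    maat_state_free(state);
    state = NULL;
}

/* same group in multi compile */
/*
 * HitPathAdvanced: groups shared between several compiles; checks that each
 * hit-path record carries the clause_index and compile_id of the relation it
 * belongs to.
 *
 *   item1 -> group1 ------------> compile1 (clause 1)
 *   item2 -> group2 -> group21 -> compile1 (clause 2), compile2 (clause 3)
 *   item3 -> group3 ------------> compile2 (clause 4), compile3 (clause 5)
 *   item4 -> group4 ------------> compile3 (clause 6)
 */
TEST_F(MaatCmd, HitPathAdvanced) {
    const char *g2g_table_name = "GROUP2GROUP";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *ip_table_name = "IP_CONFIG";
    const char *keywords_table_name = "KEYWORDS_TABLE";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    // Every call below dereferences state; stop here instead of crashing later.
    ASSERT_TRUE(state != NULL);

    /* compile1 */
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile1_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    // group1 -> compile1
    long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group1_id, compile1_id, 0,
                                       "KEYWORDS_TABLE", 1, 0); //clause_index:1
    EXPECT_EQ(ret, 1);

    // item1 -> group1 -> compile1
    long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD,
                              item1_id, group1_id, "computer_theory", NULL,
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // group21 -> compile1
    long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group21_id, compile1_id, 0,
                                       "KEYWORDS_TABLE", 2, 0); //clause_index:2
    EXPECT_EQ(ret, 1);

    // group2 -> group21 -> compile1
    long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group21_id, group2_id, 0);
    EXPECT_EQ(ret, 1);

    // item2 -> group2 -> group21 -> compile1
    long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD,
                              item2_id, group2_id, "social_theory", NULL,
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // compile2
    long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile2_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    // group21 -> compile2 (group21 now feeds compile1 and compile2)
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group21_id, compile2_id, 0,
                                       "KEYWORDS_TABLE", 3, 0); //clause_index:3
    EXPECT_EQ(ret, 1);

    // item3 -> group3 -> compile2
    long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item3_id,
                            group3_id, "220.181.38.168-220.181.38.169", 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group3_id, compile2_id, 0,
                                       "IP_CONFIG", 4, 0); //clause_index:4
    EXPECT_EQ(ret, 1);

    // group3 -> compile3 (group3 now feeds compile2 and compile3)
    long long compile3_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile3_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group3_id, compile3_id, 0,
                                       "IP_CONFIG", 5, 0); //clause_index:5
    EXPECT_EQ(ret, 1);

    // item4 -> group4 -> compile3
    char temp[1024] = {0};
    long long item4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD,
                              item4_id, group4_id,
                              str_escape(temp, sizeof(temp), "basic and advanced"),
                              NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group4_id, compile3_id, 0,
                                       "KEYWORDS_TABLE", 6, 0); //clause_index:6
    EXPECT_EQ(ret, 1);

    // Give the instance time to load the rules written above.
    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const char *http_url_computer = "en.wikipedia.org/wiki/Path_(computer_theory)";
    const char *http_url_social = "en.wikipedia.org/wiki/Path_(social_theory)";

    int keywords_table_id = maat_get_table_id(maat_inst, "KEYWORDS_TABLE");
    ASSERT_GT(keywords_table_id, 0);

    /* scan 1: item1 only, compile1 still half hit */
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    ret = maat_scan_string(maat_inst, keywords_table_id, http_url_computer,
                           strlen(http_url_computer), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    struct maat_hit_path hit_path[HIT_PATH_SIZE];
    memset(hit_path, 0, sizeof(hit_path));
    // Capacity is passed in elements (HIT_PATH_SIZE), not bytes. sizeof(hit_path)
    // would report a buffer sizeof(struct maat_hit_path) times larger than it is
    // and allow writes past the array. Assumes the third parameter is an element
    // count, as the 128 passed to maat_state_get_last_hit_groups() earlier in
    // this file suggests -- confirm against maat.h.
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 1);

    int path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, -1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 2: item2 completes compile1 */
    ret = maat_scan_string(maat_inst, keywords_table_id, http_url_social,
                           strlen(http_url_social), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 3);

    path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 1);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 2);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 2);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, -1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 3: item3 completes compile2 */
    uint32_t ip_addr = 0;
    // inet_pton() leaves ip_addr untouched on failure; do not scan a garbage value.
    ASSERT_EQ(inet_pton(AF_INET, "220.181.38.168", &ip_addr), 1);
    int ip_table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(ip_table_id, 0);

    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile2_id);

    memset(hit_path, 0, sizeof(hit_path));
    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 5);

    path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 1);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 3);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile2_id);

    path_idx++;
    ASSERT_EQ(path_idx, 2);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, -1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    ASSERT_EQ(path_idx, 3);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 3);
    EXPECT_EQ(hit_path[path_idx].item_id, item3_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, ip_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 4);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile2_id);

    path_idx++;
    ASSERT_EQ(path_idx, 4);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 2);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    /* scan 4: item4 completes compile3 */
    const char *keywords1 = "In theory, basic and advanced is common";
    ret = maat_scan_string(maat_inst, keywords_table_id, keywords1, strlen(keywords1),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile3_id);

    memset(hit_path, 0, sizeof(hit_path));
    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 7);

    path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item1_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 1);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 3);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile2_id);

    path_idx++;
    ASSERT_EQ(path_idx, 2);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, -1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    ASSERT_EQ(path_idx, 3);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 3);
    EXPECT_EQ(hit_path[path_idx].item_id, item3_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, ip_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 5);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile3_id);

    path_idx++;
    ASSERT_EQ(path_idx, 4);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 4);
    EXPECT_EQ(hit_path[path_idx].item_id, item4_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 6);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile3_id);

    path_idx++;
    ASSERT_EQ(path_idx, 5);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 3);
    EXPECT_EQ(hit_path[path_idx].item_id, item3_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, ip_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 4);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile2_id);

    path_idx++;
    ASSERT_EQ(path_idx, 6);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 2);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].clause_index, 2);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    maat_state_free(state);
    state = NULL;
}

/*
 * HitPathHasNotGroup: same layout as HitPathBasic, but group1 is attached to
 * compile1 with the sixth group2compile argument set to 1 (the original
 * comments write this relation as "!group1"). The request URL does not contain
 * item1's keyword, and the test expects records for group1 with item_id == -1
 * and NOT_flag == 1.
 *
 *   !(item1 -> group1) ----------> compile1 (HTTP_REQUEST_HEADER)
 *     item1 -> group1 -> group11
 *     item2 -> group2 -> group21 -> compile1 (HTTP_RESPONSE_HEADER)
 *     item3 -> group3   (IP_CONFIG, not referenced by any compile)
 *     item4 -> group4   (KEYWORDS_TABLE, not referenced by any compile)
 */
TEST_F(MaatCmd, HitPathHasNotGroup) {
    const char *g2g_table_name = "GROUP2GROUP";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *http_sig_table_name = "HTTP_SIGNATURE";
    const char *ip_table_name = "IP_CONFIG";
    const char *keywords_table_name = "KEYWORDS_TABLE";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    // Every call below dereferences state; stop here instead of crashing later.
    ASSERT_TRUE(state != NULL);

    /* compile1 */
    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile1_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    // !group1 -> compile1
    long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group1_id, compile1_id, 1,
                                       "HTTP_REQUEST_HEADER", 1, 0);
    EXPECT_EQ(ret, 1);

    // !(item1 -> group1) -> compile1
    long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD,
                              item1_id, group1_id, "math_theory", "URL",
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // group21 -> compile1
    long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group21_id, compile1_id, 0,
                                       "HTTP_RESPONSE_HEADER", 2, 0);
    EXPECT_EQ(ret, 1);

    // group2 -> group21 -> compile1
    long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group21_id, group2_id, 0);
    EXPECT_EQ(ret, 1);

    // item2 -> group2 -> group21 -> compile1
    long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD,
                              item2_id, group2_id, "time=2020-02-12", "Cookie",
                              0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // item1 -> group1 -> group11
    long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group11_id, group1_id, 0);
    EXPECT_EQ(ret, 1);

    // item3 -> group3, group3 is not referenced by any compile.
    long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item3_id,
                            group3_id, "220.181.38.158-220.181.38.159", 0);
    EXPECT_EQ(ret, 1);

    char temp[1024] = {0};
    // item4 -> group4, group4 is not referenced by any compile.
    long long item4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD,
                              item4_id, group4_id,
                              str_escape(temp, sizeof(temp), "a finite and infinite"),
                              NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // Give the instance time to load the rules written above.
    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const char *http_url = "en.wikipedia.org/wiki/Path_(chemistry_theory)";
    const char *http_resp_hdr_cookie =
        "laptop=thinkpad X1 extrem;time=2020-02-12T15:34:00;"
        "main[XWJOKE]=hoho; Hm_lvt_bbac0322e6ee13093f98d5c4b5a10912=1578874808;";

    int http_req_table_id = maat_get_table_id(maat_inst, "HTTP_REQUEST_HEADER");
    ASSERT_GT(http_req_table_id, 0);

    ret = maat_state_set_scan_district(state, http_req_table_id, "URL", strlen("URL"));
    EXPECT_EQ(ret, 0);

    /* scan 1: URL without item1's keyword */
    int Nth_scan = 0;
    Nth_scan++;
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    ret = maat_scan_string(maat_inst, http_req_table_id, http_url, strlen(http_url),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    ret = maat_scan_not_logic(maat_inst, http_req_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    size_t scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 1);

    struct maat_hit_path hit_path[HIT_PATH_SIZE];
    memset(hit_path, 0, sizeof(hit_path));
    // Capacity is passed in elements (HIT_PATH_SIZE), not bytes. sizeof(hit_path)
    // would report a buffer sizeof(struct maat_hit_path) times larger than it is
    // and allow writes past the array. Assumes the third parameter is an element
    // count, as the 128 passed to maat_state_get_last_hit_groups() earlier in
    // this file suggests -- confirm against maat.h.
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 2);

    int path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, -1);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, -1);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 2: response cookie, completes compile1 */
    int http_res_table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER");
    ASSERT_GT(http_res_table_id, 0);

    ret = maat_state_set_scan_district(state, http_res_table_id, "Cookie", strlen("Cookie"));
    EXPECT_EQ(ret, 0);

    Nth_scan++;
    ret = maat_scan_string(maat_inst, http_res_table_id, http_resp_hdr_cookie,
                           strlen(http_resp_hdr_cookie), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);

    ret = maat_scan_not_logic(maat_inst, http_res_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 2);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 4);

    path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1);
    EXPECT_EQ(hit_path[path_idx].item_id, -1);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    ASSERT_EQ(path_idx, 1);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1);
    EXPECT_EQ(hit_path[path_idx].item_id, -1);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 1);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 2);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 0);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id);

    path_idx++;
    ASSERT_EQ(path_idx, 3);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item2_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 0);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    const char *keywords1 = "In math theory, a finite and infinite come up all the time.";
    const char *keywords2 = "a finite and infinite come up again.";

    /* scan 3: first stream chunk on KEYWORDS_TABLE */
    int keywords_table_id = maat_get_table_id(maat_inst, keywords_table_name);
    ASSERT_GT(keywords_table_id, 0);

    struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_id, state);
    ASSERT_TRUE(stream != NULL);
    Nth_scan++;
    ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, keywords_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 3);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 5);

    path_idx++;
    ASSERT_EQ(path_idx, 4);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item4_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 0);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 4: IPv4 address inside item3's range */
    int ip_table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(ip_table_id, 0);

    Nth_scan++;
    uint32_t ip_addr = 0;
    // inet_pton() leaves ip_addr untouched on failure; do not scan a garbage value.
    ASSERT_EQ(inet_pton(AF_INET, "220.181.38.158", &ip_addr), 1);
    ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, ip_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 4);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 6);

    path_idx++;
    ASSERT_EQ(path_idx, 5);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item3_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, ip_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 0);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    /* scan 5: second stream chunk, item4 hits again and adds a new record */
    Nth_scan++;
    ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, keywords_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    scan_times = maat_state_get_scan_count(state);
    EXPECT_EQ(scan_times, 5);

    n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 7);

    path_idx++;
    ASSERT_EQ(path_idx, 6);
    EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan);
    EXPECT_EQ(hit_path[path_idx].item_id, item4_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].vtable_id, keywords_table_id);
    EXPECT_EQ(hit_path[path_idx].NOT_flag, 0);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    maat_stream_free(stream);
    maat_state_free(state);
    state = NULL;
}

/*
 * SameSuperGroupRefByMultiCompile: one super group (group52) is attached to
 * two compiles; a single scan must report both compiles and yield one hit-path
 * record per compile plus one record without a top group.
 *
 *   item5 -> group5 -> group52 -> compile2
 *                              -> compile3
 */
TEST_F(MaatCmd, SameSuperGroupRefByMultiCompile) {
    char temp[1024] = {0};
    int thread_id = 0;
    const char *g2g_table_name = "GROUP2GROUP";
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *http_sig_table_name = "HTTP_SIGNATURE";
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;

    // item5 -> group5
    long long item5_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group5_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    int ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD,
                                  item5_id, group5_id,
                                  str_escape(temp, sizeof(temp),
                                             "same supergroup referenced by multi compile"),
                                  "KEY", 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    // group5 -> group52
    long long group52_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD,
                                     group52_id, group5_id, 0);
    EXPECT_EQ(ret, 1);

    // group52 -> compile2
    long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile2_id, "HTTP_RESPONSE_HEADER", 1, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group52_id, compile2_id, 0,
                                       "HTTP_RESPONSE_HEADER", 0, 0);
    EXPECT_EQ(ret, 1);

    // group52 -> compile3
    long long compile3_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                 compile3_id, "HTTP_RESPONSE_HEADER", 1, 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group52_id, compile3_id, 0,
                                       "HTTP_RESPONSE_HEADER", 0, 0);
    EXPECT_EQ(ret, 1);

    // Give the instance time to load the rules written above.
    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    int http_res_table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER");
    ASSERT_GT(http_res_table_id, 0);

    struct maat_state *state = maat_state_new(maat_inst, thread_id);
    // Every call below dereferences state; stop here instead of crashing later.
    ASSERT_TRUE(state != NULL);
    ret = maat_state_set_scan_district(state, http_res_table_id, "KEY", strlen("KEY"));
    EXPECT_EQ(ret, 0);

    const char *http_res_key_str = "same supergroup referenced by multi compile";
    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    struct maat_hit_path hit_path[HIT_PATH_SIZE];

    ret = maat_scan_string(maat_inst, http_res_table_id, http_res_key_str,
                           strlen(http_res_key_str), results, ARRAY_SIZE,
                           &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 2);
    EXPECT_EQ(results[0], compile3_id);
    EXPECT_EQ(results[1], compile2_id);

    ret = maat_scan_not_logic(maat_inst, http_res_table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    memset(hit_path, 0, sizeof(hit_path));
    // Capacity is passed in elements (HIT_PATH_SIZE), not bytes. sizeof(hit_path)
    // would report a buffer sizeof(struct maat_hit_path) times larger than it is
    // and allow writes past the array. Assumes the third parameter is an element
    // count, as the 128 passed to maat_state_get_last_hit_groups() earlier in
    // this file suggests -- confirm against maat.h.
    int n_read = maat_state_get_hit_paths(state, hit_path, HIT_PATH_SIZE);
    EXPECT_EQ(n_read, 3);

    int path_idx = 0;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item5_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group5_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group52_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile3_id);

    path_idx++;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item5_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group5_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, -1);
    EXPECT_EQ(hit_path[path_idx].compile_id, -1);

    path_idx++;
    EXPECT_EQ(hit_path[path_idx].Nth_scan, 1);
    EXPECT_EQ(hit_path[path_idx].item_id, item5_id);
    EXPECT_EQ(hit_path[path_idx].sub_group_id, group5_id);
    EXPECT_EQ(hit_path[path_idx].top_group_id, group52_id);
    EXPECT_EQ(hit_path[path_idx].compile_id, compile2_id);

    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, SameScanStatusWhenClauseUpdate_TSG6419) { const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char* compile_table_name = "COMPILE_DEFAULT"; const char* ip_table_name = "IP_PLUS_CONFIG"; const char *app_id_table_name = "APP_ID"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst,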
compile_table_name, MAAT_OP_ADD, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); /* item11 -> group11 -> clause1 -> compile1 / item21 -> group21 -> clause2 _/ */ long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group11_id, compile1_id, 0, ip_table_name, 1, 0); EXPECT_EQ(ret, 1); long long item11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item11_id, group11_id, "192.168.2.1-192.168.2.4", 0); EXPECT_EQ(ret, 1); long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group21_id, compile1_id, 0, app_id_table_name, 2, 0); EXPECT_EQ(ret, 1); long long item21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = interval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_ADD, item21_id, group21_id, "31", NULL, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; uint32_t ip_addr; inet_pton(AF_INET, "192.168.2.2", &ip_addr); int table_id = maat_get_table_id(maat_inst, ip_table_name); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); int scan_app_id = 32; table_id = maat_get_table_id(maat_inst, app_id_table_name); ret = maat_scan_integer(maat_inst, table_id, scan_app_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); /* item11 -> group11 -> clause1 -> compile1 / item21 -> group21 -> clause2 _/ item22 -> group22 -> clause3 _/ */ ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, 
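compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 3, 0); EXPECT_EQ(ret, 1); long long group22_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group22_id, compile1_id, 0, app_id_table_name, 3, 0); EXPECT_EQ(ret, 1); long long item22_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = interval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_ADD, item22_id, group22_id, "32", NULL, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); table_id = maat_get_table_id(maat_inst, app_id_table_name); ret = maat_scan_integer(maat_inst, table_id, 31, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_integer(maat_inst, table_id, scan_app_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_state_free(state); state = NULL; }

/*
 * GroupEdit: adding an item to a group, and deleting it again, must change the
 * verdict of a compile that references that group.
 *
 * compile1 has two clauses: clause 1 is fed by group11 (IP_PLUS_CONFIG,
 * 192.168.3.1-192.168.3.4) and clause 2 by group21 (APP_ID, item "41").
 *   phase 1: IP 192.168.3.2 satisfies clause 1 only -> MAAT_SCAN_HALF_HIT;
 *            app id 42 matches nothing -> MAAT_SCAN_OK.
 *   phase 2: item22 ("42") is added to group21 -> scanning 42 hits compile1.
 *   phase 3: item22 is deleted -> the verdicts fall back to those of phase 1.
 */
TEST_F(MaatCmd, GroupEdit) {
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *ip_table_name = "IP_PLUS_CONFIG";
    const char *app_id_table_name = "APP_ID";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile1_id, "null", 2, 0);
    EXPECT_EQ(ret, 1);

    /* item11 -> group11 -> clause1 -> compile1
       item21 -> group21 -> clause2 _/
    */
    long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group11_id, compile1_id, 0, ip_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    long long item11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item11_id,
                            group11_id, "192.168.3.1-192.168.3.4", 0);
    EXPECT_EQ(ret, 1);

    long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group21_id, compile1_id, 0, app_id_table_name, 2, 0);
    EXPECT_EQ(ret, 1);

    long long item21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = interval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_ADD,
                                  item21_id, group21_id, "41", NULL, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    /* Check the conversion like the sibling tests do, so that a failed parse
       cannot leave ip_addr uninitialised for the scans below. */
    uint32_t ip_addr = 0;
    ret = inet_pton(AF_INET, "192.168.3.2", &ip_addr);
    EXPECT_EQ(ret, 1);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;

    /* phase 1 */
    int table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);
    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    table_id = maat_get_table_id(maat_inst, app_id_table_name);
    ASSERT_GT(table_id, 0);
    int scan_app_id = 42;
    ret = maat_scan_integer(maat_inst, table_id, scan_app_id, results, ARRAY_SIZE,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    /* phase 2
       item11 -> group11 -> clause1 -> compile1
       item21 -> group21 -> clause2 _/
       item22 -> /
    */
    char scan_app_id_str[8] = {0};
    snprintf(scan_app_id_str, sizeof(scan_app_id_str), "%d", scan_app_id);
    long long item22_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = interval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_ADD,
                                  item22_id, group21_id, scan_app_id_str, NULL, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);
    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    //TODO: EXPECT_EQ(ret,?)

    table_id = maat_get_table_id(maat_inst, app_id_table_name);
    ASSERT_GT(table_id, 0);
    ret = maat_scan_integer(maat_inst, table_id, scan_app_id, results, ARRAY_SIZE,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], compile1_id);
    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    struct maat_hit_path hit_path[HIT_PATH_SIZE];
    memset(hit_path, 0, sizeof(hit_path));
    /* NOTE(review): the third argument is sizeof(hit_path), i.e. a byte count.
       If maat_state_get_hit_paths() takes the number of array elements
       (HIT_PATH_SIZE here), this overstates the capacity of the buffer --
       confirm against maat.h before relying on it. */
    int n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path));
    EXPECT_EQ(n_read, 2);

    maat_state_reset(state);

    /* phase 3
       item11 -> group11 -> clause1 -> compile1
       item21 -> group21 -> clause2 _/
    */
    ret = interval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_DEL,
                                  item22_id, group21_id, scan_app_id_str, NULL, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S);

    memset(results, 0, sizeof(results));
    /* The table-id lookups of this phase are asserted like the earlier ones. */
    table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);
    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);
    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    table_id = maat_get_table_id(maat_inst, app_id_table_name);
    ASSERT_GT(table_id, 0);
    ret = maat_scan_integer(maat_inst, table_id, scan_app_id, results, ARRAY_SIZE,
                            &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);
    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, CompileDelete_TSG6548) { const char* g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char* compile_table_name = "COMPILE_DEFAULT"; const char*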
ip_table_name = "IP_PLUS_CONFIG"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); //item11 -> group11 -> clause1 -> compile1 long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group11_id, compile1_id, 0, ip_table_name, 1, 0); EXPECT_EQ(ret, 1); long long item11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item11_id, group11_id, "192.168.73.163-192.168.73.180", 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); uint32_t ip_addr; inet_pton(AF_INET, "192.168.73.169", &ip_addr); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_DEL, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_DEL, group11_id, compile1_id, 0, ip_table_name, 1, 0); EXPECT_EQ(ret, 1); int hit_cnt = 0; int miss_cnt = 0; time_t update_time = time(NULL); time_t now = update_time; while (now - update_time < 3) { ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); if (ret == MAAT_SCAN_HIT) { hit_cnt++; EXPECT_EQ(results[0], compile1_id); } if (ret == MAAT_SCAN_HALF_HIT) { miss_cnt++; } 
now = time(NULL); } //scan hit for at most 1 second (rule updating latency), miss for at least 2 seconds.
EXPECT_LE(hit_cnt, miss_cnt); maat_state_free(state); }

/*
 * UpdateDeadLockDetection: keeps using a maat_state that was created before a
 * forced full update and checks that scanning still returns.
 *
 * Rule 1 (item "part-1") is loaded and hit first. Rule 2 (item "part-2") is then
 * written and MAAT_VERSION is rolled back by 100, which triggers a full update.
 * With the pre-update state the scan of the "part-2" payload only reports
 * MAAT_SCAN_HALF_HIT: clause ids are re-organised by the full update, so the
 * old state is not compatible with the new scanner.
 */
TEST_F(MaatCmd, UpdateDeadLockDetection) {
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    const int worker_id = 0;
    const char *compile_tbl = "COMPILE_DEFAULT";
    const char *g2c_tbl = "GROUP2COMPILE_DEFAULT";
    const char *url_tbl = "HTTP_URL";
    const char *payload_part1 = "scan string part-1.";
    const char *payload_part2 = "scan string part-2.";
    long long hit_ids[ARRAY_SIZE] = {0};
    size_t hit_count = 0;

    struct maat_state *state = maat_state_new(maat_inst, worker_id);

    /* Rule 1: item1 ("part-1") -> group1 -> compile1 */
    const long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int rc = compile_table_set_line(maat_inst, compile_tbl, MAAT_OP_ADD,
                                    compile1_id, "null", 1, 0);
    EXPECT_EQ(rc, 1);

    const long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    rc = group2compile_table_set_line(maat_inst, g2c_tbl, MAAT_OP_ADD, group1_id,
                                      compile1_id, 0, url_tbl, 0, 0);
    EXPECT_EQ(rc, 1);

    const long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    /* EXPR_TYPE_STRING, MATCH_METHOD_SUB */
    rc = expr_table_set_line(maat_inst, url_tbl, MAAT_OP_ADD, item1_id, group1_id,
                             "part-1", NULL, 0, 0, 0, 0);
    EXPECT_EQ(rc, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const int url_table_id = maat_get_table_id(maat_inst, url_tbl);
    ASSERT_GT(url_table_id, 0);

    rc = maat_scan_string(maat_inst, url_table_id, payload_part1, strlen(payload_part1),
                          hit_ids, ARRAY_SIZE, &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_HIT);
    EXPECT_EQ(hit_count, 1);
    EXPECT_EQ(hit_ids[0], compile1_id);
    rc = maat_scan_not_logic(maat_inst, url_table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    /* Rule 2: item2 ("part-2") -> group2 -> compile2 */
    const long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    rc = compile_table_set_line(maat_inst, compile_tbl, MAAT_OP_ADD,
                                compile2_id, "null", 1, 0);
    EXPECT_EQ(rc, 1);

    const long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    rc = group2compile_table_set_line(maat_inst, g2c_tbl, MAAT_OP_ADD, group2_id,
                                      compile2_id, 0, url_tbl, 0, 0);
    EXPECT_EQ(rc, 1);

    const long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    /* EXPR_TYPE_STRING, MATCH_METHOD_SUB */
    rc = expr_table_set_line(maat_inst, url_tbl, MAAT_OP_ADD, item2_id, group2_id,
                             "part-2", NULL, 0, 0, 0, 0);
    EXPECT_EQ(rc, 1);

    /* DON'T DO THIS outside a test: rolling the version back triggers a full
       update and produces FATAL entries in test_maat_redis.log.yyyy-mm-dd. */
    maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100);

    /* Wait until the garbage-collection delay of the old scanner has expired. */
    sleep(10);

    memset(hit_ids, 0, sizeof(hit_ids));
    rc = maat_scan_string(maat_inst, url_table_id, payload_part2, strlen(payload_part2),
                          hit_ids, ARRAY_SIZE, &hit_count, state);
    /* The state predates the full update, so the match is reported as a half
       hit only. */
    EXPECT_EQ(rc, MAAT_SCAN_HALF_HIT);
    rc = maat_scan_not_logic(maat_inst, url_table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, StreamScanWhenExprTableIncUpdate) { const char* g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char* compile_table_name = "COMPILE_DEFAULT"; const char* scan_table_name = "KEYWORDS_TABLE"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 1, 0); EXPECT_EQ(ret, 1); //group1 -> compile1
long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, scan_table_name, 0, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S); const char *scan_data = "Here is a stream-keywords-001-inc-update, this should hit."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int table_id = maat_get_table_id(maat_inst, scan_table_name); ASSERT_GT(table_id, 0); struct maat_stream *stream = maat_stream_new(maat_inst, table_id, state); ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //item1 -> group1 -> compile1
long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, scan_table_name, MAAT_OP_ADD, item1_id, group1_id, "stream-keywords-001-inc-update", NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); /* maat_stream store expr_runtime version when maat_stream_new().
Add new expr_item has changed expr_runtime version which has been sensed by maat_stream_scan. */ ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_stream_free(stream); stream = maat_stream_new(maat_inst, table_id, state); ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_stream_free(stream); maat_state_free(state); state = NULL; }

/*
 * StreamScanSegfaultWhenVersionRollBack_TSG6324: a maat_stream opened before a
 * version rollback must stay usable after the full update that follows.
 *
 * The stream hits compile1 first. MAAT_VERSION is then rolled back by 100 and,
 * after the wait, the same stream is scanned again with the same data: the
 * expected verdict is MAAT_SCAN_OK, i.e. the scan is cut short rather than
 * served from the replaced runtime (presumably the crash named in the test
 * title -- confirm against the ticket).
 */
TEST_F(MaatCmd, StreamScanSegfaultWhenVersionRollBack_TSG6324) {
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    const int worker_id = 0;
    const char *compile_tbl = "COMPILE_DEFAULT";
    const char *g2c_tbl = "GROUP2COMPILE_DEFAULT";
    const char *keyword_tbl = "KEYWORDS_TABLE";
    const char *payload = "Here is a stream-keywords-002, this should hit.";
    long long hit_ids[ARRAY_SIZE] = {0};
    size_t hit_count = 0;

    struct maat_state *state = maat_state_new(maat_inst, worker_id);

    /* item1 ("stream-keywords-002") -> group1 -> compile1 */
    const long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int rc = compile_table_set_line(maat_inst, compile_tbl, MAAT_OP_ADD,
                                    compile1_id, "null", 1, 0);
    EXPECT_EQ(rc, 1);

    const long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    rc = group2compile_table_set_line(maat_inst, g2c_tbl, MAAT_OP_ADD, group1_id,
                                      compile1_id, 0, keyword_tbl, 0, 0);
    EXPECT_EQ(rc, 1);

    const long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    /* EXPR_TYPE_STRING, MATCH_METHOD_SUB */
    rc = expr_table_set_line(maat_inst, keyword_tbl, MAAT_OP_ADD, item1_id, group1_id,
                             "stream-keywords-002", NULL, 0, 0, 0, 0);
    EXPECT_EQ(rc, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    const int keyword_table_id = maat_get_table_id(maat_inst, keyword_tbl);
    ASSERT_GT(keyword_table_id, 0);

    struct maat_stream *stream = maat_stream_new(maat_inst, keyword_table_id, state);
    rc = maat_stream_scan(stream, payload, strlen(payload), hit_ids, ARRAY_SIZE,
                          &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_HIT);
    EXPECT_EQ(hit_count, 1);
    EXPECT_EQ(hit_ids[0], compile1_id);
    rc = maat_scan_not_logic(maat_inst, keyword_table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    /* DON'T DO THIS outside a test: rolling the version back triggers a full
       update and produces FATAL entries in test_maat_redis.log.yyyy-mm-dd, e.g.
       "Add group 22 vt_id 0 to clause 2 of compile 979 failed, group is already existed". */
    maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100);

    /* Wait until the garbage-collection delay of the old scanner has expired. */
    sleep(10);

    rc = maat_stream_scan(stream, payload, strlen(payload), hit_ids, ARRAY_SIZE,
                          &hit_count, state);
    /* The scan is interrupted after the full update, so nothing is reported. */
    EXPECT_EQ(rc, MAAT_SCAN_OK);
    rc = maat_scan_not_logic(maat_inst, keyword_table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    maat_stream_free(stream);
    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, IPAndStreamScanWhenIncUpdate) { const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *expr_table_name = "KEYWORDS_TABLE"; const char *ip_table_name = "IP_PLUS_CONFIG"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); //group1 -> compile1
long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, expr_table_name, 0, 0); EXPECT_EQ(ret, 1); //item1 -> group1 -> compile1
long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, expr_table_name, MAAT_OP_ADD, item1_id, group1_id, "stream-keywords-003", NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / item2 -> group2 --/ */ long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item2_id, group2_id, "100.100.100.1", 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile1_id, 0, ip_table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; char ip_str[32] = "100.100.100.1"; uint32_t ip_addr; ret = inet_pton(AF_INET, ip_str, &ip_addr); EXPECT_EQ(ret, 1); int table_id =
maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //add compile2 for compile runtime inc update
long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile2_id, "null", 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); const char *scan_data = "Here is a stream-keywords-003, this should hit."; table_id = maat_get_table_id(maat_inst, expr_table_name); ASSERT_GT(table_id, 0); struct maat_stream *stream = maat_stream_new(maat_inst, table_id, state); ret = maat_stream_scan(stream, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); /* becase compile1_id has been returned, maat_scan_xx will not return duplicate compile_id again */ table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); maat_stream_free(stream); maat_state_free(state); state = NULL; }

/*
 * IPAndStreamScanWhenFullUpdate: a maat_state that spans a full update never
 * completes a compile, even when both of its conditions are scanned.
 *
 * compile1 is fed by group1 (KEYWORDS_TABLE, "stream-keywords-004") and by
 * group2 (IP_PLUS_CONFIG, 100.100.100.2). The IP is scanned before the rollback
 * and yields MAAT_SCAN_HALF_HIT. After MAAT_VERSION is rolled back by 100, the
 * keyword stream scan and the repeated IP scan both still yield
 * MAAT_SCAN_HALF_HIT: the state keeps the compile runtime version it saw in
 * maat_state_new(), which no longer matches the rebuilt runtime.
 */
TEST_F(MaatCmd, IPAndStreamScanWhenFullUpdate) {
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    const int worker_id = 0;
    const char *compile_tbl = "COMPILE_DEFAULT";
    const char *g2c_tbl = "GROUP2COMPILE_DEFAULT";
    const char *ip_tbl = "IP_PLUS_CONFIG";
    const char *keyword_tbl = "KEYWORDS_TABLE";
    const char *payload = "Here is a stream-keywords-004, this should hit.";
    char ip_text[32] = "100.100.100.2";
    long long hit_ids[ARRAY_SIZE] = {0};
    size_t hit_count = 0;

    struct maat_state *state = maat_state_new(maat_inst, worker_id);

    const long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int rc = compile_table_set_line(maat_inst, compile_tbl, MAAT_OP_ADD,
                                    compile1_id, "null", 1, 0);
    EXPECT_EQ(rc, 1);

    /* item1 ("stream-keywords-004") -> group1 -> compile1 */
    const long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    rc = group2compile_table_set_line(maat_inst, g2c_tbl, MAAT_OP_ADD, group1_id,
                                      compile1_id, 0, keyword_tbl, 0, 0);
    EXPECT_EQ(rc, 1);

    const long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    /* EXPR_TYPE_STRING, MATCH_METHOD_SUB */
    rc = expr_table_set_line(maat_inst, keyword_tbl, MAAT_OP_ADD, item1_id, group1_id,
                             "stream-keywords-004", NULL, 0, 0, 0, 0);
    EXPECT_EQ(rc, 1);

    /* item1 -> group1 -> compile1
                           /
       item2 -> group2 --/
    */
    const long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    const long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    rc = ip_table_set_line(maat_inst, ip_tbl, MAAT_OP_ADD, item2_id, group2_id,
                           "100.100.100.2", 0);
    EXPECT_EQ(rc, 1);
    rc = group2compile_table_set_line(maat_inst, g2c_tbl, MAAT_OP_ADD, group2_id,
                                      compile1_id, 0, ip_tbl, 1, 0);
    EXPECT_EQ(rc, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    uint32_t ip_addr;
    rc = inet_pton(AF_INET, ip_text, &ip_addr);
    EXPECT_EQ(rc, 1);

    /* Before the rollback: only the IP condition of compile1 is met. */
    int table_id = maat_get_table_id(maat_inst, ip_tbl);
    ASSERT_GT(table_id, 0);
    rc = maat_scan_ipv4(maat_inst, table_id, ip_addr, hit_ids, ARRAY_SIZE,
                        &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_HALF_HIT);
    rc = maat_scan_not_logic(maat_inst, table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    /* DON'T DO THIS outside a test: rolling the version back triggers a full
       update. */
    maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100);

    /* Wait until the garbage-collection delay of the old scanner has expired. */
    sleep(10);

    table_id = maat_get_table_id(maat_inst, keyword_tbl);
    ASSERT_GT(table_id, 0);

    struct maat_stream *stream = maat_stream_new(maat_inst, table_id, state);
    rc = maat_stream_scan(stream, payload, strlen(payload), hit_ids, ARRAY_SIZE,
                          &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_HALF_HIT);
    rc = maat_scan_not_logic(maat_inst, table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    /* maat_state keeps the compile_rt version taken in maat_state_new(). After
       the full update the new compile_rt version differs from it, so
       MAAT_SCAN_HIT can no longer happen with this state. */
    table_id = maat_get_table_id(maat_inst, ip_tbl);
    ASSERT_GT(table_id, 0);
    rc = maat_scan_ipv4(maat_inst, table_id, ip_addr, hit_ids, ARRAY_SIZE,
                        &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_HALF_HIT);
    rc = maat_scan_not_logic(maat_inst, table_id, hit_ids, ARRAY_SIZE,
                             &hit_count, state);
    EXPECT_EQ(rc, MAAT_SCAN_OK);

    maat_stream_free(stream);
    maat_state_free(state);
    state = NULL;
}

TEST_F(MaatCmd, IPAndStringScanWhenIncUpdate) { const char *g2c_table_name = "GROUP2COMPILE_DEFAULT"; const char *compile_table_name = "COMPILE_DEFAULT"; const char *expr_table_name = "HTTP_URL"; const char *ip_table_name = "IP_PLUS_CONFIG"; const char *keywords = "IP&stringinc"; int thread_id = 0; struct maat *maat_inst = MaatCmd::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, "null", 2, 0); EXPECT_EQ(ret, 1); //group1 -> compile1
long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, compile1_id, 0, expr_table_name, 0, 0); EXPECT_EQ(ret, 1); //item1 -> group1 -> compile1
long long item1_id =
maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); ret = expr_table_set_line(maat_inst, expr_table_name, MAAT_OP_ADD, item1_id, group1_id, keywords, NULL, 1, 0, 0, 0); /*EXPR_TYPE_AND MATCH_METHOD_SUB*/ EXPECT_EQ(ret, 1); /* item1 -> group1 -> compile1 / item2 -> group2 --/ */ long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item2_id, group2_id, "100.100.100.1", 0); EXPECT_EQ(ret, 1); ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group2_id, compile1_id, 0, ip_table_name, 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; char ip_str[32] = "100.100.100.1"; uint32_t ip_addr; ret = inet_pton(AF_INET, ip_str, &ip_addr); EXPECT_EQ(ret, 1); int table_id = maat_get_table_id(maat_inst, ip_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); //add compile2 for compile runtime inc update long long compile2_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile2_id, "null", 1, 0); EXPECT_EQ(ret, 1); sleep(WAIT_FOR_EFFECTIVE_S * 2); const char *scan_data = "Here is a IP and stringinc, this should hit."; table_id = maat_get_table_id(maat_inst, expr_table_name); ASSERT_GT(table_id, 0); ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], compile1_id); ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_OK); /* becase 
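compile1_id has been returned, maat_scan_xx will not return duplicate compile_id again */
    table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);

    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Builds one compile rule that needs both an HTTP_URL keyword group and an
 * IP_PLUS_CONFIG address group, forces a full update by rolling MAAT_VERSION
 * back, and checks that a maat_state created before the full update only
 * ever reports MAAT_SCAN_HALF_HIT afterwards.
 */
TEST_F(MaatCmd, IPAndStringScanWhenFullupdate) {
    const char *g2c_table_name = "GROUP2COMPILE_DEFAULT";
    const char *compile_table_name = "COMPILE_DEFAULT";
    const char *ip_table_name = "IP_PLUS_CONFIG";
    const char *expr_table_name = "HTTP_URL";
    const char *keywords = "IP&string";
    int thread_id = 0;
    struct maat *maat_inst = MaatCmd::_shared_maat_inst;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1);
    int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD,
                                     compile1_id, "null", 1, 0);
    EXPECT_EQ(ret, 1);

    //group1 -> compile1
    long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group1_id, compile1_id, 0, expr_table_name, 0, 0);
    EXPECT_EQ(ret, 1);

    //item1 -> group1 -> compile1
    long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    ret = expr_table_set_line(maat_inst, expr_table_name, MAAT_OP_ADD, item1_id,
                              group1_id, keywords, "null", 1, 0, 0, 0); /*EXPR_TYPE_AND MATCH_METHOD_SUB*/
    EXPECT_EQ(ret, 1);

    /* item1 -> group1 -> compile1
                          /
       item2 -> group2 --/
    */
    long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1);
    long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1);
    ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item2_id,
                            group2_id, "100.100.100.3", 0);
    EXPECT_EQ(ret, 1);

    ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD,
                                       group2_id, compile1_id, 0, ip_table_name, 1, 0);
    EXPECT_EQ(ret, 1);

    sleep(WAIT_FOR_EFFECTIVE_S * 2);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    char ip_str[32] = "100.100.100.3";
    /* Zero-initialised so the scan below never reads an indeterminate value
       if inet_pton() fails (EXPECT_EQ does not stop the test). */
    uint32_t ip_addr = 0;
    ret = inet_pton(AF_INET, ip_str, &ip_addr);
    EXPECT_EQ(ret, 1);

    int table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);

    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    //DON'T DO THIS!!!
    //Roll back version, trigger full update.
    //(Test-only: lowering MAAT_VERSION by hand is how this test provokes the full update.)
    maat_cmd_incrby(maat_inst, "MAAT_VERSION", -100);

    //Waiting for scanner garbage collect expiration.
    sleep(10);

    const char *scan_data = "scan IP and string, this should hit.";
    table_id = maat_get_table_id(maat_inst, expr_table_name);
    ASSERT_GT(table_id, 0);

    ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    /* maat_state keep the compile_rt version when maat_state_new().
       After full updating, new compile_rt version is different from that of maat_state,
       so MAAT_SCAN_HIT will never happen.
    */
    table_id = maat_get_table_id(maat_inst, ip_table_name);
    ASSERT_GT(table_id, 0);

    ret = maat_scan_ipv4(maat_inst, table_id, ip_addr, results, ARRAY_SIZE,
                         &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/*
 * Fixture for the rollback tests: loads g_json_filename into Redis and creates
 * one maat instance, backed by that Redis database, shared by every test.
 *
 * The endpoint is hard-coded to 127.0.0.1:6379, db 0, and the tests below issue
 * FLUSHDB against it, so this suite must only run against a disposable Redis
 * instance that holds nothing else.
 */
class MaatRollback : public testing::Test
{
protected:
    static void SetUpTestCase() {
        const char *accept_tags = "{\"tags\":[{\"tag\":\"location\",\"value\":\"北京/朝阳/华严北里/甲22号\"},"
            "{\"tag\":\"isp\",\"value\":\"移动\"},{\"tag\":\"location\",\"value\":\"Astana\"}]}";
        char redis_ip[64] = "127.0.0.1";
        int redis_port = 6379;
        int redis_db = 0;

        logger = log_handle_create("./maat_framework_gtest.log", 0);
        int ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
        if (ret < 0) {
            /* NOTE(review): setup continues after this failure; the tests then
               run against whatever the database already contains. */
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] write config to redis failed.", __FUNCTION__, __LINE__);
        }

        struct maat_options *opts = maat_options_new();
        maat_options_set_redis(opts, redis_ip, redis_port, redis_db);
        maat_options_set_stat_file(opts, "./stat.log");
        maat_options_set_perf_on(opts);
        maat_options_set_logger(opts, "./maat_framework_gtest.log", LOG_LEVEL_INFO);
        maat_options_set_accept_tags(opts, accept_tags);

        _shared_maat_inst = maat_new(opts, g_table_info_path);
        maat_options_free(opts);
        if (NULL == _shared_maat_inst) {
            /* NOTE(review): only logged; tests still start with a NULL instance. */
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] create maat instance in MaatRollback failed.",
                      __FUNCTION__, __LINE__);
        }
    }

    static void TearDownTestCase() {
        maat_free(_shared_maat_inst);
        log_handle_destroy(logger);
    }

    static struct log_handle *logger;      /* shared log handle for the fixture */
    static struct maat *_shared_maat_inst; /* maat instance shared by all tests */
};

struct maat *MaatRollback::_shared_maat_inst;
struct log_handle *MaatRollback::logger;

/*
 * Empties the Redis database selected on `c` and re-seeds the bookkeeping keys.
 *
 * Reads the current MAAT_VERSION, then inside one MULTI/EXEC transaction runs
 * FLUSHDB, writes MAAT_VERSION and MAAT_PRE_VER back with the value just read,
 * and sets the keys named by mr_region_id_var and mr_group_id_var to 1.
 *
 * FLUSHDB deletes every key in the selected database, not only maat's keys.
 *
 * Returns 0 when every queued command was answered without a nil or error
 * reply, -1 otherwise (including a NULL context or a failed read).
 */
static int clear_config_in_redis(redisContext *c, struct log_handle *logger)
{
    if (NULL == c) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] redis context is NULL", __FUNCTION__, __LINE__);
        return -1;
    }

    redisReply *reply = maat_wrap_redis_command(c, logger, "GET MAAT_VERSION");
    if (NULL == reply) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] GET MAAT_VERSION failed with NULL reply, error: %s",
                  __FUNCTION__, __LINE__, c->errstr);
        return -1;
    }

    if (reply->type == REDIS_REPLY_NIL || reply->type == REDIS_REPLY_ERROR) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] GET MAAT_VERSION failed, maybe Redis is busy",
                  __FUNCTION__, __LINE__);
        freeReplyObject(reply);
        reply = NULL;
        return -1;
    }

    long long redis_version = maat_read_redis_integer(reply);
    freeReplyObject(reply);
    reply = NULL;
    if (redis_version < 0) {
        /* Error replies were rejected above, so a negative value here means
           the stored version itself could not be used. */
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] GET MAAT_VERSION returned invalid version %lld",
                  __FUNCTION__, __LINE__, redis_version);
        return -1;
    }

    reply = maat_wrap_redis_command(c, logger, "MULTI");
    if (NULL == reply) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] MULTI failed with NULL reply, error: %s",
                  __FUNCTION__, __LINE__, c->errstr);
        return -1;
    }
    if (reply->type == REDIS_REPLY_ERROR) {
        /* Without an open transaction the FLUSHDB below would run on its own. */
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] MULTI failed, Redis replied: %s",
                  __FUNCTION__, __LINE__, reply->str);
        freeReplyObject(reply);
        reply = NULL;
        return -1;
    }
    freeReplyObject(reply);
    reply = NULL;

    int append_cmd_cnt = 0;
    redisAppendCommand(c, "FLUSHDB");
    append_cmd_cnt++;
    redisAppendCommand(c, "SET MAAT_VERSION %lld", redis_version);
    append_cmd_cnt++;
    redisAppendCommand(c, "SET MAAT_PRE_VER %lld", redis_version);
    append_cmd_cnt++;
    redisAppendCommand(c, "SET %s 1", mr_region_id_var);
    append_cmd_cnt++;
    redisAppendCommand(c, "SET %s 1", mr_group_id_var);
    append_cmd_cnt++;
    redisAppendCommand(c, "EXEC");
    append_cmd_cnt++;

    int redis_transaction_success = 1;
    for (int i = 0; i < append_cmd_cnt; i++) {
        reply = NULL;
        int ret = maat_wrap_redis_get_reply(c, &reply);
        if (ret != REDIS_OK || NULL == reply) {
            /* A failed read is a failed transaction, not a silent success;
               stop here instead of reading further from a broken context. */
            log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                      "[%s:%d] reading transaction reply failed, error: %s",
                      __FUNCTION__, __LINE__, c->errstr);
            redis_transaction_success = 0;
            break;
        }

        /* A nil reply (aborted EXEC) or an error reply (rejected command)
           both mean the database was not reset as requested. */
        if (reply->type == REDIS_REPLY_NIL || reply->type == REDIS_REPLY_ERROR) {
            redis_transaction_success = 0;
        }
        freeReplyObject(reply);
        reply = NULL;
    }

    if (0 == redis_transaction_success) {
        return -1;
    }

    return 0;
}

/*
 * Sets MAAT_VERSION to 0 on the Redis connection `c`.
 *
 * Returns 0 on success, -1 when the context is NULL, no reply was received,
 * or Redis answered with an error reply.
 */
static int rollback_redis_version(redisContext *c, struct log_handle *logger)
{
    if (NULL == c) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] redis context is NULL", __FUNCTION__, __LINE__);
        return -1;
    }

    redisReply *reply = maat_wrap_redis_command(c, logger, "SET MAAT_VERSION 0");
    if (NULL == reply) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] set MAAT_VERSION failed, "
                  "Redis Communication error: %s", __FUNCTION__, __LINE__, c->errstr);
        return -1;
    }

    int ret = 0;
    if (reply->type == REDIS_REPLY_ERROR) {
        log_fatal(logger, MODULE_FRAMEWORK_GTEST,
                  "[%s:%d] set MAAT_VERSION failed, "
                  "Redis Communication error: %s", __FUNCTION__, __LINE__, reply->str);
        ret = -1;
    }

    freeReplyObject(reply);
    reply = NULL;

    return ret;
}

/*
 * Shared body of the two MaatRollback tests, which were written as identical
 * statement sequences.
 *
 * Scans a URL that must hit compile id 125, resets the scan state, wipes and
 * reloads the Redis configuration, sets MAAT_VERSION back to 0, and then
 * checks that the same scan on the same maat_state still hits compile id 125.
 */
static void run_full_config_rollback_check(struct maat *maat_inst, struct log_handle *logger)
{
    const char *table_name = "HTTP_URL";

    int table_id = maat_get_table_id(maat_inst, table_name);
    ASSERT_GT(table_id, 0);

    long long results[ARRAY_SIZE] = {0};
    size_t n_hit_result = 0;
    int thread_id = 0;
    struct maat_state *state = maat_state_new(maat_inst, thread_id);

    const char *scan_data = "http://www.cyberessays.com/search_results.php?"
                            "action=search&query=username,abckkk,1234567";
    int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                               results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_reset(state);

    sleep(5);

    /* Same endpoint the fixture loaded; clear_config_in_redis() flushes it. */
    char redis_ip[64] = "127.0.0.1";
    int redis_port = 6379;
    int redis_db = 0;

    redisContext *c = maat_connect_redis(redis_ip, redis_port, redis_db, logger);
    if (NULL == c) {
        /* Stop here: the helpers below read c->errstr on their error paths. */
        maat_state_free(state);
        state = NULL;
        FAIL() << "maat_connect_redis returned NULL";
    }

    ret = clear_config_in_redis(c, logger);
    EXPECT_EQ(ret, 0);

    ret = write_json_to_redis(g_json_filename, redis_ip, redis_port, redis_db, logger);
    EXPECT_EQ(ret, 0);

    ret = rollback_redis_version(c, logger);
    EXPECT_EQ(ret, 0);

    redisFree(c);

    sleep(WAIT_FOR_EFFECTIVE_S);

    ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data),
                           results, ARRAY_SIZE, &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_HIT);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 125);

    ret = maat_scan_not_logic(maat_inst, table_id, results, ARRAY_SIZE,
                              &n_hit_result, state);
    EXPECT_EQ(ret, MAAT_SCAN_OK);

    maat_state_free(state);
    state = NULL;
}

/* Scan, roll the whole configuration back through Redis, scan again. */
TEST_F(MaatRollback, FullConfigRollback) {
    run_full_config_rollback_check(MaatRollback::_shared_maat_inst, MaatRollback::logger);
}

/* Runs the same sequence as FullConfigRollback on the shared instance. */
TEST_F(MaatRollback, FullConfigRollbackWhenScanUnfinished) {
    run_full_config_rollback_check(MaatRollback::_shared_maat_inst, MaatRollback::logger);
}

/* Test entry point: hands the command line to GoogleTest and runs every test. */
int main(int argc, char ** argv)
{
    ::testing::InitGoogleTest(&argc, argv);
    return RUN_ALL_TESTS();
}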