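// NOTE(review): the angle-bracket include target was lost when this page was
// extracted (a bare "#include" remained); TEST()/EXPECT_* below need the
// GoogleTest header, so that is what is restored here. Confirm against the repo.
#include <gtest/gtest.h>
#include "log/log.h"
#include "adapter_hs.h"
#include "maat_utils.h"
#include "cJSON/cJSON.h"

struct log_handle *g_logger = NULL;

/**
 * Map the "match_method" string of a rule file to its match-mode enum.
 *
 * Unknown strings trip assert(0); in a build without assertions they yield
 * EXPR_MATCH_MODE_INVALID.
 */
enum expr_match_mode match_method_to_match_mode(const char *method)
{
    if (strcmp(method, "sub") == 0) {
        return EXPR_MATCH_MODE_SUB;
    }
    if (strcmp(method, "exactly") == 0) {
        return EXPR_MATCH_MODE_EXACTLY;
    }
    if (strcmp(method, "prefix") == 0) {
        return EXPR_MATCH_MODE_PREFIX;
    }
    if (strcmp(method, "suffix") == 0) {
        return EXPR_MATCH_MODE_SUFFIX;
    }

    assert(0);
    return EXPR_MATCH_MODE_INVALID;
}

/**
 * Map the "case_sensitive" string ("yes"/"no") of a rule file to its enum.
 *
 * Unknown strings trip assert(0); in a build without assertions they fall back
 * to EXPR_CASE_SENSITIVE.
 */
enum expr_case_sensitive case_sensitive_str_to_enum(const char *str)
{
    if (strcmp(str, "yes") == 0) {
        return EXPR_CASE_SENSITIVE;
    }
    if (strcmp(str, "no") == 0) {
        return EXPR_CASE_INSENSITIVE;
    }

    assert(0);
    return EXPR_CASE_SENSITIVE;
}

/** Return 1 when the "is_hexbin" string is exactly "yes", 0 for anything else. */
static int is_hexbin_str_to_int(const char *str)
{
    return (strcmp(str, "yes") == 0) ? 1 : 0;
}

/**
 * Convert one hexadecimal digit (either case) to its value 0..15.
 *
 * Returns -1 for any character that is not a hex digit, so callers can reject
 * malformed input instead of computing with a garbage nibble.
 */
static int convertHextoint(char srctmp)
{
    // <cctype> classifiers are undefined for negative values, so go through
    // unsigned char before calling them.
    const unsigned char c = (unsigned char)srctmp;

    if (isdigit(c)) {
        return c - '0';
    }
    if (isxdigit(c)) {
        return toupper(c) - 'A' + 10;
    }
    return -1;
}

/**
 * Decode a hex string into raw bytes.
 *
 * @param hex      hex digits, two per output byte
 * @param hex_len  number of characters of hex to consider
 * @param binary   output buffer; must have room for size + 1 bytes because a
 *                 terminating NUL is written after the decoded data
 * @param size     maximum number of decoded bytes to produce
 * @return number of bytes decoded (the terminating NUL is not counted)
 *
 * Decoding stops at the first pair that contains a non-hex character, and a
 * trailing unpaired nibble is ignored; hex[i + 1] is never read at or beyond
 * hex_len.
 */
static size_t hex2bin(char *hex, int hex_len, char *binary, size_t size)
{
    size_t resultlen = 0;

    for (int i = 0; i + 1 < hex_len && resultlen < size; i += 2, resultlen++) {
        const int high = convertHextoint(hex[i]);
        const int low = convertHextoint(hex[i + 1]);
        if (high < 0 || low < 0) {
            break;
        }
        binary[resultlen] = (char)(high * 16 + low);
    }

    binary[resultlen] = '\0';
    return resultlen;
}

/**
 * Map the "pattern_type" string ("regex"/"literal") of a rule file to its enum.
 *
 * Unknown strings trip assert(0); in a build without assertions they fall back
 * to EXPR_PATTERN_TYPE_STR.
 */
enum expr_pattern_type pattern_type_str_to_enum(const char *str)
{
    if (strcmp(str, "regex") == 0) {
        return EXPR_PATTERN_TYPE_REG;
    }
    if (strcmp(str, "literal") == 0) {
        return EXPR_PATTERN_TYPE_STR;
    }

    assert(0);
    return EXPR_PATTERN_TYPE_STR;
}

// Element count of a fixed-size array member. Deliberately only accepts real
// arrays: if the argument were a pointer this fails to compile rather than
// silently yielding a wrong capacity.
template <typename T, size_t N>
static constexpr size_t fixed_array_len(T (&)[N])
{
    return N;
}

/**
 * Load a JSON rule file and fill exprs[] from its "expr_rules" array.
 *
 * @param filename  path of the JSON file
 * @param exprs     caller-provided rule array to fill
 * @param n_expr    set to the number of rules parsed, on success only
 * @return the (non-negative) result of load_file_to_memory on success, -1 on
 *         any load or parse failure
 *
 * Each pattern's text is copied into a buffer allocated with ALLOC(); the
 * caller releases those buffers with expr_array_free().
 *
 * NOTE(review): the capacity of exprs[] is not passed in, so the number of
 * rules in the file cannot be checked against it here; every caller visible in
 * this file passes a 64-element array. Confirm rule files stay within that.
 * NOTE(review): on failure *n_expr is left untouched, so pattern buffers
 * allocated before the failure are not reachable through
 * expr_array_free(rules, n_rule) in callers that start with n_rule = 0.
 */
static int parse_config_file(const char *filename, struct expr_rule exprs[], size_t *n_expr)
{
    unsigned char *json_buff = NULL;
    size_t json_buff_size = 0;

    int ret = load_file_to_memory(filename, &json_buff, &json_buff_size);
    if (ret < 0) {
        printf("load file:%s to memory failed.\n", filename);
        return -1;
    }

    size_t rule_cnt = 0;
    cJSON *rules_obj = NULL;
    // NOTE(review): cJSON_Parse reads up to a NUL terminator; whether
    // load_file_to_memory appends one is not visible here - confirm.
    cJSON *root = cJSON_Parse((const char *)json_buff);
    if (NULL == root) {
        printf("Error before: %-200.200s\n", cJSON_GetErrorPtr());
        ret = -1;
        goto next;
    }

    rules_obj = cJSON_GetObjectItem(root, "expr_rules");
    if (NULL == rules_obj || rules_obj->type != cJSON_Array) {
        // The document parsed fine, so cJSON_GetErrorPtr() has nothing
        // meaningful to report for a missing key; say what is wrong instead.
        printf("json has no expr_rules array.\n");
        ret = -1;
        goto next;
    }

    rule_cnt = cJSON_GetArraySize(rules_obj);
    for (size_t i = 0; i < rule_cnt; i++) {
        cJSON *expr_obj = cJSON_GetArrayItem(rules_obj, i);

        cJSON *tmp_item = cJSON_GetObjectItem(expr_obj, "expr_id");
        if (tmp_item != NULL && tmp_item->type == cJSON_Number) {
            exprs[i].expr_id = tmp_item->valueint;
        }

        tmp_item = cJSON_GetObjectItem(expr_obj, "pattern_num");
        if (tmp_item != NULL && tmp_item->type == cJSON_Number) {
            exprs[i].n_patterns = tmp_item->valueint;
        }

        tmp_item = cJSON_GetObjectItem(expr_obj, "patterns");
        if (NULL == tmp_item || tmp_item->type != cJSON_Array) {
            printf("json has no patterns array.\n");
            ret = -1;
            goto next;
        }

        // The pattern count comes from the file; refuse anything that would
        // index past the fixed-size patterns[] member.
        const size_t max_patterns = fixed_array_len(exprs[i].patterns);
        const size_t pattern_cnt = cJSON_GetArraySize(tmp_item);
        if (pattern_cnt > max_patterns) {
            printf("json rule has too many patterns.\n");
            ret = -1;
            goto next;
        }

        for (size_t j = 0; j < pattern_cnt; j++) {
            cJSON *pat_item = cJSON_GetArrayItem(tmp_item, j);
            auto &cur = exprs[i].patterns[j];

            cJSON *item = cJSON_GetObjectItem(pat_item, "pattern_type");
            if (item != NULL && item->type == cJSON_String) {
                cur.type = pattern_type_str_to_enum(item->valuestring);
            }

            item = cJSON_GetObjectItem(pat_item, "match_method");
            if (item != NULL && item->type == cJSON_String) {
                cur.match_mode = match_method_to_match_mode(item->valuestring);
            }

            item = cJSON_GetObjectItem(pat_item, "case_sensitive");
            if (item != NULL && item->type == cJSON_String) {
                cur.case_sensitive = case_sensitive_str_to_enum(item->valuestring);
            }

            int is_hexbin = 0;
            item = cJSON_GetObjectItem(pat_item, "is_hexbin");
            if (item != NULL && item->type == cJSON_String) {
                is_hexbin = is_hexbin_str_to_int(item->valuestring);
            }

            item = cJSON_GetObjectItem(pat_item, "pattern");
            if (item != NULL && item->type == cJSON_String) {
                const size_t text_len = strlen(item->valuestring);

                cur.pat = ALLOC(char, text_len + 1);
                if (NULL == cur.pat) {
                    printf("alloc pattern buffer failed.\n");
                    ret = -1;
                    goto next;
                }

                if (is_hexbin == 1) {
                    // Decoded data is at most text_len / 2 bytes, so it and
                    // its terminating NUL always fit in text_len + 1.
                    cur.pat_len = hex2bin(item->valuestring, (int)text_len,
                                          cur.pat, text_len);
                } else {
                    // Copy the terminator too: pat is later handed to code
                    // that takes no length (see the regex check test), and
                    // whether ALLOC zero-fills is not visible here.
                    memcpy(cur.pat, item->valuestring, text_len + 1);
                    cur.pat_len = text_len;
                }
            }

            // Offsets depend on the mode of THIS pattern, not of patterns[0].
            if (cur.match_mode == EXPR_MATCH_MODE_SUB) {
                item = cJSON_GetObjectItem(pat_item, "offset");
                if (item != NULL && item->type == cJSON_String) {
                    // Fields sscanf does not fill keep the -1 default.
                    int key_left_offset = -1;
                    int key_right_offset = -1;
                    sscanf(item->valuestring, "%d~%d", &key_left_offset, &key_right_offset);
                    if (key_left_offset < -1 || key_right_offset < -1) {
                        printf("Error: offset should not less than -1, "
                               "left_offset:%d, right_offset:%d\n",
                               key_left_offset, key_right_offset);
                    }
                    cur.start_offset = key_left_offset;
                    cur.end_offset = key_right_offset;
                } else {
                    cur.start_offset = -1;
                    cur.end_offset = -1;
                }
            }

            if (cur.match_mode == EXPR_MATCH_MODE_EXACTLY) {
                cur.start_offset = 0;
                cur.end_offset = cur.pat_len - 1;
            }
        }

        exprs[i].n_patterns = pattern_cnt;
    }

    *n_expr = rule_cnt;

next:
    cJSON_Delete(root);
    FREE(json_buff);
    return ret;
}

/**
 * Release the pattern buffers of the first n_rule rules and reset the
 * pointers to NULL. Only patterns[0 .. n_patterns - 1] of each rule are
 * visited.
 */
static void expr_array_free(struct expr_rule rules[], size_t n_rule)
{
    for (size_t i = 0; i < n_rule; i++) {
        for (size_t j = 0; j < rules[i].n_patterns; j++) {
            // free(NULL) is a no-op, so no separate NULL test is needed.
            free(rules[i].patterns[j].pat);
            rules[i].patterns[j].pat = NULL;
        }
    }
}

TEST(hs_expr_matcher_init, invalid_input_parameter) { struct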
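expr_rule rules[64] = {0};  // zero-init: the n_patterns = 10 case below must not hand uninitialised pattern fields to the matcher
    size_t n_rule = 0;

    // NULL rule array.
    struct expr_matcher *matcher = expr_matcher_new(NULL, 0, EXPR_ENGINE_TYPE_HS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // Valid array pointer but zero rules.
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // One rule claiming 10 patterns, none of which carries pattern data.
    n_rule = 1;
    rules[0].expr_id = 101;
    rules[0].n_patterns = 10;
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // One rule with a single, all-zero pattern.
    memset(rules, 0, sizeof(rules));
    n_rule = 1;
    rules[0].expr_id = 101;
    rules[0].n_patterns = 1;
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);
}

// Same invalid-input cases as the HS test above, against EXPR_ENGINE_TYPE_RS.
TEST(rs_expr_matcher_init, invalid_input_parameter)
{
    // Zero-initialised so the n_patterns = 10 case does not expose
    // uninitialised pattern fields to the matcher.
    struct expr_rule rules[64] = {0};
    size_t n_rule = 0;

    // NULL rule array.
    struct expr_matcher *matcher = expr_matcher_new(NULL, 0, EXPR_ENGINE_TYPE_RS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // Valid array pointer but zero rules.
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // One rule claiming 10 patterns, none of which carries pattern data.
    n_rule = 1;
    rules[0].expr_id = 101;
    rules[0].n_patterns = 10;
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);

    // One rule with a single, all-zero pattern.
    memset(rules, 0, sizeof(rules));
    n_rule = 1;
    rules[0].expr_id = 101;
    rules[0].n_patterns = 1;
    matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger);
    EXPECT_TRUE(matcher == NULL);
}

// Builds an EXPR_ENGINE_TYPE_HS matcher from ./expr_matcher.json and scans a
// series of fixed strings, checking the hit counts for each.
TEST(hs_expr_matcher_match, literal_sub_has_normal_offset)
{
    struct expr_rule rules[64] = {0};
    size_t n_rule = 0;

    int ret = parse_config_file("./expr_matcher.json", rules, &n_rule);
    EXPECT_EQ(ret, 0);

    struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger);
    EXPECT_TRUE(matcher != NULL);
    // The parsed rule buffers are released before any scan runs.
    // NOTE(review): presumably expr_matcher_new keeps its own copy of the
    // pattern data - confirm against the matcher implementation.
    expr_array_free(rules, n_rule);

    char scan_data1[64] = "hello aaa";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;
    ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1),
                             result, 64, &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(n_result, 0);
    EXPECT_EQ(n_hit_pattern, 0);

    char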
scan_data2[64] = "Ahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 101); char scan_data3[64] = "Aahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 101); char scan_data4[64] = "Aaahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_sub_has_normal_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello aaa"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data2[64] = "Ahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 101); char scan_data3[64] = "Aahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, 
strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 101); char scan_data4[64] = "Aaahello aaa"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_sub_has_left_unlimit_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello bbb"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data2[64] = "Ahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data3[64] = "Aahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data4[64] = "Aaahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); 
EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_sub_has_left_unlimit_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello bbb"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data2[64] = "Ahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data3[64] = "Aahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 102); char scan_data4[64] = "Aaahello bbb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_sub_has_right_unlimit_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 
1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello ccc"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data2[64] = "1234hello ccc"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data3[64] = "12345hello ccc"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); char scan_data4[64] = "12345hello cccAaBb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); char scan_data5[64] = "123456hello cccAaBb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data5, strlen(scan_data5), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_sub_has_right_unlimit_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello 
ccc"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data2[64] = "1234hello ccc"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data3[64] = "12345hello ccc"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); char scan_data4[64] = "12345hello cccAaBb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); char scan_data5[64] = "123456hello cccAaBb"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data5, strlen(scan_data5), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 103); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_sub_with_no_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello ddd"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, 
scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data2[64] = "123hello ddd"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data3[64] = "123hello ddd456"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data4[64] = "helloddd"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_sub_with_no_offset) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello ddd"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data2[64] = "123hello ddd"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); 
EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data3[64] = "123hello ddd456"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 104); char scan_data4[64] = "helloddd"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_exactly) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello eee"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 105); char scan_data2[64] = "Ahello eee"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); char scan_data3[64] = "hello eeeB"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_exactly) { struct expr_rule rules[64] = 
{0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello eee"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 105); char scan_data2[64] = "Ahello eee"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data3[64] = "hello eeeB"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_prefix) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello fff"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 106); char scan_data2[64] = "Ahello fff"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), 
result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data3[64] = "Ahello fffBCD"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data4[64] = "hello fffBCD"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 106); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_prefix) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello fff"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 106); char scan_data2[64] = "Ahello fff"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data3[64] = "Ahello fffBCD"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data4[64] = "hello fffBCD"; memset(result, 0, 
sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 106); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_suffix) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello ggg"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 107); char scan_data2[64] = "ABChello ggg"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 107); char scan_data3[64] = "ABChello gggDEF"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data4[64] = "hello gggDEF"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_suffix) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", 
rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "hello ggg"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 107); char scan_data2[64] = "ABChello ggg"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 107); char scan_data3[64] = "ABChello gggDEF"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); char scan_data4[64] = "hello gggDEF"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_sub_with_hex) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "Content-Type: /html"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 
1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 108); char scan_data2[64] = " html"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(rs_expr_matcher_match, literal_sub_with_hex) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_RS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char scan_data1[64] = "Content-Type: /html"; uuid_t result[64] = {0}; size_t n_result = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result[0].rule_id, 108); char scan_data2[64] = " html"; memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result, &n_hit_pattern); EXPECT_EQ(ret, 0); EXPECT_EQ(n_result, 0); EXPECT_EQ(n_hit_pattern, 0); expr_matcher_free(matcher); matcher = NULL; } TEST(hs_expr_matcher_match, literal_with_chinese) { struct expr_rule rules[64] = {0}; size_t n_rule = 0; int ret = parse_config_file("./expr_matcher.json", rules, &n_rule); EXPECT_EQ(ret, 0); struct expr_matcher *matcher = expr_matcher_new(rules, n_rule, EXPR_ENGINE_TYPE_HS, 1, g_logger); EXPECT_TRUE(matcher != NULL); expr_array_free(rules, n_rule); char data0[64] = "#中国 你好"; uuid_t result0[64] = {0}; size_t n_result0 = 0; size_t n_hit_pattern = 0; ret = expr_matcher_match(matcher, 0, data0, strlen(data0), result0, 64, &n_result0, &n_hit_pattern); EXPECT_EQ(ret, 1); EXPECT_EQ(n_result0, 1); 
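EXPECT_EQ(n_hit_pattern, 1); EXPECT_EQ(result0[0].rule_id, 110); expr_matcher_free(matcher); matcher = NULL; }

/**
 * Parse the rule file at config_path and build a matcher for the requested engine.
 *
 * The parsed rules are released with expr_array_free() before returning, as every
 * test did right after construction.
 *
 * @param config_path  JSON rule file handed to parse_config_file().
 * @param engine       EXPR_ENGINE_TYPE_HS or EXPR_ENGINE_TYPE_RS (templated so the
 *                     enumerator's own type is used as-is).
 * @return the new matcher, or NULL when parsing or construction failed; a failure is
 *         also recorded as a non-fatal gtest failure. The caller releases the matcher
 *         with expr_matcher_free().
 */
template <typename EngineT>
static struct expr_matcher *matcher_from_config(const char *config_path, EngineT engine)
{
    struct expr_rule rules[64] = {0};
    size_t n_rule = 0;

    int ret = parse_config_file(config_path, rules, &n_rule);
    EXPECT_EQ(ret, 0);
    // parse_config_file() receives no capacity for rules[], so a fixture with more
    // entries than the array holds is written out of bounds; this check only reports
    // that after the fact. Keep the fixtures within the array size.
    EXPECT_LE(n_rule, sizeof(rules) / sizeof(rules[0]));

    struct expr_matcher *matcher = NULL;
    if (ret == 0) {
        // The literal 1 is carried over from the original calls; presumably the number
        // of worker threads (the scans below use thread id 0) — TODO confirm.
        matcher = expr_matcher_new(rules, n_rule, engine, 1, g_logger);
    }
    expr_array_free(rules, n_rule);
    return matcher;
}

// Literal pattern containing multi-byte (Chinese) text, RS engine: expects rule 110.
TEST(rs_expr_matcher_match, literal_with_chinese)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    // Fatal: scanning with a NULL matcher would dereference it instead of failing cleanly.
    ASSERT_TRUE(matcher != NULL);

    char data0[64] = "#中国 你好";
    uuid_t result0[64] = {0};
    size_t n_result0 = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, data0, strlen(data0), result0, 64,
                                 &n_result0, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result0, 1);
    EXPECT_EQ(n_hit_pattern, 1);
    EXPECT_EQ(result0[0].rule_id, 110);

    expr_matcher_free(matcher);
}

// The scanned text ends two words with "today"; HS engine: expects rule 112 with
// three pattern hits.
TEST(hs_expr_matcher_match, same_pattern_different_offset)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    char data[64] = "onetoday,anothertoday";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, data, strlen(data), result, 64,
                                 &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 112);

    expr_matcher_free(matcher);
}

// Same scenario as the HS test above, RS engine.
TEST(rs_expr_matcher_match, same_pattern_different_offset)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    ASSERT_TRUE(matcher != NULL);

    char data[64] = "onetoday,anothertoday";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, data, strlen(data), result, 64,
                                 &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 112);

    expr_matcher_free(matcher);
}

// Block scan of a long sentence, HS engine: expects rule 113 with three pattern hits.
TEST(hs_expr_matcher_match, long_scan_data)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    // NOTE(review): the original joined these pieces with backslash line continuations;
    // they are reproduced here with a single space at each join — confirm that matches
    // the original text if a fixture pattern spans a join.
    const char *scan_data =
        "A directed path in a directed graph is a finite or infinite"
        " sequence of edges which joins a sequence of distinct vertices, but with the added restriction"
        " that the edges be all directed in the same direction.";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64,
                                 &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 113);

    expr_matcher_free(matcher);
}

// Same scenario as the HS test above, RS engine.
TEST(rs_expr_matcher_match, long_scan_data)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    ASSERT_TRUE(matcher != NULL);

    // NOTE(review): joins reproduced with a single space, as in the HS twin — confirm.
    const char *scan_data =
        "A directed path in a directed graph is a finite or infinite"
        " sequence of edges which joins a sequence of distinct vertices, but with the added restriction"
        " that the edges be all directed in the same direction.";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64,
                                 &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 113);

    expr_matcher_free(matcher);
}

// Runs every pattern from ./regex_expr.json through the regex verifier.
TEST(expr_matcher_match, regex_expression_check)
{
    struct expr_rule rules[64] = {0};
    size_t n_rule = 0;

    int ret = parse_config_file("./regex_expr.json", rules, &n_rule);
    EXPECT_EQ(ret, 0);
    // Same capacity caveat as matcher_from_config(): parse_config_file() is not told
    // how many entries rules[] can hold.
    EXPECT_LE(n_rule, sizeof(rules) / sizeof(rules[0]));

    for (size_t i = 0; i < n_rule; i++) {
        for (size_t j = 0; j < rules[i].n_patterns; j++) {
            // NOTE(review): the verdict is discarded, so this test can only fail by
            // crashing. If the fixture states which expressions must be accepted or
            // rejected, assert on the return value here.
            expr_matcher_verify_regex_expression(rules[i].patterns[j].pat, g_logger);
        }
    }

    expr_array_free(rules, n_rule);
}

// Stream scan, HS engine: the rule must not be reported until the second chunk
// has been fed, and the pattern-hit count grows from 2 to 3 across the two calls.
TEST(hs_expr_matcher_stream, basic)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data1 = "A directed path in a directed graph is a finite";
    const char *scan_data2 = " or infinite sequence of edges which joins a "
                             "sequence of distinct vertices";
    uuid_t result[64] = {0};
    size_t n_hit_result = 0;
    size_t n_hit_pattern = 0;
    int thread_id = 0;

    struct expr_matcher_stream *stream = expr_matcher_stream_open(matcher, thread_id);
    EXPECT_TRUE(stream != NULL);
    if (stream == NULL) {
        // Do not scan on a NULL stream; release the matcher before leaving.
        expr_matcher_free(matcher);
        return;
    }

    int ret = expr_matcher_stream_match(stream, scan_data1, strlen(scan_data1), result, 64,
                                        &n_hit_result, &n_hit_pattern);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(n_hit_result, 0);
    EXPECT_EQ(n_hit_pattern, 2);

    ret = expr_matcher_stream_match(stream, scan_data2, strlen(scan_data2), result, 64,
                                    &n_hit_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 113);

    expr_matcher_stream_close(stream);
    expr_matcher_free(matcher);
}

// Same scenario as the HS stream test above, RS engine.
TEST(rs_expr_matcher_stream, basic)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data1 = "A directed path in a directed graph is a finite";
    const char *scan_data2 = " or infinite sequence of edges which joins a "
                             "sequence of distinct vertices";
    uuid_t result[64] = {0};
    size_t n_hit_result = 0;
    size_t n_hit_pattern = 0;
    int thread_id = 0;

    struct expr_matcher_stream *stream = expr_matcher_stream_open(matcher, thread_id);
    EXPECT_TRUE(stream != NULL);
    if (stream == NULL) {
        // Do not scan on a NULL stream; release the matcher before leaving.
        expr_matcher_free(matcher);
        return;
    }

    int ret = expr_matcher_stream_match(stream, scan_data1, strlen(scan_data1), result, 64,
                                        &n_hit_result, &n_hit_pattern);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(n_hit_result, 0);
    EXPECT_EQ(n_hit_pattern, 2);

    ret = expr_matcher_stream_match(stream, scan_data2, strlen(scan_data2), result, 64,
                                    &n_hit_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 113);

    expr_matcher_stream_close(stream);
    expr_matcher_free(matcher);
}

// Regex rule against a URL, HS engine: expects rule 114 with one pattern hit.
TEST(hs_expr_matcher, regex_basic)
{
    // "[0-9]rain" is only passed through the verifier; the scan input that would have
    // exercised it ("8rain") was commented out in the original and is not scanned.
    int ret = expr_matcher_verify_regex_expression("[0-9]rain", g_logger);
    EXPECT_EQ(ret, 1);

    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data1 = "http://www.cyberessays.com/search_results.php?"
                             "action=search&query=username,abckkk,1234567";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64,
                             &n_result, &n_hit_pattern);
    // The return value was not checked here before, although the RS twin below
    // asserts 1 for the same input and fixture.
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 1);
    EXPECT_EQ(result[0].rule_id, 114);

    expr_matcher_free(matcher);
}

// Same scenario as the HS test above, RS engine.
TEST(rs_expr_matcher, regex_basic)
{
    int ret = expr_matcher_verify_regex_expression("[0-9]rain", g_logger);
    EXPECT_EQ(ret, 1);

    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data1 = "http://www.cyberessays.com/search_results.php?"
                             "action=search&query=username,abckkk,1234567";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64,
                             &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 1);
    EXPECT_EQ(result[0].rule_id, 114);

    expr_matcher_free(matcher);
}

// Scan input containing a non-ASCII character, HS engine: expects rule 116.
TEST(hs_expr_matcher, regex_unicode)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data = "string contains É";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    // NOTE(review): neither engine's regex_unicode test asserts on the return value;
    // the other tests pair ret == 1 with n_result == 1 — confirm and add the check.
    expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64,
                       &n_result, &n_hit_pattern);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 1);
    EXPECT_EQ(result[0].rule_id, 116);

    expr_matcher_free(matcher);
}

// Same scenario as the HS test above, RS engine.
TEST(rs_expr_matcher, regex_unicode)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_RS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data = "string contains É";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    // NOTE(review): return value not asserted, as in the HS twin — confirm and add.
    expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64,
                       &n_result, &n_hit_pattern);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 1);
    EXPECT_EQ(result[0].rule_id, 116);

    expr_matcher_free(matcher);
}

// Two scans on one matcher, HS engine: the first input yields two pattern hits but
// no rule; adding "three" yields three pattern hits and rule 115.
TEST(hs_expr_matcher, hit_pattern_num)
{
    struct expr_matcher *matcher = matcher_from_config("./expr_matcher.json", EXPR_ENGINE_TYPE_HS);
    ASSERT_TRUE(matcher != NULL);

    const char *scan_data1 = "string has one two";
    const char *scan_data2 = "string has one two three";
    uuid_t result[64] = {0};
    size_t n_result = 0;
    size_t n_hit_pattern = 0;

    int ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64,
                                 &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 0);
    EXPECT_EQ(n_result, 0);
    EXPECT_EQ(n_hit_pattern, 2);

    ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64,
                             &n_result, &n_hit_pattern);
    EXPECT_EQ(ret, 1);
    EXPECT_EQ(n_result, 1);
    EXPECT_EQ(n_hit_pattern, 3);
    EXPECT_EQ(result[0].rule_id, 115);

    expr_matcher_free(matcher);
}

// Test entry point: creates the shared logger, runs all tests, destroys the logger.
int main(int argc, char **argv)
{
    ::testing::InitGoogleTest(&argc, argv);

    // NOTE(review): the result of log_handle_create() is not checked; whether the
    // matcher API and log_handle_destroy() accept a NULL handle is not visible here.
    g_logger = log_handle_create("./expr_matcher_gtest.log", 0);

    int ret = RUN_ALL_TESTS();

    log_handle_destroy(g_logger);
    return ret;
}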