diff --git a/ctest/CMakeLists.txt b/ctest/CMakeLists.txt
index 8720ddd..c784609 100644
--- a/ctest/CMakeLists.txt
+++ b/ctest/CMakeLists.txt
@@ -12,6 +12,7 @@ add_test(NAME COPY_GTEST_MAAT_RULE COMMAND sh -c "cp -r ${CMAKE_SOURCE_DIR}/test
 add_test(NAME COPY_GTEST_PROFILE_RESPONSE_PAGES COMMAND sh -c "cp -r ${CMAKE_SOURCE_DIR}/test/bin/foreign_files ${CMAKE_BINARY_DIR}/testing/")
 add_test(NAME COPY_GTEST_PROXY_PCAP COMMAND sh -c "cp -r ${CMAKE_SOURCE_DIR}/test/pcap ${CMAKE_BINARY_DIR}/testing/")
+add_test(NAME COPY_GTEST_TABLEINFO_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/src/gtest_tableinfo ${CMAKE_BINARY_DIR}/testing/")
 add_test(NAME COPY_GTEST_RULE_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/src/gtest_rule ${CMAKE_BINARY_DIR}/testing/")
 add_test(NAME COPY_GTEST_BRIDGE_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/src/gtest_bridge ${CMAKE_BINARY_DIR}/testing/")
 add_test(NAME COPY_GTEST_ACTION_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/src/gtest_action ${CMAKE_BINARY_DIR}/testing/")
@@ -22,6 +23,7 @@ add_test(NAME COPY_GTEST_FIELDSTAT3_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/te
 add_test(NAME COPY_GTEST_PROXY_BIN COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/src/gtest_proxy ${CMAKE_BINARY_DIR}/testing/")
 set(GTEST_RUN_DIR ${CMAKE_BINARY_DIR}/testing)
+add_test(NAME GTEST_TABLEINFO COMMAND gtest_tableinfo WORKING_DIRECTORY ${GTEST_RUN_DIR})
 add_test(NAME GTEST_RULE COMMAND gtest_rule WORKING_DIRECTORY ${GTEST_RUN_DIR})
 add_test(NAME GTEST_BRIDGE COMMAND gtest_bridge WORKING_DIRECTORY ${GTEST_RUN_DIR})
 add_test(NAME GTEST_ACTION COMMAND gtest_action WORKING_DIRECTORY ${GTEST_RUN_DIR})
diff --git a/test/bin/gtest_maat.json b/test/bin/gtest_maat.json
index 763509c..9cd4608 100644
--- a/test/bin/gtest_maat.json
+++ b/test/bin/gtest_maat.json
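Review bot: The added `COPY_GTEST_TABLEINFO_BIN` step in the first ctest/CMakeLists.txt hunk splices `${CMAKE_BINARY_DIR}` unquoted into an `sh -c` string, so a build directory whose path contains spaces or shell metacharacters is word-split or interpreted by the shell rather than treated as one path. It mirrors the neighbouring copy steps, but no shell is needed for a single file copy: `add_test(NAME COPY_GTEST_TABLEINFO_BIN COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/test/src/gtest_tableinfo ${CMAKE_BINARY_DIR}/testing/)` passes each path as its own argument and also drops the dependency on `sh`. If the shell form is kept for consistency, the two paths should at least be wrapped in escaped quotes inside the command string.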
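Review bot: The added `GTEST_TABLEINFO` test in the second ctest/CMakeLists.txt hunk runs in `${GTEST_RUN_DIR}`, which is populated by `COPY_GTEST_TABLEINFO_BIN` and the other copy steps, yet nothing visible in this diff declares that ordering; it appears to rely on ctest running tests in declaration order. Under `ctest -j` or a filtered run such as `ctest -R GTEST_TABLEINFO`, the copied binary and fixture files may be missing or left over from an earlier build, so the test can fail spuriously or exercise stale code. Unless the rest of the file already sets this, tie the two together with `set_tests_properties(COPY_GTEST_TABLEINFO_BIN PROPERTIES FIXTURES_SETUP tableinfo_bin)` and `set_tests_properties(GTEST_TABLEINFO PROPERTIES FIXTURES_REQUIRED tableinfo_bin)`; the fixture name here is only a suggestion.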
@@ -128,6 +128,2180 @@ ] } ] + }, + { + "compile_id": 5, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_HTTP_HOST", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "http_host_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 6, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_HTTP_HOST_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1002, + "up_boundary": 1003 + } + } + ] + } + ] + }, + { + "compile_id": 7, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_HTTP_URL", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_URL", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "http_url_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 8, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_HTTP_REQ_HDR", + "regions": [ + { + "table_type": "expr_plus", + "table_name": "TSG_OBJ_HTTP_SIGNATURE", + "table_content": { + "district": 
"Content-Type", + "format": "uncase plain", + "match_method": "complete", + "keywords": "application/json;charset=UTF-8", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 9, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_HTTP_RES_HDR", + "regions": [ + { + "table_type": "expr_plus", + "table_name": "TSG_OBJ_HTTP_SIGNATURE", + "table_content": { + "district": "Cookie", + "format": "uncase plain", + "match_method": "complete", + "keywords": "GeoIP=HK:::22.26:114.17:v4;enwikimwuser-sessionId=d8fe6d620b7c8db3e5db;WMF-Last-Access=16-Jan-2023;WMF-Last-Access-Global=16-Jan-2023;", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 10, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 2, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_HTTP_REQ_BODY", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "TSG_FIELD_HTTP_REQ_BODY_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 11, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 2, + "tags": "{}", + "user_region": "{\"protocol\":\"HTTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_HTTP_RES_BODY", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "TSG_FIELD_HTTP_RES_BODY_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 12, + "service": 3, + "action": 1, + 
"do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_SSL_SNI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_sni_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 13, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_SSL_SNI_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1002, + "up_boundary": 1003 + } + } + ] + } + ] + }, + { + "compile_id": 14, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_SSL_CN", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_cn_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 15, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_SSL_CN_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1005, + "up_boundary": 1006 + } + } + ] + } + ] + }, + 
{ + "compile_id": 16, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_SSL_SAN", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_san_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 17, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_SSL_SAN_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 18, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"DNS\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_DNS_QNAME", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "dns_qname_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 19, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"DNS\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_DNS_QNAME_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1009, + "up_boundary": 1010 + } + } 
+ ] + } + ] + }, + { + "compile_id": 20, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"QUIC\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_QUIC_SNI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "quic_sni_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 21, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"QUIC\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_QUIC_SNI_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1011, + "up_boundary": 1012 + } + } + ] + } + ] + }, + { + "compile_id": 22, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_ACCOUNT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "username_policy_id_1@gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 23, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_FROM", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + 
"table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "username_policy_id_1@gtest.com_from", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 24, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_TO", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "username_policy_id_1@gtest.com_to", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 25, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_SUBJECT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "subjet_policy_id_25_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 26, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_CONTENT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "subjet_policy_id_26_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 27, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": 
"{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_ATT_NAME", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "subjet_policy_id_27_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 28, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_MAIL_ATT_CONTENT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "subjet_policy_id_28_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 29, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"FTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_FTP_URI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_URL", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ftp_url_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 30, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"MAIL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_FTP_CONTENT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": 
"subjet_policy_id_30_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 31, + "service": 3, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"FTP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_FTP_ACCOUNT", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "subjet_policy_id_31_gtest.com", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 32, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "2.111", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_SOURCE_ADDR", + "regions": [ + { + "table_type": "ip_plus", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "255.255.255.254", + "ip2": "255.255.255.254", + "port_format": "range", + "port1": "0", + "port2": "30001", + "protocol": 6 + } + } + ] + } + ] + }, + { + "compile_id": 33, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "2.111", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_SOURCE_ADDR", + "regions": [ + { + "table_type": "ip_plus", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "255.255.255.254", + "ip2": "255.255.255.254", + "port_format": "range", + "port1": "30001", + "port2": "65535", + "protocol": 17 + } + } + ] + } + ] + }, + { + "compile_id": 34, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": 
"yes", + "evaluation_order": "2.111", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_DESTINATION_ADDR", + "regions": [ + { + "table_type": "ip_plus", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "255.255.255.253", + "ip2": "255.255.255.253", + "port_format": "range", + "port1": "0", + "port2": "30000", + "protocol": 6 + } + } + ] + } + ] + }, + { + "compile_id": 35, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "2.111", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_DESTINATION_ADDR", + "regions": [ + { + "table_type": "ip_plus", + "table_name": "TSG_OBJ_IP_ADDR", + "table_content": { + "addr_type": "ipv4", + "addr_format": "range", + "ip1": "255.255.255.253", + "ip2": "255.255.255.253", + "port_format": "range", + "port1": "30001", + "port2": "65535", + "protocol": 17 + } + } + ] + } + ] + }, + { + "compile_id": 36, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_SOURCE_ASN", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_AS_NUMBER", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "source_asn_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 37, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_DESTINATION_ASN", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_AS_NUMBER", + 
"table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "destination_asn_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 38, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_SOURCE_LOCATION", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_GEO_LOCATION", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "country_full_test.city_full_test.", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 39, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_DESTINATION_LOCATION", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_GEO_LOCATION", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "country_full_test.city_full_test.", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 40, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"VOIP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "sip_region_buff_SIP_ORIGINATOR_DESCRIPTION", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 41, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", 
+ "effective_rage": 0, + "user_region": "{\"protocol\":\"VOIP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_SIP_RESPONDER_DESCRIPTION", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_ACCOUNT", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "sip_region_buff_SIP_RESPONDER_DESCRIPTION", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 42, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FILED_GTP_IMSI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_IMSI", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "gtp_imsi_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 43, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FILED_GTP_PHONE_NUMBER", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_PHONE_NUMBER", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "13766688899", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 44, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FILED_GTP_APN", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_APN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "gtp_apn_test", + "expr_type": "none" + } 
+ } + ] + } + ] + }, + { + "compile_id": 45, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_DECYPTION_EXCLUSION_SSL_SNI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "DECYPTION_EXCLUSION_SSL_SNI_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 46, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "0.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_TUNNEL", + "regions": [ + { + "table_name": "TSG_OBJ_TUNNEL_ID", + "table_type": "interval", + "table_content": { + "low_boundary": 4, + "up_boundary": 6 + } + } + ] + } + ] + }, + { + "compile_id": 47, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "0.0", + "groups": [ + { + "group_name": "flags", + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_SECURITY_FLAG", + "regions": [ + { + "table_type": "flag", + "table_name": "TSG_OBJ_FLAG", + "table_content": { + "flag": 8, + "flag_mask": 8 + } + } + ] + } + ] + }, + { + "compile_id": 48, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "virtual_table": "TSG_FIELD_DTLS_SNI", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_FQDN", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "dtls_sni_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 
49, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"DTLS\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "TSG_FIELD_DTLS_SNI_CAT", + "regions": [ + { + "table_name": "TSG_OBJ_FQDN_CAT", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 50, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.payload.c2s_first_data", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_tcp_c2s_first_payload", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 51, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.payload.s2c_first_data", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_tcp_s2c_first_payload", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 52, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.payload.c2s_first_data_len", + "regions": [ + { + "table_name": "TSG_OBJ_INTERVAL", + "table_type": 
"interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 53, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.payload.s2c_first_data_len", + "regions": [ + { + "table_name": "TSG_OBJ_INTERVAL", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 54, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.payload", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_tcp_payload", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 55, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "tcp.syn.fingerprint", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_tcp_syn_fingerprint", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 56, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"TCP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + 
"virtual_table": "tcp.sack.fingerprint", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_tcp_sack_fingerprint", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 57, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"UDP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "udp.payload.c2s_first_data", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_udp_payload_c2s_first_data", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 58, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"UDP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "udp.payload.s2c_first_data", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_udp_payload_s2c_first_data", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 59, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"UDP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "udp.payload.c2s_first_data_len", + "regions": [ + { + "table_name": "TSG_OBJ_INTERVAL", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 60, + "service": 2, + "action": 1, + 
"do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{\"protocol\":\"UDP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "udp.payload.s2c_first_data_len", + "regions": [ + { + "table_name": "TSG_OBJ_INTERVAL", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 61, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"UDP\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "udp.payload", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "test_udp_payload", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 62, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.analysis.ja3", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_analysis_ja3_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 63, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.cert.fingerprint", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase 
plain", + "match_method": "complete", + "keywords": "ssl_handshake_cert_fingerprint_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 64, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.cert.serial_number", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_cert_serial_number_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 65, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.issuer_common_name", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_issuer_common_name_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 66, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.issuer_organization_name", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_issuer_organization_name_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + 
"compile_id": 67, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.issuer_country_name", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_issuer_country_name_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 68, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.subject_country_name", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_subject_country_name_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 69, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.subject_organization_name", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_subject_organization_name_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 70, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 
0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.not_valid_before", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_not_valid_before_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 71, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.not_valid_after", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_not_valid_after_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 72, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "effective_rage": 0, + "user_region": "{\"protocol\":\"SSL\"}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "ssl.handshake.certificate.algorithm_id", + "regions": [ + { + "table_type": "expr", + "table_name": "TSG_OBJ_KEYWORDS", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "ssl_handshake_certificate_algorithm_id_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 73, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "virtual_table": "general.session.analysis.app_id", 
+ "regions": [ + { + "table_name": "TSG_OBJ_APP_ID", + "table_type": "interval", + "table_content": { + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] + }, + { + "compile_id": 74, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "regions": [ + { + "table_type": "expr_plus", + "table_name": "APP_SIG_SESSION_ATTRIBUTE_STRING", + "table_content": { + "district": "SIG_SEESION", + "format": "uncase plain", + "match_method": "complete", + "keywords": "sig_session_attribute_string_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 75, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "regions": [ + { + "table_type": "expr", + "table_name": "APP_SIG_SESSION_ATTRIBUTE_FLAG", + "table_content": { + "format": "uncase plain", + "match_method": "complete", + "keywords": "sig_session_attribute_flag_test", + "expr_type": "none" + } + } + ] + } + ] + }, + { + "compile_id": 76, + "service": 2, + "action": 1, + "do_blacklist": 0, + "do_log": 1, + "tags": "{}", + "user_region": "{}", + "is_valid": "yes", + "evaluation_order": "10.0", + "groups": [ + { + "not_flag": 0, + "clause_index": 0, + "regions": [ + { + "table_name": "APP_SIG_SESSION_ATTRIBUTE_INTEGER", + "table_type": "intval_plus", + "table_content": { + "district": "SIG_SEESION", + "low_boundary": 1007, + "up_boundary": 1008 + } + } + ] + } + ] } ], "plugin_table": [ diff --git a/test/src/CMakeLists.txt b/test/src/CMakeLists.txt index a859cad..c3905d8 100644 --- a/test/src/CMakeLists.txt +++ b/test/src/CMakeLists.txt 
@@ -12,6 +12,10 @@ LINK_DIRECTORIES(/opt/MESA/lib)
 add_executable(gtest_rule ${PROJECT_SOURCE_DIR}/src/tsg_rule.cpp ${PROJECT_SOURCE_DIR}/src/tsg_variable.cpp gtest_common.cpp gtest_rule.cpp)
 target_link_libraries(gtest_rule gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger maat4)
+
+add_executable(gtest_tableinfo ${PROJECT_SOURCE_DIR}/src/tsg_rule.cpp ${PROJECT_SOURCE_DIR}/src/tsg_variable.cpp gtest_common.cpp gtest_tableinfo.cpp)
+target_link_libraries(gtest_tableinfo gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger maat4)
+
 add_executable(gtest_bridge ${PROJECT_SOURCE_DIR}/src/tsg_bridge.cpp ${PROJECT_SOURCE_DIR}/src/tsg_protocol.cpp ${PROJECT_SOURCE_DIR}/src/tsg_variable.cpp gtest_common.cpp gtest_bridge.cpp)
 target_link_libraries(gtest_bridge gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger maat4)
diff --git a/test/src/gtest_tableinfo.cpp b/test/src/gtest_tableinfo.cpp
new file mode 100644
index 0000000..dac31bd
--- /dev/null
+++ b/test/src/gtest_tableinfo.cpp
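Review bot: The two added lines for `gtest_tableinfo` in test/src/CMakeLists.txt repeat the source list and the link list of `gtest_rule` word for word, differing only in the final test file, so `tsg_rule.cpp` and `tsg_variable.cpp` are compiled again for this binary and any later change to the library list has to be made in both places. Consider hoisting the shared part into a variable, for example `set(TSG_RULE_TEST_SRCS ${PROJECT_SOURCE_DIR}/src/tsg_rule.cpp ${PROJECT_SOURCE_DIR}/src/tsg_variable.cpp gtest_common.cpp)` followed by `add_executable(gtest_tableinfo ${TSG_RULE_TEST_SRCS} gtest_tableinfo.cpp)`; the variable name is only a suggestion. A one-line comment above the target, such as `# gtest_tableinfo: scans each Maat table name against the gtest_maat.json fixture`, would also tell readers why it exists next to gtest_rule.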
@@ -0,0 +1,1402 @@ +#include +#include +#include + +#include +#include "tsg_rule.h" +#include "tsg_label.h" +#include "tsg_entry.h" +#include "tsg_variable.h" +#include "tsg_rule_internal.h" +#include "tsg_protocol_common.h" + +#include +const struct session_runtime_attribute *session_runtime_attribute_new(const struct streaminfo *a_stream) +{ + return NULL; +} + +const struct session_runtime_attribute *session_runtime_attribute_get(const struct streaminfo *a_stream) +{ + return 0; +} + +int session_runtine_attribute_get_umts_user_info(const struct streaminfo *a_stream, struct umts_user_info **user_info) +{ + return 0; +} + +int session_mirror_packets_sync(const struct streaminfo *a_stream, struct maat_rule *result, struct mirrored_vlan *vlan) +{ + return 0; +} + +int session_capture_packets_sync(const struct streaminfo *a_stream, struct maat_rule *result, int depth) +{ + return 0; +} + +extern struct maat_runtime_para g_tsg_maat_rt_para; +extern size_t tsg_scan_string(const struct streaminfo *a_stream, struct maat *feather, const char *s_data, size_t s_data_len, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_results); +TEST(TSG_Table, TSG_FIELD_HTTP_HOST) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "http_host_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + struct maat_rule results[MAX_RESULT_NUM] = {0}; + EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_HTTP_HOST, mid, results, MAX_RESULT_NUM), 1); + EXPECT_EQ(results[0].rule_id, 5); + EXPECT_EQ(results[0].service_id, 2); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, http_host) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "http_host_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long 
long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "http.host"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 5); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_HOST_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1003; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_HOST_CAT"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 6); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_URL) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "http_url_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + struct maat_rule results[MAX_RESULT_NUM] = {0}; + EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_HTTP_URL, mid, results, MAX_RESULT_NUM), 1); + EXPECT_EQ(results[0].rule_id, 7); + EXPECT_EQ(results[0].service_id, 2); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_REQ_HDR) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "application/json;charset=UTF-8"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_REQ_HDR"), "Content-Type", strlen("Content-Type")); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + 
int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_REQ_HDR"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 8); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, http_request_header) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "application/json;charset=UTF-8"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "http.request.header"), "Content-Type", strlen("Content-Type")); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "http.request.header"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 8); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_RES_HDR) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "GeoIP=HK:::22.26:114.17:v4;enwikimwuser-sessionId=d8fe6d620b7c8db3e5db;WMF-Last-Access=16-Jan-2023;WMF-Last-Access-Global=16-Jan-2023;"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_RES_HDR"), "Cookie", strlen("Cookie")); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_RES_HDR"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + 
EXPECT_EQ(matched_rules[0], 9); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, http_response_header) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "GeoIP=HK:::22.26:114.17:v4;enwikimwuser-sessionId=d8fe6d620b7c8db3e5db;WMF-Last-Access=16-Jan-2023;WMF-Last-Access-Global=16-Jan-2023;"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "http.response.header"), "Cookie", strlen("Cookie")); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "http.response.header"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 9); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_REQ_BODY) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "TSG_FIELD_HTTP_REQ_BODY_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_REQ_BODY"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 10); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_HTTP_RES_BODY) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "TSG_FIELD_HTTP_RES_BODY_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long 
matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_HTTP_RES_BODY"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 11); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_SNI) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ssl_sni_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + struct maat_rule results[MAX_RESULT_NUM] = {0}; + EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_SSL_SNI, mid, results, MAX_RESULT_NUM), 1); + EXPECT_EQ(results[0].rule_id, 12); + EXPECT_EQ(results[0].service_id, 3); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, ssl_handshake_extensions_server_name) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ssl_sni_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.extensions_server_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 12); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_SNI_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1002; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SSL_SNI_CAT"), 
integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 13); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_CN) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ssl_cn_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SSL_CN"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 14); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, ssl_handshake_certificate_subject_common_name) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ssl_cn_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.subject_common_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 14); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_CN_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1005; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SSL_CN_CAT"), integer, matched_rules, 
MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 15); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_SAN) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ssl_san_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SSL_SAN"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 16); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_SSL_SAN_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1007; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SSL_SAN_CAT"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 17); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_DNS_QNAME) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "dns_qname_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_DNS_QNAME"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + 
EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 18); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, dns_qry_name) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "dns_qname_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "dns.qry.name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 18); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_DNS_QNAME_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1009; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_DNS_QNAME_CAT"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 19); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_QUIC_SNI) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "quic_sni_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_QUIC_SNI"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 20); + maat_state_free(mid); 
+ mid = NULL; +} + +TEST(TSG_Table, quic_sni) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "quic_sni_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "quic.sni"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 20); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_QUIC_SNI_CAT) +{ + const struct streaminfo a_stream = {0}; + long long integer = 1011; + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_QUIC_SNI_CAT"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 21); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_ACCOUNT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "username_policy_id_1@gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_ACCOUNT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 22); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_FROM) +{ + const struct 
streaminfo a_stream = {0}; + const char *s_data = "username_policy_id_1@gtest.com_from"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_FROM"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 23); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_TO) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "username_policy_id_1@gtest.com_to"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_TO"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 24); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_SUBJECT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_25_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_SUBJECT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 25); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, 
TSG_FIELD_MAIL_CONTENT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_26_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_CONTENT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 26); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_ATT_NAME) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_27_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_ATT_NAME"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 27); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_MAIL_ATT_CONTENT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_28_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_MAIL_ATT_CONTENT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 28); + 
maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_FTP_URI) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "ftp_url_test"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_FTP_URI"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 29); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_FTP_CONTENT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_30_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_FTP_CONTENT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + EXPECT_EQ(matched_rules[0], 30); + maat_state_free(mid); + mid = NULL; +} + +TEST(TSG_Table, TSG_FIELD_FTP_ACCOUNT) +{ + const struct streaminfo a_stream = {0}; + const char *s_data = "subjet_policy_id_31_gtest.com"; + size_t s_data_len = strlen(s_data); + struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum); + + size_t n_matched_rules = 0; + long long matched_rules[MAX_RESULT_NUM]; + int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_FTP_ACCOUNT"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid); + EXPECT_EQ(is_hited, MAAT_SCAN_HIT); + EXPECT_EQ(n_matched_rules, 1); + 
EXPECT_EQ(matched_rules[0], 31);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+extern size_t tsg_scan_ipv4_address(const struct streaminfo *a_stream, struct maat *feather, struct ipaddr *p_addr, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *rules, size_t n_rules);
+TEST(TSG_Table, TSG_SECURITY_SOURCE_ADDR)
+{
+ struct streaminfo a_stream = {0};
+ a_stream.type = STREAM_TYPE_TCP;
+ struct ipaddr p_addr = {0};
+ struct stream_tuple4_v4 tuple4_v4 = {0};
+ p_addr.v4 = &tuple4_v4;
+ p_addr.v4->saddr = inet_addr("255.255.255.254");
+ p_addr.v4->source = htons(1);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ipv4_address((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &p_addr, MAAT_SCAN_SRC_IP_ADDR, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 32);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ip_src)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ip.src"), inet_addr("255.255.255.254"), htons(1), 6, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 32);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_srcport)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.srcport"), inet_addr("255.255.255.254"), htons(1), 6, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+
EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 32);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_srcport)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.srcport"), inet_addr("255.255.255.254"), htons(30002), 17, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 33);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_SECURITY_DESTINATION_ADDR)
+{
+ struct streaminfo a_stream = {0};
+ a_stream.type = STREAM_TYPE_TCP;
+ struct ipaddr p_addr = {0};
+ struct stream_tuple4_v4 tuple4_v4 = {0};
+ p_addr.v4 = &tuple4_v4;
+ p_addr.v4->saddr = inet_addr("255.255.255.253");
+ p_addr.v4->source = htons(1);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ipv4_address((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &p_addr, MAAT_SCAN_DST_IP_ADDR, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 34);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ip_dst)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ip.dst"), inet_addr("255.255.255.253"), htons(1), 6, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 34);
+ maat_state_free(mid);
+
mid = NULL;
+}
+
+TEST(TSG_Table, tcp_dstport)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.dstport"), inet_addr("255.255.255.253"), htons(1), 6, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 34);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_dstport)
+{
+ struct streaminfo a_stream = {0};
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_ipv4(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.dstport"), inet_addr("255.255.255.253"), htons(30002), 17, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 35);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+extern size_t tsg_scan_ip_asn(const struct streaminfo *a_stream, struct maat *feather, struct asn_info *asn, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_result);
+TEST(TSG_Table, TSG_SECURITY_SOURCE_ASN)
+{
+ struct streaminfo a_stream = {0};
+ struct asn_info asn = {0};
+ asn.asn_id = (char *)"source_asn_test";
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ip_asn((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &asn, MAAT_SCAN_SRC_ASN, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 36);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_SECURITY_DESTINATION_ASN)
+{
+ struct
streaminfo a_stream = {0};
+ struct asn_info asn = {0};
+ asn.asn_id = (char *)"destination_asn_test";
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ip_asn((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &asn, MAAT_SCAN_DST_ASN, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 37);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+extern size_t tsg_scan_ip_location(const struct streaminfo *a_stream, struct maat *feather, struct location_info *location, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_results);
+TEST(TSG_Table, TSG_SECURITY_SOURCE_LOCATION)
+{
+ struct streaminfo a_stream = {0};
+ struct location_info location = {0};
+ location.country_full = (char *)"country_full_test";
+ location.city_full = (char *)"city_full_test";
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ip_location((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &location, MAAT_SCAN_SRC_LOCATION, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 38);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_SECURITY_DESTINATION_LOCATION)
+{
+ struct streaminfo a_stream = {0};
+ struct location_info location = {0};
+ location.country_full = (char *)"country_full_test";
+ location.city_full = (char *)"city_full_test";
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_ip_location((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &location, MAAT_SCAN_DST_LOCATION, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 39);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid =
NULL;
+}
+
+TEST(TSG_Table, TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "sip_region_buff_SIP_ORIGINATOR_DESCRIPTION";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 40);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FIELD_SIP_RESPONDER_DESCRIPTION)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "sip_region_buff_SIP_RESPONDER_DESCRIPTION";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_SIP_RESPONDER_DESCRIPTION"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 41);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FILED_GTP_IMSI)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "gtp_imsi_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_GTP_IMSI, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 42);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FILED_GTP_PHONE_NUMBER)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "13766688899";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_GTP_PHONE_NUMBER, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 43);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FILED_GTP_APN)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "gtp_apn_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_GTP_APN, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 44);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_DECYPTION_EXCLUSION_SSL_SNI)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "DECYPTION_EXCLUSION_SSL_SNI_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_EXCLUSION_SSL_SNI, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 45);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+extern size_t tsg_scan_integer(const struct streaminfo *a_stream, struct maat *feather, long long s_integer, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_results);
+TEST(TSG_Table, TSG_SECURITY_TUNNEL)
+{
+ const struct streaminfo a_stream = {0};
+ long long s_integer
= 5;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_integer(&a_stream, g_tsg_maat_feather, s_integer, MAAT_SCAN_TUNNEL_ID, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 46);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+extern size_t tsg_scan_session_flags(const struct streaminfo *a_stream, struct maat *feather, unsigned long flag, struct maat_state *s_mid, struct maat_rule *results, size_t n_results);
+TEST(TSG_Table, TSG_SECURITY_FLAG)
+{
+ const struct streaminfo a_stream = {0};
+ unsigned long flag = 8;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_session_flags(&a_stream, g_tsg_maat_feather, flag, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 47);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FIELD_DTLS_SNI)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "dtls_sni_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ struct maat_rule results[MAX_RESULT_NUM] = {0};
+ EXPECT_EQ(tsg_scan_string(&a_stream, g_tsg_maat_feather, s_data, s_data_len, MAAT_SCAN_DTLS_SNI, mid, results, MAX_RESULT_NUM), 1);
+ EXPECT_EQ(results[0].rule_id, 48);
+ EXPECT_EQ(results[0].service_id, 2);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, TSG_FIELD_DTLS_SNI_CAT)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "TSG_FIELD_DTLS_SNI_CAT"), integer, matched_rules,
MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 49);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_payload_c2s_first_data)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_tcp_c2s_first_payload";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.payload.c2s_first_data"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 50);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_payload_s2c_first_data)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_tcp_s2c_first_payload";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.payload.s2c_first_data"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 51);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_payload_c2s_first_data_len)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.payload.c2s_first_data_len"), integer, matched_rules,
MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 52);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_payload_s2c_first_data_len)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.payload.s2c_first_data_len"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 53);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_payload)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_tcp_payload";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.payload"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 54);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_syn_fingerprint)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_tcp_syn_fingerprint";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.syn.fingerprint"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited,
MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 55);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, tcp_sack_fingerprint)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_tcp_sack_fingerprint";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "tcp.sack.fingerprint"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 56);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_payload_c2s_first_data)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_udp_payload_c2s_first_data";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.payload.c2s_first_data"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 57);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_payload_s2c_first_data)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_udp_payload_s2c_first_data";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.payload.s2c_first_data"), s_data, s_data_len, matched_rules,
MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 58);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_payload_c2s_first_data_len)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.payload.c2s_first_data_len"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 59);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_payload_s2c_first_data_len)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.payload.s2c_first_data_len"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 60);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, udp_payload)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "test_udp_payload";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "udp.payload"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 61);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_analysis_ja3)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_analysis_ja3_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.analysis.ja3"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 62);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_cert_fingerprint)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_cert_fingerprint_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.cert.fingerprint"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 63);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_cert_serial_number)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_cert_serial_number_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.cert.serial_number"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules,
mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 64);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_issuer_common_name)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_issuer_common_name_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.issuer_common_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 65);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_issuer_organization_name)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_issuer_organization_name_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.issuer_organization_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 66);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_issuer_country_name)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_issuer_country_name_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules =
0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.issuer_country_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 67);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_subject_country_name)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_subject_country_name_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.subject_country_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 68);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_subject_organization_name)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_subject_organization_name_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.subject_organization_name"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 69);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_not_valid_before)
+{
+
const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_not_valid_before_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.not_valid_before"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 70);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_not_valid_after)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_not_valid_after_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.not_valid_after"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 71);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, ssl_handshake_certificate_algorithm_id)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "ssl_handshake_certificate_algorithm_id_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "ssl.handshake.certificate.algorithm_id"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+
EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 72);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, general_session_analysis_app_id)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "general.session.analysis.app_id"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 73);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, APP_SIG_SESSION_ATTRIBUTE_STRING)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "sig_session_attribute_string_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "APP_SIG_SESSION_ATTRIBUTE_STRING"), "SIG_SEESION", strlen("SIG_SEESION"));
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "APP_SIG_SESSION_ATTRIBUTE_STRING"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 74);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, APP_SIG_SESSION_ATTRIBUTE_FLAG)
+{
+ const struct streaminfo a_stream = {0};
+ const char *s_data = "sig_session_attribute_flag_test";
+ size_t s_data_len = strlen(s_data);
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited =
maat_scan_string(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "APP_SIG_SESSION_ATTRIBUTE_FLAG"), s_data, s_data_len, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 75);
+ maat_state_free(mid);
+ mid = NULL;
+}
+
+TEST(TSG_Table, APP_SIG_SESSION_ATTRIBUTE_INTEGER)
+{
+ const struct streaminfo a_stream = {0};
+ long long integer = 1007;
+ struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
+ maat_state_set_scan_district(mid, maat_get_table_id(g_tsg_maat_feather, "APP_SIG_SESSION_ATTRIBUTE_INTEGER"), "SIG_SEESION", strlen("SIG_SEESION"));
+
+ size_t n_matched_rules = 0;
+ long long matched_rules[MAX_RESULT_NUM];
+ int is_hited = maat_scan_integer(g_tsg_maat_feather, maat_get_table_id(g_tsg_maat_feather, "APP_SIG_SESSION_ATTRIBUTE_INTEGER"), integer, matched_rules, MAX_RESULT_NUM, &n_matched_rules, mid);
+ EXPECT_EQ(is_hited, MAAT_SCAN_HIT);
+ EXPECT_EQ(n_matched_rules, 1);
+ EXPECT_EQ(matched_rules[0], 76);
+ maat_state_free(mid);
+ mid = NULL;
+}
+int main(int argc, char *argv[])
+{
+ tsg_maat_rule_init("tsgconf/main.conf");
+ testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
\ No newline at end of file