| author | 刘文坛 <[email protected]> | 2023-10-18 03:32:53 +0000 |
|---|---|---|
| committer | 刘文坛 <[email protected]> | 2023-10-18 03:32:53 +0000 |
| commit | 613b5b3dcf749bc6773fd9883ab4d030c1c3e36e (patch) | |
| tree | e60bd3fe0d59c5447d403199e7b7e3c97b0b1710 /test | |
| parent | 48af7e7aac84f673bf39a5679503bc891407a182 (diff) | |
[FEATURE]Refactor NOT clause, NOTE:forward incompatibility!!!
Diffstat (limited to 'test')
| -rw-r--r-- | test/expr_matcher_gtest.cpp | 86 | ||||
| -rw-r--r-- | test/maat_framework_gtest.cpp | 610 | ||||
| -rw-r--r-- | test/maat_framework_perf_gtest.cpp | 34 | ||||
| -rw-r--r-- | test/maat_json.json | 611 | ||||
| -rw-r--r-- | test/table_info.conf | 60 |
5 files changed, 1228 insertions, 173 deletions
diff --git a/test/expr_matcher_gtest.cpp b/test/expr_matcher_gtest.cpp index 5cfd5f5..bb70306 100644 --- a/test/expr_matcher_gtest.cpp +++ b/test/expr_matcher_gtest.cpp @@ -305,7 +305,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_normal_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 101); @@ -313,7 +313,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_normal_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 101); @@ -352,7 +352,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_normal_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 101); @@ -360,7 +360,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_normal_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 101); @@ -392,7 +392,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_left_unlimit_offset) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); 
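Review bot: The new expectation `EXPECT_EQ(ret, 1);` after each `expr_matcher_match()` call is a bare literal, and nothing in the test says what 1 means now that a scan producing `n_result == 1` no longer returns 0. If the matcher header exposes named return codes, compare against the name; otherwise add a comment at the first use, such as `// expr_matcher_match: 1 = at least one rule hit (was 0 before the NOT-clause refactor)`. That meaning is inferred from the assertions here, so confirm it against the implementation. The same literal is repeated in every later hunk of this file, including the two `expr_matcher_stream_match()` hunks. Callers outside the tests that still compare the return value with 0 would need the same update, which the "forward incompatibility" in the title hints at but does not list.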
@@ -400,7 +400,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_left_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); @@ -408,7 +408,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_left_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); @@ -440,7 +440,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_left_unlimit_offset) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); @@ -448,7 +448,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_left_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); @@ -456,7 +456,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_left_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 102); @@ -502,7 +502,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); 
@@ -510,7 +510,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); @@ -518,7 +518,7 @@ TEST(hs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data5, strlen(scan_data5), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); @@ -557,7 +557,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); @@ -565,7 +565,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); @@ -573,7 +573,7 @@ TEST(rs_expr_matcher_match, literal_sub_has_right_unlimit_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data5, strlen(scan_data5), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 103); @@ -597,7 +597,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_no_offset) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); 
@@ -605,7 +605,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_no_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); @@ -613,7 +613,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_no_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); @@ -644,7 +644,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_no_offset) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); @@ -652,7 +652,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_no_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); @@ -660,7 +660,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_no_offset) memset(result, 0, sizeof(result)); n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data3, strlen(scan_data3), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 104); @@ -692,7 +692,7 @@ TEST(hs_expr_matcher_match, literal_exactly) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 105); 
@@ -733,7 +733,7 @@ TEST(rs_expr_matcher_match, literal_exactly) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 105); @@ -774,7 +774,7 @@ TEST(hs_expr_matcher_match, literal_prefix) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 106); @@ -799,7 +799,7 @@ TEST(hs_expr_matcher_match, literal_prefix) n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 106); @@ -824,7 +824,7 @@ TEST(rs_expr_matcher_match, literal_prefix) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 106); @@ -849,7 +849,7 @@ TEST(rs_expr_matcher_match, literal_prefix) n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data4, strlen(scan_data4), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 106); @@ -874,7 +874,7 @@ TEST(hs_expr_matcher_match, literal_suffix) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 107); @@ -883,7 +883,7 @@ TEST(hs_expr_matcher_match, literal_suffix) n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 107); 
@@ -924,7 +924,7 @@ TEST(rs_expr_matcher_match, literal_suffix) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 107); @@ -933,7 +933,7 @@ TEST(rs_expr_matcher_match, literal_suffix) n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data2, strlen(scan_data2), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 107); @@ -973,7 +973,7 @@ TEST(hs_expr_matcher_match, literal_sub_with_hex) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 108); @@ -1005,7 +1005,7 @@ TEST(rs_expr_matcher_match, literal_sub_with_hex) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 108); @@ -1037,7 +1037,7 @@ TEST(hs_expr_matcher_match, literal_with_chinese) struct expr_scan_result result0[64] = {0}; size_t n_result0 = 0; ret = expr_matcher_match(matcher, 0, data0, strlen(data0), result0, 64, &n_result0); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result0, 1); EXPECT_EQ(result0[0].rule_id, 110); @@ -1061,7 +1061,7 @@ TEST(rs_expr_matcher_match, literal_with_chinese) struct expr_scan_result result0[64] = {0}; size_t n_result0 = 0; ret = expr_matcher_match(matcher, 0, data0, strlen(data0), result0, 64, &n_result0); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result0, 1); EXPECT_EQ(result0[0].rule_id, 110); 
@@ -1085,7 +1085,7 @@ TEST(hs_expr_matcher_match, same_pattern_different_offset) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, data, strlen(data), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 112); @@ -1109,7 +1109,7 @@ TEST(rs_expr_matcher_match, same_pattern_different_offset) struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, data, strlen(data), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 112); @@ -1135,7 +1135,7 @@ that the edges be all directed in the same direction."; struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 113); @@ -1161,7 +1161,7 @@ that the edges be all directed in the same direction."; struct expr_scan_result result[64] = {0}; size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data, strlen(scan_data), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 113); @@ -1213,7 +1213,7 @@ TEST(hs_expr_matcher_stream, basic) EXPECT_EQ(n_hit_result, 0); ret = expr_matcher_stream_match(stream, scan_data2, strlen(scan_data2), result, 64, &n_hit_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(result[0].rule_id, 113); @@ -1249,7 +1249,7 @@ TEST(rs_expr_matcher_stream, basic) EXPECT_EQ(n_hit_result, 0); ret = expr_matcher_stream_match(stream, scan_data2, strlen(scan_data2), result, 64, &n_hit_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(result[0].rule_id, 113); 
@@ -1308,7 +1308,7 @@ TEST(rs_expr_matcher, regex_basic) size_t n_result = 0; ret = expr_matcher_match(matcher, 0, scan_data1, strlen(scan_data1), result, 64, &n_result); - EXPECT_EQ(ret, 0); + EXPECT_EQ(ret, 1); EXPECT_EQ(n_result, 1); EXPECT_EQ(result[0].rule_id, 114); diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp index e2fd6b1..fad32d6 100644 --- a/test/maat_framework_gtest.cpp +++ b/test/maat_framework_gtest.cpp @@ -776,7 +776,7 @@ TEST_F(MaatHsStringScan, Regex) { ret = maat_scan_string(maat_inst, table_id, cookie, strlen(cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(results[0], 146); + EXPECT_EQ(results[0], 148); maat_state_free(state); state = NULL; } @@ -864,7 +864,7 @@ TEST_F(MaatHsStringScan, ExprPlusWithOffset) ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_hit, sizeof(udp_payload_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(results[0], 148); + EXPECT_EQ(results[0], 149); maat_state_free(state); state = NULL; @@ -1446,7 +1446,7 @@ TEST_F(MaatRsStringScan, Regex) { ret = maat_scan_string(maat_inst, table_id, cookie, strlen(cookie), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(results[0], 146); + EXPECT_EQ(results[0], 148); maat_state_free(state); state = NULL; } @@ -1534,7 +1534,7 @@ TEST_F(MaatRsStringScan, ExprPlusWithOffset) ret = maat_scan_string(maat_inst, table_id, (char*)udp_payload_hit, sizeof(udp_payload_hit), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(results[0], 148); + EXPECT_EQ(results[0], 149); maat_state_free(state); state = NULL; @@ -2623,7 +2623,7 @@ protected: struct maat *MaatIntervalScan::_shared_maat_inst; struct log_handle *MaatIntervalScan::logger; -TEST_F(MaatIntervalScan, Pure) { +TEST_F(MaatIntervalScan, IntegerRange) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; 
@@ -2648,6 +2648,27 @@ TEST_F(MaatIntervalScan, Pure) { state = NULL; } +TEST_F(MaatIntervalScan, SingleInteger) { + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + int thread_id = 0; + const char *table_name = "CONTENT_SIZE"; + struct maat *maat_inst = MaatIntervalScan::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + int table_id = maat_get_table_id(maat_inst, table_name); + unsigned int scan_data1 = 3000; + + int ret = maat_scan_integer(maat_inst, table_id, scan_data1, results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 218); + + maat_state_free(state); + state = NULL; +} + TEST_F(MaatIntervalScan, IntervalPlus) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; @@ -2724,14 +2745,13 @@ TEST_F(NOTLogic, OneRegion) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; - const char *table_name = "HTTP_URL"; + const char *table_name = "HTTP_URL_FILTER"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); - maat_state_enable_compile_NOT(state); int ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit), results, ARRAY_SIZE, &n_hit_result, state); 
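Review bot: The added `SingleInteger` test passes `table_id` to `maat_scan_integer()` without checking it, unlike the NOTLogic tests in this commit, which follow each `maat_get_table_id()` with `ASSERT_GT(..., 0)`. A missing or renamed `CONTENT_SIZE` entry would then surface as an unexpected scan result rather than as a lookup failure. Add `ASSERT_GT(table_id, 0);` directly after the lookup. Placing the lookup and assertion ahead of `maat_state_new()` also keeps a failed assertion from returning with `state` still allocated.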
@@ -2751,40 +2771,50 @@ TEST_F(NOTLogic, ScanNotAtLast) { const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144."; const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-144 " "and must-not-contained-string-of-rule-144."; + const char *string_contain_nothing = "This string contains nothing."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; - const char *hit_table_name = "HTTP_URL"; - const char *not_hit_table_name = "KEYWORDS_TABLE"; + const char *hit_table_name = "HTTP_URL_FILTER"; + const char *not_hit_table_name = "HTTP_RESPONSE_KEYWORDS"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); int hit_table_id = maat_get_table_id(maat_inst, hit_table_name); ASSERT_GT(hit_table_id, 0); - int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit, strlen(string_should_hit), - results, ARRAY_SIZE, &n_hit_result, state); + int ret = maat_scan_string(maat_inst, hit_table_id, string_should_hit, + strlen(string_should_hit), results, ARRAY_SIZE, + &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name); ASSERT_GT(not_hit_table_id, 0); - maat_state_enable_compile_NOT(state); - ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit, strlen(string_should_not_hit), - results, ARRAY_SIZE, &n_hit_result, state); + ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit, + strlen(string_should_not_hit), results, ARRAY_SIZE, + &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + ret = maat_scan_string(maat_inst, not_hit_table_id, string_contain_nothing, + strlen(string_contain_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 144); + maat_state_free(state); state = NULL; } 
TEST_F(NOTLogic, ScanIrrelavantAtLast) { const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-144."; - const char *string_irrelevant = "This string contiains nothing to hit."; + const char *string_irrelevant = "This string contains nothing to hit."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; - const char *hit_table_name = "HTTP_URL"; - const char *not_hit_table_name = "KEYWORDS_TABLE"; + const char *hit_table_name = "HTTP_URL_FILTER"; + const char *not_hit_table_name = "HTTP_RESPONSE_KEYWORDS"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); @@ -2798,7 +2828,6 @@ TEST_F(NOTLogic, ScanIrrelavantAtLast) { int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name); ASSERT_GT(hit_table_id, 0); - maat_state_enable_compile_NOT(state); ret = maat_scan_string(maat_inst, not_hit_table_id, string_irrelevant, strlen(string_irrelevant), results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); @@ -2814,7 +2843,7 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; - const char *not_hit_table_name = "HTTP_URL"; + const char *not_hit_table_name = "HTTP_URL_FILTER"; const char *hit_table_name = "IP_PLUS_CONFIG"; const char *empty_table_name = "EMPTY_KEYWORD"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; @@ -2826,7 +2855,7 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) { int ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); uint32_t sip; inet_pton(AF_INET, "10.0.8.186", &sip); 
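Review bot: `ScanNotAtLast` now pins a contract that is not written down anywhere in the hunk. On the same `state`, scanning `HTTP_RESPONSE_KEYWORDS` with `string_should_not_hit` returns `MAAT_SCAN_HALF_HIT`, and a following scan of the same table with `string_contain_nothing` returns `MAAT_SCAN_HIT` for rule 144. Read literally, a NOT clause is judged against the latest scan of its table rather than against everything the state has seen, which matters to any caller that feeds one field to the scanner in several pieces. If that is intended, say so above the third scan, e.g. `// NOT clause is evaluated per scan call; an earlier match of the excluded keyword on this state does not suppress a later hit`; if not, the expected value should stay `MAAT_SCAN_HALF_HIT`. This is inferred from the assertions only, since the diff is limited to 'test' and the matcher change is not shown.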
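Review bot: In the `ScanIrrelavantAtLast` hunk at `-2798,7 +2828,6`, the assertion after `int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name);` still reads `ASSERT_GT(hit_table_id, 0);`, so the lookup of the table this commit renames to `HTTP_RESPONSE_KEYWORDS` is never checked. It should be `ASSERT_GT(not_hit_table_id, 0);`. The line is unchanged context, but with the rename a failed lookup would pass an invalid id straight into `maat_scan_string()` and the test would fail for an unrelated-looking reason. The test body starts outside this hunk.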
@@ -2838,18 +2867,18 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyExpr) { ret = maat_scan_ipv4(maat_inst, hit_table_id, sip, port, proto, results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 186); int empty_table_id = maat_get_table_id(maat_inst, empty_table_name); ASSERT_GT(empty_table_id, 0); - maat_state_enable_compile_NOT(state); ret = maat_scan_string(maat_inst, empty_table_id, string_match_no_region, strlen(string_match_no_region), results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - EXPECT_EQ(results[0], 186); + EXPECT_EQ(ret, MAAT_SCAN_OK); + maat_state_free(state); state = NULL; } @@ -2859,7 +2888,7 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) { long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; - const char *not_hit_table_name = "HTTP_URL"; + const char *not_hit_table_name = "HTTP_URL_FILTER"; const char *hit_table_name = "IP_PLUS_CONFIG"; const char *empty_table_name = "EMPTY_INTERGER"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; @@ -2871,7 +2900,7 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) { int ret = maat_scan_string(maat_inst, not_hit_table_id, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_OK); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); uint32_t sip; inet_pton(AF_INET, "10.0.8.187", &sip); 
@@ -2883,16 +2912,17 @@ TEST_F(NOTLogic, ScanHitAtLastEmptyInteger) { ret = maat_scan_ipv4(maat_inst, hit_table_id, sip, port, proto, results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 187); int empty_table_id = maat_get_table_id(maat_inst, empty_table_name); ASSERT_GT(empty_table_id, 0); - maat_state_enable_compile_NOT(state); ret = maat_scan_integer(maat_inst, empty_table_id, 2015, results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(results[0], 187); + EXPECT_EQ(ret, MAAT_SCAN_OK); + maat_state_free(state); state = NULL; } @@ -2903,7 +2933,7 @@ TEST_F(NOTLogic, ScanNotIP) { size_t n_hit_result = 0; int thread_id = 0; const char *hit_table_name = "HTTP_URL"; - const char *not_hit_table_name = "IP_CONFIG"; + const char *not_hit_table_name = "VIRTUAL_IP_CONFIG"; struct maat *maat_inst = NOTLogic::_shared_maat_inst; struct maat_state *state = maat_state_new(maat_inst, thread_id); 
@@ -2923,10 +2953,232 @@ TEST_F(NOTLogic, ScanNotIP) { int not_hit_table_id = maat_get_table_id(maat_inst, not_hit_table_name); ASSERT_GT(not_hit_table_id, 0); - maat_state_enable_compile_NOT(state); ret = maat_scan_ipv4(maat_inst, not_hit_table_id, sip, port, proto, results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + inet_pton(AF_INET, "10.1.0.0", &sip); + ret = maat_scan_ipv4(maat_inst, not_hit_table_id, sip, port, proto, + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 145); + + maat_state_free(state); + state = NULL; +} + +TEST_F(NOTLogic, MultiNotClause) { + const char *string_should_half_hit = "This string ONLY contains must-contained-string-of-rule-146."; + const char *string_should_not_hit = "This string contains must-contained-string-of-rule-146 and " + "must-contained-not-string-of-rule-146."; + const char *string_nothing = "This string contain nothing"; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + int thread_id = 0; + const char *url_table_name = "HTTP_URL_FILTER"; + const char *ip_table_name = "VIRTUAL_IP_CONFIG"; + const char *http_table_name = "HTTP_RESPONSE_KEYWORDS"; + struct maat *maat_inst = NOTLogic::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + int url_table_id = maat_get_table_id(maat_inst, url_table_name); + ASSERT_GT(url_table_id, 0); + + int ret = maat_scan_string(maat_inst, url_table_id, string_should_half_hit, + strlen(string_should_half_hit), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + uint32_t sip; + inet_pton(AF_INET, "10.1.0.0", &sip); + uint16_t port = htons(50001); + int proto = 6; + + int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); + ASSERT_GT(ip_table_id, 0); + + ret = maat_scan_ipv4(maat_inst, ip_table_id, sip, port, proto, + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, 
MAAT_SCAN_HALF_HIT); + + int http_table_id = maat_get_table_id(maat_inst, http_table_name); + ASSERT_GT(http_table_id, 0); + + ret = maat_scan_string(maat_inst, http_table_id, string_should_not_hit, + strlen(string_should_not_hit), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + ret = maat_scan_string(maat_inst, http_table_id, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 146); + + maat_state_free(state); + state = NULL; +} + +TEST_F(NOTLogic, EightNotClause) { + const char *string_nothing = "This string contain nothing"; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + int thread_id = 0; + const char *table_name1 = "HTTP_RESPONSE_KEYWORDS_1"; + const char *table_name2 = "HTTP_RESPONSE_KEYWORDS_2"; + const char *table_name3 = "HTTP_RESPONSE_KEYWORDS_3"; + const char *table_name4 = "HTTP_RESPONSE_KEYWORDS_4"; + const char *table_name5 = "HTTP_RESPONSE_KEYWORDS_5"; + const char *table_name6 = "HTTP_RESPONSE_KEYWORDS_6"; + const char *table_name7 = "HTTP_RESPONSE_KEYWORDS_7"; + const char *table_name8 = "HTTP_RESPONSE_KEYWORDS_8"; + struct maat *maat_inst = NOTLogic::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + int table_id1 = maat_get_table_id(maat_inst, table_name1); + ASSERT_GT(table_id1, 0); + + int ret = maat_scan_string(maat_inst, table_id1, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id2 = maat_get_table_id(maat_inst, table_name2); + ASSERT_GT(table_id2, 0); + + ret = maat_scan_string(maat_inst, table_id2, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id3 = maat_get_table_id(maat_inst, table_name3); + ASSERT_GT(table_id3, 0); + + ret = 
maat_scan_string(maat_inst, table_id3, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id4 = maat_get_table_id(maat_inst, table_name4); + ASSERT_GT(table_id4, 0); + + ret = maat_scan_string(maat_inst, table_id4, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id5 = maat_get_table_id(maat_inst, table_name5); + ASSERT_GT(table_id5, 0); + + ret = maat_scan_string(maat_inst, table_id5, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id6 = maat_get_table_id(maat_inst, table_name6); + ASSERT_GT(table_id6, 0); + + ret = maat_scan_string(maat_inst, table_id6, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id7 = maat_get_table_id(maat_inst, table_name7); + ASSERT_GT(table_id7, 0); + + ret = maat_scan_string(maat_inst, table_id7, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int table_id8 = maat_get_table_id(maat_inst, table_name8); + ASSERT_GT(table_id8, 0); + + ret = maat_scan_string(maat_inst, table_id8, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 147); + + maat_state_free(state); + state = NULL; +} + +TEST_F(NOTLogic, NotClauseAndExcludeGroup1) { + const char *string_should_not_hit = "This string ONLY contains must-contained-string-of-rule-200 and " + "must-not-contained-string-of-rule-200"; + const char *string_should_half_hit = "This string ONLY contains must-contained-string-of-rule-200"; + const char *string_nothing = "This string contain nothing"; + long long results[ARRAY_SIZE] = {0}; + 
size_t n_hit_result = 0; + int thread_id = 0; + const char *url_table_name = "HTTP_URL_FILTER"; + const char *http_table_name = "HTTP_RESPONSE_KEYWORDS"; + struct maat *maat_inst = NOTLogic::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + int url_table_id = maat_get_table_id(maat_inst, url_table_name); + ASSERT_GT(url_table_id, 0); + + int ret = maat_scan_string(maat_inst, url_table_id, string_should_not_hit, + strlen(string_should_not_hit), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + ret = maat_scan_string(maat_inst, url_table_id, string_should_half_hit, + strlen(string_should_half_hit), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + int http_table_id = maat_get_table_id(maat_inst, http_table_name); + ASSERT_GT(http_table_id, 0); + + ret = maat_scan_string(maat_inst, http_table_id, string_nothing, + strlen(string_nothing), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 216); + + maat_state_free(state); + state = NULL; +} + +TEST_F(NOTLogic, NotClauseAndExcludeGroup2) { + const char *string1 = "This string ONLY contains mail.string-of-rule-217.com"; + const char *string2= "This string ONLY contains www.string-of-rule-217.com"; + const char *string_keywords = "This string contain keywords-for-compile-217"; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + int thread_id = 0; + const char *url_table_name = "HTTP_URL_FILTER"; + const char *http_table_name = "HTTP_RESPONSE_KEYWORDS"; + struct maat *maat_inst = NOTLogic::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + int url_table_id = maat_get_table_id(maat_inst, url_table_name); + ASSERT_GT(url_table_id, 0); + + int http_table_id = maat_get_table_id(maat_inst, http_table_name); + ASSERT_GT(http_table_id, 0); + + int ret = maat_scan_string(maat_inst, 
http_table_id, string_keywords, strlen(string_keywords), + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + ret = maat_scan_string(maat_inst, url_table_id, string1, strlen(string1), + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + ret = maat_scan_string(maat_inst, url_table_id, string2, strlen(string2), + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], 217); + maat_state_free(state); state = NULL; } @@ -3008,7 +3260,8 @@ TEST_F(ExcludeLogic, ScanExcludeAtFirst) { TEST_F(ExcludeLogic, ScanExcludeAtLast) { const char *string_should_hit = "This string ONLY contains must-contained-string-of-rule-200."; - const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-200 and must-not-contained-string-of-rule-200."; + const char *string_should_not_hit = "This string contains both must-contained-string-of-rule-200" + " and must-not-contained-string-of-rule-200."; long long results[ARRAY_SIZE] = {0}; size_t n_hit_result = 0; int thread_id = 0; 
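Review bot: `EightNotClause` repeats the same lookup, `ASSERT_GT` and `maat_scan_string()` sequence eight times with only the table-name suffix changing, which makes it easy for one copy to drift, as `ASSERT_GT(hit_table_id, 0)` after the `not_hit_table_id` lookup in `ScanIrrelavantAtLast` shows. A loop over the table names keeps the expectation in one place: `MAAT_SCAN_HALF_HIT` for the first seven tables, then `MAAT_SCAN_HIT` with rule 147 on the eighth. The hunk begins with the tail of `ScanNotIP`; the lines below cover only the body of `EightNotClause`.

```cpp
TEST_F(NOTLogic, EightNotClause) {
    // … unchanged: string_nothing, results, n_hit_result, thread_id …
    const char *table_names[] = {
        "HTTP_RESPONSE_KEYWORDS_1", "HTTP_RESPONSE_KEYWORDS_2",
        "HTTP_RESPONSE_KEYWORDS_3", "HTTP_RESPONSE_KEYWORDS_4",
        "HTTP_RESPONSE_KEYWORDS_5", "HTTP_RESPONSE_KEYWORDS_6",
        "HTTP_RESPONSE_KEYWORDS_7", "HTTP_RESPONSE_KEYWORDS_8",
    };
    const size_t n_tables = sizeof(table_names) / sizeof(table_names[0]);
    // … unchanged: maat_inst, state …

    for (size_t i = 0; i < n_tables; i++) {
        int table_id = maat_get_table_id(maat_inst, table_names[i]);
        ASSERT_GT(table_id, 0) << table_names[i];

        int ret = maat_scan_string(maat_inst, table_id, string_nothing,
                                   strlen(string_nothing), results, ARRAY_SIZE,
                                   &n_hit_result, state);
        // Only the scan of the last table completes the compile.
        int expected = (i + 1 < n_tables) ? MAAT_SCAN_HALF_HIT : MAAT_SCAN_HIT;
        EXPECT_EQ(ret, expected) << table_names[i];
    }
    EXPECT_EQ(n_hit_result, 1);
    EXPECT_EQ(results[0], 147);
    // … unchanged: maat_state_free(state); state = NULL; …
}
```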
@@ -3019,17 +3272,18 @@ TEST_F(ExcludeLogic, ScanExcludeAtLast) { int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0); - int ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit), + int ret = maat_scan_string(maat_inst, table_id, string_should_not_hit, strlen(string_should_not_hit), results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + maat_state_reset(state); + ret = maat_scan_string(maat_inst, table_id, string_should_hit, strlen(string_should_hit), + results, ARRAY_SIZE, &n_hit_result, state); EXPECT_EQ(ret, MAAT_SCAN_HIT); EXPECT_EQ(n_hit_result, 1); EXPECT_EQ(results[0], 200); - maat_state_reset(state); - - ret = maat_scan_string(maat_inst, table_id, string_should_not_hit, strlen(string_should_not_hit), - results, ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + maat_state_free(state); state = NULL; } @@ -5948,7 +6202,7 @@ TEST_F(MaatCmdTest, CompileEXData) { sleep(WAIT_FOR_EFFECTIVE_S * 5); EXPECT_EQ(param->id, 2222); sleep(2); - //excced gc_timeout_s(11s), the data pointed by param has been freed + //exceed gc_timeout_s(11s), the data pointed by param has been freed } TEST_F(MaatCmdTest, PluginEXData) { @@ -6030,7 +6284,7 @@ TEST_F(MaatCmdTest, PluginEXData) { EXPECT_EQ(uinfo1->id, 2); sleep(WAIT_FOR_EFFECTIVE_S * 2); - //excced gc_timeout_s, the data pointed by uinfo1 has been freed + //exceed gc_timeout_s, the data pointed by uinfo1 has been freed } TEST_F(MaatCmdTest, UpdateIPPlugin) { @@ -6124,7 +6378,7 @@ TEST_F(MaatCmdTest, UpdateIPPlugin) { EXPECT_EQ(results[1]->rule_id, 103); sleep(WAIT_FOR_EFFECTIVE_S * 2); - //excced gc_timeout_s, the data pointed by results[idx] has been freed + //exceed gc_timeout_s, the data pointed by results[idx] has been freed } TEST_F(MaatCmdTest, UpdateFQDNPlugin) { 
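Review bot: The first scan in the reordered `ScanExcludeAtLast` body asserts only the return code; after `EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT);` nothing pins that no rule id was reported for the string that carries the excluded keyword. Adding `EXPECT_EQ(n_hit_result, 0);` right after that check, before `maat_state_reset(state);`, would make the exclude case fail visibly if rule 200 ever reached `results` on a half hit. The test body starts above this hunk, so the declarations it uses are not part of it.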
@@ -6204,7 +6458,7 @@ TEST_F(MaatCmdTest, UpdateFQDNPlugin) { EXPECT_EQ(results[0]->catid, 3); sleep(WAIT_FOR_EFFECTIVE_S * 2); - //excced gc_timeout_s, the data pointed by results[idx] has been freed + //exceed gc_timeout_s, the data pointed by results[idx] has been freed } TEST_F(MaatCmdTest, UpdateBoolPlugin) { @@ -6283,7 +6537,7 @@ TEST_F(MaatCmdTest, UpdateBoolPlugin) { EXPECT_EQ(results[0]->name_len, 8); sleep(WAIT_FOR_EFFECTIVE_S * 2); - //excced gc_timeout_s, the data pointed by results[idx] has been freed + //exceed gc_timeout_s, the data pointed by results[idx] has been freed } #define COMPILE_ID_NUMS 1000 
@@ -6869,6 +7123,272 @@ that the edges be all directed in the same direction."; state = NULL; } +TEST_F(MaatCmdTest, HitPathHasNotGroup) { + const char *g2g_table_name = "GROUP2GROUP"; + const char *g2c_table_name = "GROUP2COMPILE"; + const char *compile_table_name = "COMPILE"; + const char *http_sig_table_name = "HTTP_SIGNATURE"; + const char *ip_table_name = "IP_CONFIG"; + const char *keywords_table_name = "KEYWORDS_TABLE"; + int thread_id = 0; + struct maat *maat_inst = MaatCmdTest::_shared_maat_inst; + struct maat_state *state = maat_state_new(maat_inst, thread_id); + + /* compile1 */ + long long compile1_id = maat_cmd_incrby(maat_inst, "TEST_SEQ", 1); + int ret = compile_table_set_line(maat_inst, compile_table_name, MAAT_OP_ADD, compile1_id, + "null", 2, 0); + EXPECT_EQ(ret, 1); + + // !group1 -> compile1 + long long group1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group1_id, + compile1_id, 1, "HTTP_REQUEST_HEADER", 1, 0); + EXPECT_EQ(ret, 1); + + // !(item1 -> group1) -> compile1 + long long item1_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); + ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD, item1_id, group1_id, + "math_theory", "URL", 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ + EXPECT_EQ(ret, 1); + + /* !(item1 -> group1) -> compile1 + / + group21_/ + */ + long long group21_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = group2compile_table_set_line(maat_inst, g2c_table_name, MAAT_OP_ADD, group21_id, + compile1_id, 0, "HTTP_RESPONSE_HEADER", 2, 0); + EXPECT_EQ(ret, 1); + + /* !(item1 -> group1) -> compile1 + / + group2 -> group21 _/ + */ + long long group2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD, group2_id, + group21_id, 0, 0); + EXPECT_EQ(ret, 1); + + /* !(item1 -> group1) -> compile1 + / + item2 -> group2 -> group21 _/ + */ + 
long long item2_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); + ret = expr_table_set_line(maat_inst, http_sig_table_name, MAAT_OP_ADD, item2_id, group2_id, + "time=2020-02-12", "Cookie", 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ + EXPECT_EQ(ret, 1); + + /* + item1 -> group1 -> group11 + + !(item1 -> group1) -> compile1 + / + item2 -> group2 -> group21 _/ + */ + long long group11_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = group2group_table_set_line(maat_inst, g2g_table_name, MAAT_OP_ADD, group1_id, + group11_id, 0, 0); + EXPECT_EQ(ret, 1); + + //item3 -> group3, group3 is not referenced by any compile. + long long item3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); + long long group3_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = ip_table_set_line(maat_inst, ip_table_name, MAAT_OP_ADD, item3_id, group3_id, + IPv4, "220.181.38.158", "220.181.38.159", 0, 65535, 0); + EXPECT_EQ(ret, 1); + + char temp[1024]={0}; + //item4 -> group4, group4 is not referenced by any compile. 
+ long long item4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_REGION", 1); + long long group4_id = maat_cmd_incrby(maat_inst, "SEQUENCE_GROUP", 1); + ret = expr_table_set_line(maat_inst, keywords_table_name, MAAT_OP_ADD, item4_id, group4_id, + str_escape(temp, sizeof(temp), "a finite and infinite"), + NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/ + EXPECT_EQ(ret, 1); + + sleep(WAIT_FOR_EFFECTIVE_S * 2); + + const char* http_url = "en.wikipedia.org/wiki/Path_(chemistry_theory)"; + const char* http_resp_hdr_cookie = "laptop=thinkpad X1 extrem;time=2020-02-12T15:34:00;" + "main[XWJOKE]=hoho; Hm_lvt_bbac0322e6ee13093f98d5c4b5a10912=1578874808;"; + + int http_req_table_id = maat_get_table_id(maat_inst, "HTTP_REQUEST_HEADER"); + ASSERT_GT(http_req_table_id, 0); + + ret = maat_state_set_scan_district(state, http_req_table_id, "URL", strlen("URL")); + EXPECT_EQ(ret, 0); + + int Nth_scan = 0; + + Nth_scan++; + long long results[ARRAY_SIZE] = {0}; + size_t n_hit_result = 0; + ret = maat_scan_string(maat_inst, http_req_table_id, http_url, strlen(http_url), + results, ARRAY_SIZE, &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + + size_t scan_count = maat_state_get_scan_count(state); + EXPECT_EQ(scan_count, 1); + + struct maat_hit_path hit_path[128]; + memset(hit_path, 0, sizeof(hit_path)); + int n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path)); + EXPECT_EQ(n_read, 2); + + int path_idx = 0; + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, -1); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id); + EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 1); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + path_idx++; + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, -1); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id); + 
EXPECT_EQ(hit_path[path_idx].top_group_id, -1); + EXPECT_EQ(hit_path[path_idx].vtable_id, http_req_table_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 1); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + int http_res_table_id = maat_get_table_id(maat_inst, "HTTP_RESPONSE_HEADER"); + ASSERT_GT(http_res_table_id, 0); + + ret = maat_state_set_scan_district(state, http_res_table_id, "Cookie", strlen("Cookie")); + EXPECT_EQ(ret, 0); + + Nth_scan++; + ret = maat_scan_string(maat_inst, http_res_table_id, http_resp_hdr_cookie, + strlen(http_resp_hdr_cookie), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HIT); + EXPECT_EQ(n_hit_result, 1); + EXPECT_EQ(results[0], compile1_id); + + scan_count = maat_state_get_scan_count(state); + EXPECT_EQ(scan_count, 2); + + n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path)); + EXPECT_EQ(n_read, 4); + + path_idx = 0; + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1); + EXPECT_EQ(hit_path[path_idx].item_id, -1); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, group11_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 1); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + path_idx++; + ASSERT_EQ(path_idx, 1); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan-1); + EXPECT_EQ(hit_path[path_idx].item_id, -1); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group1_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, group1_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 1); + EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id); + + path_idx++; + ASSERT_EQ(path_idx, 2); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, item2_id); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, group21_id); + EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 0); + EXPECT_EQ(hit_path[path_idx].compile_id, compile1_id); + + 
path_idx++; + ASSERT_EQ(path_idx, 3); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, item2_id); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group2_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, -1); + EXPECT_EQ(hit_path[path_idx].vtable_id, http_res_table_id); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 0); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + const char *keywords1 = "In math theory, a finite and infinite come up all the time."; + const char *keywords2= "a finite and infinite come up again."; + + int keywords_table_id = maat_get_table_id(maat_inst, keywords_table_name); + ASSERT_GT(keywords_table_id, 0); + + struct maat_stream *stream = maat_stream_new(maat_inst, keywords_table_id, state); + Nth_scan++; + ret = maat_stream_scan(stream, keywords1, strlen(keywords1), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + scan_count = maat_state_get_scan_count(state); + EXPECT_EQ(scan_count, 3); + + n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path)); + EXPECT_EQ(n_read, 5); + + path_idx++; + ASSERT_EQ(path_idx, 4); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, item4_id); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, -1); + EXPECT_EQ(hit_path[path_idx].vtable_id, 0); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 0); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + int ip_table_id = maat_get_table_id(maat_inst, ip_table_name); + ASSERT_GT(ip_table_id, 0); + + Nth_scan++; + uint32_t ip_addr; + inet_pton(AF_INET, "220.181.38.158", &ip_addr); + uint16_t port = htons(17272); + ret = maat_scan_ipv4(maat_inst, ip_table_id, ip_addr, port, 6, results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + scan_count = maat_state_get_scan_count(state); + EXPECT_EQ(scan_count, 4); + + n_read = maat_state_get_hit_paths(state, hit_path, 
sizeof(hit_path)); + EXPECT_EQ(n_read, 6); + + path_idx++; + ASSERT_EQ(path_idx, 5); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, item3_id); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group3_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, -1); + EXPECT_EQ(hit_path[path_idx].vtable_id, 0); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 0); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + Nth_scan++; + ret = maat_stream_scan(stream, keywords2, strlen(keywords2), results, ARRAY_SIZE, + &n_hit_result, state); + EXPECT_EQ(ret, MAAT_SCAN_HALF_HIT); + scan_count = maat_state_get_scan_count(state); + EXPECT_EQ(scan_count, 5); + + n_read = maat_state_get_hit_paths(state, hit_path, sizeof(hit_path)); + EXPECT_EQ(n_read, 7); + + path_idx++; + ASSERT_EQ(path_idx, 6); + EXPECT_EQ(hit_path[path_idx].Nth_scan, Nth_scan); + EXPECT_EQ(hit_path[path_idx].item_id, item4_id); + EXPECT_EQ(hit_path[path_idx].sub_group_id, group4_id); + EXPECT_EQ(hit_path[path_idx].top_group_id, -1); + EXPECT_EQ(hit_path[path_idx].vtable_id, 0); + EXPECT_EQ(hit_path[path_idx].NOT_flag, 0); + EXPECT_EQ(hit_path[path_idx].compile_id, -1); + + maat_stream_free(stream); + maat_state_free(state); + state = NULL; +} + TEST_F(MaatCmdTest, SameSuperGroupRefByMultiCompile) { char temp[1024]={0}; int thread_id = 0; diff --git a/test/maat_framework_perf_gtest.cpp b/test/maat_framework_perf_gtest.cpp index 1f636e3..fa95d02 100644 --- a/test/maat_framework_perf_gtest.cpp +++ b/test/maat_framework_perf_gtest.cpp @@ -403,7 +403,7 @@ protected: maat_options_free(opts); if (NULL == _shared_maat_inst) { log_error(logger, MODULE_FRAMEWORK_PERF_GTEST, - "[%s:%d] create maat instance in MaatFlagScan failed.", + "[%s:%d] create maat instance in MaatStringScan failed.", __FUNCTION__, __LINE__); } } 
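Review bot: All five `maat_state_get_hit_paths(state, hit_path, sizeof(hit_path))` calls in `HitPathHasNotGroup` pass the byte size of the array rather than its 128 elements. If the third parameter is an element count, which the `ARRAY_SIZE` argument given to `maat_scan_string` for `results` suggests but this hunk does not show, the library is told the buffer is far larger than it is and could write past `hit_path` once enough paths accumulate. Passing `sizeof(hit_path) / sizeof(hit_path[0])` bounds the write to the real capacity. Separately, the `n_read` checks are `EXPECT_EQ`, so the indexed `hit_path[path_idx]` assertions that follow still run against stale or zeroed entries when fewer paths come back; `ASSERT_EQ(n_read, 4);` and its siblings would stop the test at that point.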
@@ -425,7 +425,6 @@ void *perf_string_scan_thread(void *arg) struct thread_param *param = (struct thread_param *)arg; struct maat *maat_inst = param->maat_inst; const char *table_name = param->table_name; - struct timespec start, end; const char *scan_data = "today and yesterday should hit"; long long results[ARRAY_SIZE] = {0}; int hit_times = 0; @@ -435,6 +434,7 @@ void *perf_string_scan_thread(void *arg) int table_id = maat_get_table_id(maat_inst, table_name); maat_register_thread(maat_inst); + struct timespec start, end; clock_gettime(CLOCK_MONOTONIC, &start); for (int i = 0; i < param->test_count; i++) { int ret = maat_scan_string(maat_inst, table_id, scan_data, strlen(scan_data), @@ -446,7 +446,8 @@ void *perf_string_scan_thread(void *arg) } clock_gettime(CLOCK_MONOTONIC, &end); - param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + (end.tv_nsec - start.tv_nsec) / 1000000; + param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + + (end.tv_nsec - start.tv_nsec) / 1000000; int *is_all_hit = ALLOC(int, 1); *is_all_hit = (hit_times == param->test_count ? 1 : 0); log_info(param->logger, MODULE_FRAMEWORK_PERF_GTEST, @@ -669,7 +670,6 @@ TEST_F(MaatPerfRegexScan, RegexMultiThread) { PERF_THREAD_NUM, scan_per_second); } - void *perf_integer_scan_thread(void *arg) { struct thread_param *param = (struct thread_param *)arg; @@ -752,7 +752,7 @@ protected: maat_options_free(opts); if (NULL == _shared_maat_inst) { log_error(logger, MODULE_FRAMEWORK_PERF_GTEST, - "[%s:%d] create maat instance in MaatFlagScan failed.", + "[%s:%d] create maat instance in MaatStreamScan failed.", __FUNCTION__, __LINE__); } } 
@@ -775,7 +775,7 @@ void *perf_stream_scan_thread(void *arg) struct maat *maat_inst = param->maat_inst; const char *table_name = param->table_name; struct timespec start, end; - const char *scan_data = "http://www.cyberessays.com/search_results.php?today and yesterday"; + const char *scan_data = "http://www.cyberessays.com/search_results.php?action=search&query=username,abckkk,1234567"; long long results[ARRAY_SIZE] = {0}; int ret = 0, hit_times = 0; size_t n_hit_result = 0; @@ -809,7 +809,7 @@ void *perf_stream_scan_thread(void *arg) } TEST_F(MaatPerfStreamScan, MultiThread) { - const char *table_name = "EXPR_LITERAL_PERF_CONFIG"; + const char *table_name = "HTTP_URL"; struct maat *maat_inst = MaatPerfStreamScan::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); @@ -880,7 +880,7 @@ protected: maat_options_free(opts); if (NULL == _shared_maat_inst) { log_error(logger, MODULE_FRAMEWORK_PERF_GTEST, - "[%s:%d] create maat instance in MaatFlagScan failed.", + "[%s:%d] create maat instance in MaatIPScan failed.", __FUNCTION__, __LINE__); } } @@ -928,7 +928,8 @@ void *perf_ip_scan_thread(void *arg) } clock_gettime(CLOCK_MONOTONIC, &end); - param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + (end.tv_nsec - start.tv_nsec) / 1000000; + param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + + (end.tv_nsec - start.tv_nsec) / 1000000; int *is_all_hit = ALLOC(int, 1); *is_all_hit = (hit_times == param->test_count ? 1 : 0); log_info(param->logger, MODULE_FRAMEWORK_PERF_GTEST, @@ -1044,7 +1045,7 @@ protected: maat_options_free(opts); if (NULL == _shared_maat_inst) { log_error(logger, MODULE_FRAMEWORK_PERF_GTEST, - "[%s:%d] create maat instance in MaatFlagScan failed.", + "[%s:%d] create maat instance in MaatIntegerScan failed.", __FUNCTION__, __LINE__); } } 
@@ -1062,7 +1063,7 @@ struct maat *MaatPerfIntegerScan::_shared_maat_inst; struct log_handle *MaatPerfIntegerScan::logger; TEST_F(MaatPerfIntegerScan, MultiThread) { - const char *table_name = "INTEGER_PERF_CONFIG"; + const char *table_name = "CONTENT_SIZE"; struct maat *maat_inst = MaatPerfIntegerScan::_shared_maat_inst; int table_id = maat_get_table_id(maat_inst, table_name); @@ -1283,7 +1284,7 @@ protected: maat_options_free(opts); if (NULL == _shared_maat_inst) { log_error(logger, MODULE_FRAMEWORK_PERF_GTEST, - "[%s:%d] create maat instance in MaatFlagScan failed.", + "[%s:%d] create maat instance in MaatFQDNPluginScan failed.", __FUNCTION__, __LINE__); } } @@ -1365,7 +1366,8 @@ void* perf_fqdn_plugin_scan_thread(void *arg) } clock_gettime(CLOCK_MONOTONIC, &end); - param->time_elapse_ms = (end.tv_sec-start.tv_sec)*1000 + (end.tv_nsec-start.tv_nsec)/1000000; + param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + + (end.tv_nsec - start.tv_nsec) / 1000000; int* is_all_hit = (int*)malloc(sizeof(int)); *is_all_hit = (hit_times == param->test_count) ? 1 : 0; log_info(param->logger, MODULE_FRAMEWORK_PERF_GTEST, @@ -1593,7 +1595,8 @@ void* perf_bool_plugin_scan_thread(void *arg) } clock_gettime(CLOCK_MONOTONIC, &end); - param->time_elapse_ms = (end.tv_sec-start.tv_sec)*1000 + (end.tv_nsec-start.tv_nsec)/1000000; + param->time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + + (end.tv_nsec - start.tv_nsec) / 1000000; int* is_all_hit = (int*)malloc(sizeof(int)); *is_all_hit = (hit_times == param->test_count) ? 1 : 0; 
@@ -1782,7 +1785,8 @@ static void *ip_plugin_get_thread(void *arg) } clock_gettime(CLOCK_MONOTONIC, &end); - long long time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + (end.tv_nsec - start.tv_nsec) / 1000000; + long long time_elapse_ms = (end.tv_sec - start.tv_sec) * 1000 + + (end.tv_nsec - start.tv_nsec) / 1000000; log_info(maat_inst->logger, MODULE_FRAMEWORK_PERF_GTEST, "ip_plugin_get_ex_data time_elapse:%lldms hit_times:%d", time_elapse_ms, hit_times); diff --git a/test/maat_json.json b/test/maat_json.json index 81fadff..ebdfba9 100644 --- a/test/maat_json.json +++ b/test/maat_json.json @@ -683,6 +683,7 @@ "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 0, "regions": [ { @@ -698,6 +699,7 @@ ] }, { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 1, "regions": [ { @@ -724,6 +726,7 @@ "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 0, "regions": [ { @@ -739,6 +742,7 @@ ] }, { + "virtual_table": "HTTP_RESPONSE_KEYWORDS", "not_flag": 1, "regions": [ { @@ -780,6 +784,7 @@ ] }, { + "virtual_table": "VIRTUAL_IP_CONFIG", "not_flag": 1, "group_name": "123_IP_group" } 
@@ -791,22 +796,48 @@ "action": 1, "do_blacklist": 1, "do_log": 1, - "user_region": "StringScan.Regex", + "user_region": "NOTLogic.ScanMultiNotClause", "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", + "not_flag": 0, + "clause_index": 0, "regions": [ { "table_name": "HTTP_URL", "table_type": "expr", "table_content": { - "keywords": "Cookie:\\s.*head", - "expr_type": "regex", + "keywords": "must-contained-string-of-rule-146", + "expr_type": "none", "match_method": "sub", "format": "uncase plain" } } ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS", + "not_flag": 1, + "clause_index": 1, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "must-contained-not-string-of-rule-146", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "VIRTUAL_IP_CONFIG", + "not_flag": 1, + "clause_index": 2, + "group_name": "123_IP_group" } ] }, 
@@ -816,47 +847,141 @@ "action": 1, "do_blacklist": 1, "do_log": 1, - "user_region": "StringScan.UTF8EncodedURL", + "user_region": "NOTLogic.8NotClause", "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_1", + "not_flag": 1, + "clause_index": 0, "regions": [ { - "table_name": "HTTP_URL", + "table_name": "KEYWORDS_TABLE", "table_type": "expr", "table_content": { - "keywords": "googlevideo.com/videoplayback&mn=sn-35153iuxa-5a56%2Csn-n8v7znz7", - "expr_type": "and", + "keywords": "clause0-in-compile-147", + "expr_type": "none", "match_method": "sub", "format": "uncase plain" } } ] - } - ] - }, - { - "compile_id": 148, - "service": 0, - "action": 0, - "do_blacklist": 0, - "do_log": 0, - "user_region": "StringScan.ExprPlusWithOffset", - "effective_rage": 0, - "is_valid": "yes", - "groups": [ + }, { - "group_name": "Untitled", + "virtual_table": "HTTP_RESPONSE_KEYWORDS_2", + "not_flag": 1, + "clause_index": 1, "regions": [ { - "table_name": "APP_PAYLOAD", - "table_type": "expr_plus", + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", "table_content": { - "format": "hexbin", + "keywords": "clause1-in-compile-147", + "expr_type": "none", "match_method": "sub", - "district": "Payload", - "keywords": "1-1:03&9-10:2d&14-16:2d34&19-21:2d&24-25:2d", - "expr_type": "offset" + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_3", + "not_flag": 1, + "clause_index": 2, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause2-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_4", + "not_flag": 1, + "clause_index": 3, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause3-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { 
+ "virtual_table": "HTTP_RESPONSE_KEYWORDS_5", + "not_flag": 1, + "clause_index": 4, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause4-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_6", + "not_flag": 1, + "clause_index": 5, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause5-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_7", + "not_flag": 1, + "clause_index": 6, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause6-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + }, + { + "virtual_table": "HTTP_RESPONSE_KEYWORDS_8", + "not_flag": 1, + "clause_index": 7, + "regions": [ + { + "table_name": "KEYWORDS_TABLE", + "table_type": "expr", + "table_content": { + "keywords": "clause7-in-compile-147", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" } } ] @@ -864,7 +989,7 @@ ] }, { - "compile_id": 149, + "compile_id": 148, "service": 1, "action": 1, "do_blacklist": 1, @@ -875,10 +1000,10 @@ { "regions": [ { - "table_name": "CORNER_CASE_TABLE", + "table_name": "HTTP_URL", "table_type": "expr", "table_content": { - "keywords": "^((?!.*\\binstagram\\b)).*\\.fbcdn\\.net$", + "keywords": "Cookie:\\s.*head", "expr_type": "regex", "match_method": "sub", "format": "uncase plain" 
@@ -889,12 +1014,38 @@ ] }, { + "compile_id": 149, + "service": 0, + "action": 0, + "do_blacklist": 0, + "do_log": 0, + "user_region": "StringScan.ExprPlusWithOffset", + "is_valid": "yes", + "groups": [ + { + "group_name": "Untitled", + "regions": [ + { + "table_name": "APP_PAYLOAD", + "table_type": "expr_plus", + "table_content": { + "format": "hexbin", + "match_method": "sub", + "district": "Payload", + "keywords": "1-1:03&9-10:2d&14-16:2d34&19-21:2d&24-25:2d", + "expr_type": "offset" + } + } + ] + } + ] + }, + { "compile_id": 150, "service": 0, "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.BugReport20190325", "is_valid": "yes", "groups": [ @@ -936,7 +1087,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.PrefixAndSuffix", "is_valid": "yes", "groups": [ @@ -963,7 +1113,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.PrefixAndSuffix", "is_valid": "yes", "groups": [ @@ -1008,7 +1157,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "Policy.SubGroup", "is_valid": "yes", "groups": [ @@ -1049,7 +1197,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_plus", "is_valid": "yes", "groups": [ @@ -1080,7 +1227,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv6_plus", "is_valid": "yes", "groups": [ @@ -1138,7 +1284,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.StreamScanUTF8", "is_valid": "yes", "groups": [ @@ -1164,7 +1309,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_CIDR", "is_valid": "yes", "groups": [ @@ -1195,7 +1339,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv6_CIDR", "is_valid": "yes", "groups": [ 
@@ -1226,7 +1369,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "VirtualWithOnePhysical", "is_valid": "yes", "groups": [ @@ -1258,7 +1400,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "virtual_table_test_temp", "is_valid": "yes", "groups": [ @@ -1315,7 +1456,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "VirtualWithVirtual", "is_valid": "yes", "groups": [ @@ -1337,7 +1477,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "OneGroupInTwoVirtual", "is_valid": "yes", "groups": [ @@ -1512,7 +1651,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_Any", "is_valid": "yes", "groups": [ @@ -1543,7 +1681,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_virtual.source", "is_valid": "no", "groups": [ @@ -1575,7 +1712,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_virtual.destination", "is_valid": "no", "groups": [ @@ -1607,7 +1743,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_virtual.match", "is_valid": "yes", "groups": [ @@ -1629,7 +1764,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_composition.source", "is_valid": "no", "groups": [ @@ -1661,7 +1795,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_composition.destination", "is_valid": "no", "groups": [ @@ -1693,7 +1826,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_composition.match", "is_valid": "yes", "groups": [ @@ -1715,7 +1847,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "IPScan.IPv4_composition.session", "is_valid": "no", "groups": [ 
@@ -1747,7 +1878,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_composition.session.match", "is_valid": "yes", "groups": [ @@ -1825,7 +1955,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "Hierarchy_VirtualWithTwoPhysical", "is_valid": "yes", "groups": [ @@ -1849,7 +1978,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_composition.match", "is_valid": "yes", "groups": [ @@ -1948,7 +2076,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv4_composition.NOT_match", "is_valid": "yes", "groups": [ @@ -1974,6 +2101,7 @@ "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 1, "regions": [ { @@ -1989,6 +2117,7 @@ ] }, { + "not_flag": 0, "regions": [ { "table_type": "ip_plus", @@ -2004,8 +2133,7 @@ "protocol": 6 } } - ], - "not_flag": 0 + ] } ] }, @@ -2019,6 +2147,7 @@ "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 1, "regions": [ { @@ -2034,6 +2163,7 @@ ] }, { + "not_flag": 0, "regions": [ { "table_type": "ip_plus", @@ -2049,8 +2179,7 @@ "protocol": 6 } } - ], - "not_flag": 0 + ] } ] }, @@ -2064,6 +2193,7 @@ "is_valid": "yes", "groups": [ { + "virtual_table": "HTTP_URL_FILTER", "not_flag": 1, "regions": [ { @@ -2079,6 +2209,7 @@ ] }, { + "not_flag": 0, "regions": [ { "table_type": "ip_plus", @@ -2094,17 +2225,15 @@ "protocol": 6 } } - ], - "not_flag": 0 + ] } ] }, { + "compile_id": 189, "is_valid": "yes", "do_log": 0, - "effective_rage": 0, "action": 0, - "compile_id": 189, "service": 0, "do_blacklist": 0, "user_region": "StringScan.ShouldNotHitExprPlus", @@ -2160,7 +2289,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.HexBinCaseSensitive", "is_valid": "yes", "groups": [ 
@@ -2816,7 +2944,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "StringScan.RegexExpressionIllegal", "is_valid": "yes", "groups": [ @@ -2843,7 +2970,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "duplicateRuleFor191", "is_valid": "yes", "groups": [ @@ -2893,7 +3019,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "duplicateRuleFor154", "is_valid": "yes", "groups": [ @@ -2949,7 +3074,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ipv6_::", "is_valid": "yes", "groups": [ @@ -2980,7 +3104,6 @@ "action": 0, "do_blacklist": 0, "do_log": 0, - "effective_rage": 0, "user_region": "ip_perf_test", "is_valid": "yes", "groups": [ 
@@ -3101,7 +3224,355 @@
 ]
 }
 ]
- }
+ },
+ {
+ "compile_id": 216,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "NOTClause&ExcludeGroup",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "HTTP_URL_FILTER",
+ "group_name": "ExcludeLogicGroup200",
+ "not_flag": 0,
+ "clause_index": 0
+ },
+ {
+ "virtual_table": "HTTP_RESPONSE_KEYWORDS",
+ "group_name": "NOTClauseAndExcludeGroup211",
+ "not_flag": 1,
+ "clause_index": 1,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-for-compile-211",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 217,
+ "service": 0,
+ "action": 0,
+ "do_blacklist": 0,
+ "do_log": 0,
+ "user_region": "NOTClause&ExcludeGroup",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "HTTP_URL_FILTER",
+ "group_name": "NOTClauseAndExcludeGroup217_1",
+ "not_flag": 1,
+ "clause_index": 0,
+ "sub_groups": [
+ {
+ "group_name": "ExcludeLogicGroup217_1_1",
+ "is_exclude": 0,
+ "regions": [
+ {
+ "table_name": "HTTP_URL",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "string-of-rule-217.com",
+ "expr_type": "none",
+ "match_method": "suffix",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "group_name": "ExcludeLogicGroup217_1_2",
+ "is_exclude": 1,
+ "regions": [
+ {
+ "table_name": "HTTP_URL",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "www.string-of-rule-217.com",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_RESPONSE_KEYWORDS",
+ "group_name": "NOTClauseAndExcludeGroup217_2",
+ "not_flag": 0,
+ "clause_index": 1,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-for-compile-217",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 218,
+ "service": 1,
+ "action": 1,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "Untitled",
+ "regions": [
+ {
+ "table_name": "CONTENT_SIZE",
+ "table_type": "interval",
+ "table_content": {
+ "low_boundary": 3000,
+ "up_boundary": 3000
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 219,
+ "service": 1,
+ "action": 1,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_1",
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-1",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_2",
+ "not_flag": 1,
+ "clause_index": 1,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-2",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_3",
+ "not_flag": 1,
+ "clause_index": 2,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-3",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_4",
+ "not_flag": 1,
+ "clause_index": 3,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-4",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_5",
+ "not_flag": 1,
+ "clause_index": 4,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-5",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_6",
+ "not_flag": 1,
+ "clause_index": 5,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-6",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_7",
+ "not_flag": 1,
+ "clause_index": 6,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-7",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup219_8",
+ "not_flag": 1,
+ "clause_index": 7,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-219-8",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 220,
+ "service": 1,
+ "action": 1,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup220_1",
+ "not_flag": 0,
+ "clause_index": 0,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-220-1",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup220_2",
+ "not_flag": 1,
+ "clause_index": 1,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-220-2",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table": "HTTP_DUMMY",
+ "group_name": "NOTClauseAndExcludeGroup220_3",
+ "not_flag": 1,
+ "clause_index": 2,
+ "regions": [
+ {
+ "table_name": "KEYWORDS_TABLE",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "keywords-dummy-220-3",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ }
 ],
 "plugin_table": [
 {
diff --git a/test/table_info.conf b/test/table_info.conf
index 2845d09..e2f82fa 100644
--- a/test/table_info.conf
+++ b/test/table_info.conf
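Review bot: In the rule with `compile_id` 216 the NOT group is named `NOTClauseAndExcludeGroup211` and matches `keywords-for-compile-211`, which reads like a copy from a rule 211 rather than a fixture written for 216. The first group of the same rule (`ExcludeLogicGroup200`) carries no `regions`, so groups appear to be resolved by name; if a group called `NOTClauseAndExcludeGroup211` is already defined elsewhere in this file, the entry may reuse or shadow it instead of creating the group the test expects. Renaming to `"group_name": "NOTClauseAndExcludeGroup216"` and `"keywords": "keywords-for-compile-216"`, with whichever test scans for that keyword updated, would remove the ambiguity. Rules 218–220 also all use `"user_region": "anything"` and 216/217 share `"NOTClause&ExcludeGroup"`, while the older rules visible in this diff appear to put the test name there; doing the same would make a failing NOT-clause case traceable to its fixture. Every NOT fixture added in this hunk keeps at least one `"not_flag": 0` clause, so the behaviour of a rule built only from NOT clauses is not pinned here and may deserve its own fixture if the loader is meant to accept or reject it.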
@@ -578,5 +578,65 @@
 "port1":4,
 "port2":5
 }
+ },
+ {
+ "table_id":48,
+ "table_name":"VIRTUAL_IP_CONFIG",
+ "table_type":"virtual",
+ "physical_table": "IP_CONFIG"
+ },
+ {
+ "table_id":49,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_1",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":50,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_2",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":51,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_3",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":52,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_4",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":53,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_5",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":54,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_6",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":55,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_7",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":56,
+ "table_name":"HTTP_RESPONSE_KEYWORDS_8",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
+ },
+ {
+ "table_id":57,
+ "table_name":"HTTP_DUMMY",
+ "table_type":"virtual",
+ "physical_table": "KEYWORDS_TABLE"
 }
 ]
\ No newline at end of file |
