3 files changed, 53 insertions, 2 deletions

diff --git a/src/entry/Maat_rule.cpp b/src/entry/Maat_rule.cpp
index fd568a9..19b70ed 100644
--- a/src/entry/Maat_rule.cpp
+++ b/src/entry/Maat_rule.cpp
@@ -1627,7 +1627,7 @@ void update_expr_rule(struct Maat_table_schema* table,const char* table_line,str
 			break;
 		case	1:
 			maat_str_rule->is_hexbin=TRUE;
-			maat_str_rule->is_case_sensitive=FALSE;
+			maat_str_rule->is_case_sensitive=TRUE;
 			break;
 		case	2:
 			maat_str_rule->is_hexbin=FALSE;
diff --git a/test/maat_json.json b/test/maat_json.json
index 43bc420..be4c1ee 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -2317,6 +2317,33 @@
                     ]
                 }
             ]
+        },
+        {
+            "compile_id": 191,
+            "service": 0,
+            "action": 0,
+            "do_blacklist": 0,
+            "do_log": 0,
+            "effective_rage": 0,
+            "user_region": "StringScan.HexBinCaseSensitive",
+            "is_valid": "yes",
+            "groups": [
+                {
+                    "regions": [
+                        {
+                            "table_type": "expr",
+                            "table_name": "KEYWORDS_TABLE",
+                            "table_content": {
+                                "keywords": "54455354",
+                                "expr_type": "none",
+                                "format": "hexbin",
+                                "match_method": "sub"
+                            }
+                        }
+                    ],
+                    "group_name": "Untitled"
+                }
+            ]
         }
     ],
     "plugin_table": [
diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp
index 6c49e72..ac9ea29 100644
--- a/test/test_maatframe.cpp
+++ b/test/test_maatframe.cpp
@@ -831,7 +831,6 @@ TEST(StringScan,   CharsetWindows1251)
 	int read_size=0,pass_flag=0;
 	struct Maat_rule_t result[4];
 	scan_status_t mid=NULL;
-	//const char* fn="./testdata/mesa_logo.jpg";
 	const char* table_name="KEYWORDS_TABLE";
 	const char* fn="./testdata/charsetWindows1251.txt";
 	FILE* fp=fopen(fn,"r");
@@ -870,6 +869,31 @@ TEST(StringScan,   CharsetWindows1251)
 	return;
 
 }
+TEST(StringScan,  HexBinCaseSensitive)
+{
+	int ret=0;
+	int table_id=0;
+	struct Maat_rule_t result[4];
+	int found_pos[4];
+	scan_status_t mid=NULL;
+	const char* table_name="KEYWORDS_TABLE";
+	const char* scan_data="String TeST should not hit.";
+	const char* scan_data2="String TEST should hit";
+
+	table_id=Maat_table_register(g_feather, table_name);
+	ASSERT_GT(table_id, 0);
+	ret=Maat_full_scan_string(g_feather, table_id, CHARSET_GBK, scan_data, strlen(scan_data), 
+						result, found_pos, 4, &mid, 0);
+	EXPECT_EQ(ret, 0);
+	Maat_clean_status(&mid);
+	
+	ret=Maat_full_scan_string(g_feather, table_id,CHARSET_GBK, scan_data2, strlen(scan_data2), 
+						result, found_pos, 4, &mid, 0);
+	EXPECT_EQ(ret, 1);
+	EXPECT_EQ(result[0].config_id, 191);
+	Maat_clean_status(&mid);
+
+}
 
 #define	TEST_IPSCAN
 TEST(IPScan, IPv4_mask)