diff options
| author | Cyrille Bagard <nocbos@gmail.com> | 2023-08-18 00:07:39 (GMT) |
|---|---|---|
| committer | Cyrille Bagard <nocbos@gmail.com> | 2023-08-18 00:07:39 (GMT) |
| commit | 2424c52c4f3bc44ce5f36348442cfa103e0989c2 (patch) | |
| tree | f68aea488f403b234d4fcc6fd6e0f7b88a628ac8 /src/analysis/scan/rule.c | |
| parent | 1c5a0e67186def152536d9c506e2e6c3a3a265c5 (diff) | |
Create some modifiers and handle match properties inside ROST.
Diffstat (limited to 'src/analysis/scan/rule.c')
| -rw-r--r-- | src/analysis/scan/rule.c | 194 |
1 files changed, 177 insertions, 17 deletions
diff --git a/src/analysis/scan/rule.c b/src/analysis/scan/rule.c index 6ca97ab..4727c9d 100644 --- a/src/analysis/scan/rule.c +++ b/src/analysis/scan/rule.c @@ -93,9 +93,9 @@ static void g_scan_rule_init(GScanRule *rule) rule->name = NULL; rule->name_hash = 0; - rule->data_locals = NULL; - rule->data_allocated = 0; - rule->data_used = 0; + rule->bytes_locals = NULL; + rule->bytes_allocated = 0; + rule->bytes_used = 0; rule->condition = NULL; @@ -118,8 +118,8 @@ static void g_scan_rule_dispose(GScanRule *rule) { size_t i; /* Boucle de parcours */ - for (i = 0; i < rule->data_used; i++) - g_clear_object(&rule->data_locals[i]); + for (i = 0; i < rule->bytes_used; i++) + g_clear_object(&rule->bytes_locals[i]); g_clear_object(&rule->condition); @@ -219,13 +219,13 @@ void g_scan_rule_add_local_variable(GScanRule *rule, GSearchPattern *pattern) { if (G_IS_STRING_TOKEN(pattern)) { - if (rule->data_used == rule->data_allocated) + if (rule->bytes_used == rule->bytes_allocated) { - rule->data_allocated += PATTERN_ALLOC_SIZE; - rule->data_locals = realloc(rule->data_locals, rule->data_allocated * sizeof(GSearchPattern *)); + rule->bytes_allocated += PATTERN_ALLOC_SIZE; + rule->bytes_locals = realloc(rule->bytes_locals, rule->bytes_allocated * sizeof(GSearchPattern *)); } - rule->data_locals[rule->data_used++] = pattern; + rule->bytes_locals[rule->bytes_used++] = pattern; g_object_ref(G_OBJECT(pattern)); } @@ -254,13 +254,13 @@ GSearchPattern *g_scan_rule_get_local_variable(GScanRule *rule, const char *targ result = NULL; - for (i = 0; i < rule->data_used; i++) + for (i = 0; i < rule->bytes_used; i++) { - name = g_search_pattern_get_name(rule->data_locals[i]); + name = g_search_pattern_get_name(rule->bytes_locals[i]); if (strcmp(name, target) == 0) { - result = rule->data_locals[i]; + result = rule->bytes_locals[i]; break; } @@ -327,9 +327,9 @@ bool g_scan_rule_setup_backend(GScanRule *rule, GEngineBackend *backend, GScanCo maxsize = g_engine_backend_get_atom_max_size(backend); - for (i = 0; i < rule->data_used && result; i++) + for (i = 0; i < rule->bytes_used && result; i++) { - pattern = rule->data_locals[i]; + pattern = rule->bytes_locals[i]; result = g_string_token_enroll(G_STRING_TOKEN(pattern), context, backend, maxsize); } @@ -380,11 +380,11 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c /* Consolidation des résultats */ - for (i = 0; i < rule->data_used; i++) + for (i = 0; i < rule->bytes_used; i++) { init_pending_matches(&matches); - pattern = rule->data_locals[i]; + pattern = rule->bytes_locals[i]; g_string_token_check(G_STRING_TOKEN(pattern), context, content, &matches); @@ -392,7 +392,9 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c { area = &matches.areas[k]; - match = g_bytes_match_new(G_SEARCH_PATTERN(pattern), content, area->start, area->length); + match = g_scan_bytes_match_new(G_SEARCH_PATTERN(pattern), content, + area->start, area->end - area->start); + g_scan_context_register_full_match(context, match); g_object_unref(G_OBJECT(match)); @@ -407,3 +409,161 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c g_object_unref(G_OBJECT(content)); } + + +/****************************************************************************** +* * +* Paramètres : rule = règle de détection à considérer. * +* context = contexte de l'analyse à mener. * +* fd = canal d'écriture. * +* * +* Description : Affiche une règle au format texte. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void g_scan_rule_output_to_text(const GScanRule *rule, GScanContext *context, int fd) +{ + size_t i; /* Boucle de parcours */ + + for (i = 0; i < rule->bytes_used; i++) + g_search_pattern_output_to_text(rule->bytes_locals[i], context, fd); + + if (g_scan_context_has_match_for_rule(context, rule->name)) + { + write(fd, "Rule '", 6); + write(fd, rule->name, strlen(rule->name)); + write(fd, "' has matched!\n", 15); + } + +} + + +/****************************************************************************** +* * +* Paramètres : rule = règle de détection à considérer. * +* context = contexte de l'analyse à mener. * +* * +* Description : Convertit une règle en texte. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void g_scan_rule_convert_as_text(const GScanRule *rule, GScanContext *context) +{ + /* TODO */ + +} + + +/****************************************************************************** +* * +* Paramètres : rule = règle de détection à considérer. * +* context = contexte de l'analyse à mener. * +* padding = éventuel bourrage initial à placer ou NULL. * +* level = profondeur actuelle. * +* fd = canal d'écriture. * +* trailing = impose une virgule finale ? * +* * +* Description : Affiche une règle au format JSON. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void g_scan_rule_output_to_json(const GScanRule *rule, GScanContext *context, const sized_string_t *padding, unsigned int level, int fd, bool trailing) +{ + size_t i; /* Boucle de parcours */ + bool sub_trailing; /* Virgule finale */ + + /* Introduction */ + + for (i = 0; i < level; i++) + write(fd, padding->data, padding->len); + + write(fd, "{\n", 2); + + /* Désignation de la règle */ + + for (i = 0; i < (level + 1); i++) + write(fd, padding->data, padding->len); + + write(fd, "\"name\": \"", 9); + + write(fd, rule->name, strlen(rule->name)); + + write(fd, "\",\n", 3); + + /* Affichage des correspondances d'octets */ + + for (i = 0; i < (level + 1); i++) + write(fd, padding->data, padding->len); + + write(fd, "\"bytes_patterns\": [\n", 20); + + for (i = 0; i < rule->bytes_used; i++) + { + sub_trailing = ((i + 1) < rule->bytes_used); + + g_search_pattern_output_to_json(rule->bytes_locals[i], context, padding, level + 2, fd, sub_trailing); + + } + + for (i = 0; i < (level + 1); i++) + write(fd, padding->data, padding->len); + + write(fd, "],\n", 3); + + /* Bilan du filtrage */ + + for (i = 0; i < (level + 1); i++) + write(fd, padding->data, padding->len); + + write(fd, "\"matched\": ", 11); + + if (g_scan_context_has_match_for_rule(context, rule->name)) + write(fd, "true", 4); + else + write(fd, "false", 5); + + write(fd, "\n", 1); + + /* Conclusion */ + + for (i = 0; i < level; i++) + write(fd, padding->data, padding->len); + + if (trailing) + write(fd, "},\n", 3); + else + write(fd, "}\n", 2); + +} + + +/****************************************************************************** +* * +* Paramètres : rule = règle de détection à considérer. * +* context = contexte de l'analyse à mener. * +* * +* Description : Convertit une règle en JSON. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void g_scan_rule_convert_as_json(const GScanRule *rule, GScanContext *context) +{ + /* TODO */ + +} |