summaryrefslogtreecommitdiff
path: root/src/analysis/scan/rule.c
diff options
context:
space:
mode:
authorCyrille Bagard <nocbos@gmail.com>2023-08-18 00:07:39 (GMT)
committerCyrille Bagard <nocbos@gmail.com>2023-08-18 00:07:39 (GMT)
commit2424c52c4f3bc44ce5f36348442cfa103e0989c2 (patch)
treef68aea488f403b234d4fcc6fd6e0f7b88a628ac8 /src/analysis/scan/rule.c
parent1c5a0e67186def152536d9c506e2e6c3a3a265c5 (diff)
Create some modifiers and handle match properties inside ROST.
Diffstat (limited to 'src/analysis/scan/rule.c')
-rw-r--r--src/analysis/scan/rule.c194
1 files changed, 177 insertions, 17 deletions
diff --git a/src/analysis/scan/rule.c b/src/analysis/scan/rule.c
index 6ca97ab..4727c9d 100644
--- a/src/analysis/scan/rule.c
+++ b/src/analysis/scan/rule.c
@@ -93,9 +93,9 @@ static void g_scan_rule_init(GScanRule *rule)
rule->name = NULL;
rule->name_hash = 0;
- rule->data_locals = NULL;
- rule->data_allocated = 0;
- rule->data_used = 0;
+ rule->bytes_locals = NULL;
+ rule->bytes_allocated = 0;
+ rule->bytes_used = 0;
rule->condition = NULL;
@@ -118,8 +118,8 @@ static void g_scan_rule_dispose(GScanRule *rule)
{
size_t i; /* Boucle de parcours */
- for (i = 0; i < rule->data_used; i++)
- g_clear_object(&rule->data_locals[i]);
+ for (i = 0; i < rule->bytes_used; i++)
+ g_clear_object(&rule->bytes_locals[i]);
g_clear_object(&rule->condition);
@@ -219,13 +219,13 @@ void g_scan_rule_add_local_variable(GScanRule *rule, GSearchPattern *pattern)
{
if (G_IS_STRING_TOKEN(pattern))
{
- if (rule->data_used == rule->data_allocated)
+ if (rule->bytes_used == rule->bytes_allocated)
{
- rule->data_allocated += PATTERN_ALLOC_SIZE;
- rule->data_locals = realloc(rule->data_locals, rule->data_allocated * sizeof(GSearchPattern *));
+ rule->bytes_allocated += PATTERN_ALLOC_SIZE;
+ rule->bytes_locals = realloc(rule->bytes_locals, rule->bytes_allocated * sizeof(GSearchPattern *));
}
- rule->data_locals[rule->data_used++] = pattern;
+ rule->bytes_locals[rule->bytes_used++] = pattern;
g_object_ref(G_OBJECT(pattern));
}
@@ -254,13 +254,13 @@ GSearchPattern *g_scan_rule_get_local_variable(GScanRule *rule, const char *targ
result = NULL;
- for (i = 0; i < rule->data_used; i++)
+ for (i = 0; i < rule->bytes_used; i++)
{
- name = g_search_pattern_get_name(rule->data_locals[i]);
+ name = g_search_pattern_get_name(rule->bytes_locals[i]);
if (strcmp(name, target) == 0)
{
- result = rule->data_locals[i];
+ result = rule->bytes_locals[i];
break;
}
@@ -327,9 +327,9 @@ bool g_scan_rule_setup_backend(GScanRule *rule, GEngineBackend *backend, GScanCo
maxsize = g_engine_backend_get_atom_max_size(backend);
- for (i = 0; i < rule->data_used && result; i++)
+ for (i = 0; i < rule->bytes_used && result; i++)
{
- pattern = rule->data_locals[i];
+ pattern = rule->bytes_locals[i];
result = g_string_token_enroll(G_STRING_TOKEN(pattern), context, backend, maxsize);
}
@@ -380,11 +380,11 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c
/* Consolidation des résultats */
- for (i = 0; i < rule->data_used; i++)
+ for (i = 0; i < rule->bytes_used; i++)
{
init_pending_matches(&matches);
- pattern = rule->data_locals[i];
+ pattern = rule->bytes_locals[i];
g_string_token_check(G_STRING_TOKEN(pattern), context, content, &matches);
@@ -392,7 +392,9 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c
{
area = &matches.areas[k];
- match = g_bytes_match_new(G_SEARCH_PATTERN(pattern), content, area->start, area->length);
+ match = g_scan_bytes_match_new(G_SEARCH_PATTERN(pattern), content,
+ area->start, area->end - area->start);
+
g_scan_context_register_full_match(context, match);
g_object_unref(G_OBJECT(match));
@@ -407,3 +409,161 @@ void g_scan_rule_check(GScanRule *rule, GEngineBackend *backend, GScanContext *c
g_object_unref(G_OBJECT(content));
}
+
+
+/******************************************************************************
+* *
+* Paramètres : rule = règle de détection à considérer. *
+* context = contexte de l'analyse à mener. *
+* fd = canal d'écriture. *
+* *
+* Description : Affiche une règle au format texte. *
+* *
+* Retour : - *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+void g_scan_rule_output_to_text(const GScanRule *rule, GScanContext *context, int fd)
+{
+ size_t i; /* Boucle de parcours */
+
+ for (i = 0; i < rule->bytes_used; i++)
+ g_search_pattern_output_to_text(rule->bytes_locals[i], context, fd);
+
+ if (g_scan_context_has_match_for_rule(context, rule->name))
+ {
+ write(fd, "Rule '", 6);
+ write(fd, rule->name, strlen(rule->name));
+ write(fd, "' has matched!\n", 15);
+ }
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : rule = règle de détection à considérer. *
+* context = contexte de l'analyse à mener. *
+* *
+* Description : Convertit une règle en texte. *
+* *
+* Retour : - *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+void g_scan_rule_convert_as_text(const GScanRule *rule, GScanContext *context)
+{
+ /* TODO */
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : rule = règle de détection à considérer. *
+* context = contexte de l'analyse à mener. *
+* padding = éventuel bourrage initial à placer ou NULL. *
+* level = profondeur actuelle. *
+* fd = canal d'écriture. *
+* trailing = impose une virgule finale ? *
+* *
+* Description : Affiche une règle au format JSON. *
+* *
+* Retour : - *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+void g_scan_rule_output_to_json(const GScanRule *rule, GScanContext *context, const sized_string_t *padding, unsigned int level, int fd, bool trailing)
+{
+ size_t i; /* Boucle de parcours */
+ bool sub_trailing; /* Virgule finale */
+
+ /* Introduction */
+
+ for (i = 0; i < level; i++)
+ write(fd, padding->data, padding->len);
+
+ write(fd, "{\n", 2);
+
+ /* Désignation de la règle */
+
+ for (i = 0; i < (level + 1); i++)
+ write(fd, padding->data, padding->len);
+
+ write(fd, "\"name\": \"", 9);
+
+ write(fd, rule->name, strlen(rule->name));
+
+ write(fd, "\",\n", 3);
+
+ /* Affichage des correspondances d'octets */
+
+ for (i = 0; i < (level + 1); i++)
+ write(fd, padding->data, padding->len);
+
+ write(fd, "\"bytes_patterns\": [\n", 20);
+
+ for (i = 0; i < rule->bytes_used; i++)
+ {
+ sub_trailing = ((i + 1) < rule->bytes_used);
+
+ g_search_pattern_output_to_json(rule->bytes_locals[i], context, padding, level + 2, fd, sub_trailing);
+
+ }
+
+ for (i = 0; i < (level + 1); i++)
+ write(fd, padding->data, padding->len);
+
+ write(fd, "],\n", 3);
+
+ /* Bilan du filtrage */
+
+ for (i = 0; i < (level + 1); i++)
+ write(fd, padding->data, padding->len);
+
+ write(fd, "\"matched\": ", 11);
+
+ if (g_scan_context_has_match_for_rule(context, rule->name))
+ write(fd, "true", 4);
+ else
+ write(fd, "false", 5);
+
+ write(fd, "\n", 1);
+
+ /* Conclusion */
+
+ for (i = 0; i < level; i++)
+ write(fd, padding->data, padding->len);
+
+ if (trailing)
+ write(fd, "},\n", 3);
+ else
+ write(fd, "}\n", 2);
+
+}
+
+
+/******************************************************************************
+* *
+* Paramètres : rule = règle de détection à considérer. *
+* context = contexte de l'analyse à mener. *
+* *
+* Description : Convertit une règle en JSON. *
+* *
+* Retour : - *
+* *
+* Remarques : - *
+* *
+******************************************************************************/
+
+void g_scan_rule_convert_as_json(const GScanRule *rule, GScanContext *context)
+{
+ /* TODO */
+
+}