Rely on the ACISM tree to detect identical patterns.

author: Cyrille Bagard <nocbos@gmail.com> 2024-02-24 17:19:31 (GMT)
committer: Cyrille Bagard <nocbos@gmail.com> 2024-02-24 17:19:31 (GMT)
commit: ea9be67a9ddec2b4b96b3114bab5f192e53c7911 (patch)
tree: e667e83a57565528791e981ea387e31c60938fad /tests/analysis
parent: cc181167644e1b88630ac02e2b718ad3ad0145c4 (diff)
1 files changed, 38 insertions, 1 deletions
diff --git a/tests/analysis/scan/matches.py b/tests/analysis/scan/matches.py
index 768531b..efcae4f 100644
--- a/tests/analysis/scan/matches.py
+++ b/tests/analysis/scan/matches.py
@@ -7,7 +7,7 @@ class TestRostMatchs(RostTestClass):
     """TestCases for the ROST pattern matching engine."""
 
     def testCountMatches(self):
-        """Count matches patterns."""
+        """Count matched patterns."""
 
         cnt = MemoryContent(b'aaa aaa bbb aaa')
 
@@ -25,3 +25,40 @@ rule test {
 '''
 
         self.check_rule_success(rule, cnt)
+
+
+    def testCountSameMatches(self):
+        """Count matches of similar patterns."""
+
+        cnt = MemoryContent(b'ABCDabcdABCDabcd')
+
+        rule = '''
+rule test {
+
+   bytes:
+      $a = "\x61\x62\x63\x64"
+      $b = "\x61\x62\x63\x64"
+
+   condition:
+      #a == 2 and #b == 2
+
+}
+'''
+
+        self.check_rule_success(rule, cnt)
+
+
+        rule = '''
+rule test {
+
+   bytes:
+      $a = "\x61\x62\x63\x64"
+      $b = "\x61\x62\x63"
+
+   condition:
+      #a == 2 and #b == 2
+
+}
+'''
+
+        self.check_rule_success(rule, cnt)
author	Cyrille Bagard <nocbos@gmail.com>	2024-02-24 17:19:31 (GMT)
committer	Cyrille Bagard <nocbos@gmail.com>	2024-02-24 17:19:31 (GMT)
commit	ea9be67a9ddec2b4b96b3114bab5f192e53c7911 (patch)
tree	e667e83a57565528791e981ea387e31c60938fad /tests/analysis
parent	cc181167644e1b88630ac02e2b718ad3ad0145c4 (diff)