using namespace std;
void EveCaPatternMatchers::add_eve_ca_pattern(AppId app_id, const string& pattern_str,
- uint8_t confidence, const string& detector)
+ uint8_t confidence, const string& detector, bool literal)
{
auto match = find_if(eve_ca_load_list.begin(), eve_ca_load_list.end(),
- [pattern_str] (EveCaPattern* eve_ca) { return eve_ca->pattern == pattern_str; });
+ [pattern_str, literal] (EveCaPattern* eve_ca)
+ { return (eve_ca->pattern == pattern_str) and (eve_ca->literal == literal); });
+
if (match != eve_ca_load_list.end())
{
if ((*match)->app_id != app_id)
}
else
{
- EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence);
+ EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence, literal);
eve_ca_load_list.push_back(new_eve_ca_pattern);
}
}
for (auto &mp : *eve_ca_match_list)
{
- if (mp->pattern.size() == pattern.size())
+ const bool confident = (reported_confidence >= mp->confidence);
+ const bool same_size = (mp->pattern.size() == pattern.size());
+
+ if (not confident)
+ continue;
+
+ if (mp->literal)
{
- if (reported_confidence >= mp->confidence)
+ if (same_size)
best_match = mp;
- else if (best_match)
- best_match = nullptr;
- break;
}
- else if ((reported_confidence >= mp->confidence) and
- (!best_match or (mp->pattern.size() > best_match->pattern.size())))
+
+ if (not mp->literal)
{
- best_match = mp;
- continue;
+ if (!best_match or (mp->pattern.size() > best_match->pattern.size()))
+ best_match = mp;
}
}
AppId ret_app_id = APP_ID_NONE;
{
for (auto& p : eve_ca_load_list)
{
- eve_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true);
+ eve_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true, p->literal);
#ifdef REG_TEST
AppIdInspector* inspector =
const AppId app_id;
const std::string pattern;
const uint8_t confidence;
+ bool literal;
- EveCaPattern(AppId id, const std::string& name, uint8_t conf) : app_id(id), pattern(name),
- confidence(conf) {}
+ EveCaPattern(AppId id, const std::string& name, uint8_t conf, bool literal = true) : app_id(id), pattern(name),
+ confidence(conf), literal(literal) {}
~EveCaPattern() {}
};
public:
~EveCaPatternMatchers();
AppId match_eve_ca_pattern(const std::string&, uint8_t);
- void add_eve_ca_pattern(AppId, const std::string&, uint8_t, const std::string&);
+ void add_eve_ca_pattern(AppId, const std::string&, uint8_t, const std::string&, bool literal = true);
void finalize_patterns();
void reload_patterns();
unsigned get_pattern_count();
const std::string detector_name = ud->get_detector()->get_name();
ud->get_odp_ctxt().get_eve_ca_matchers().add_eve_ca_pattern(appid, process_name,
- process_score, detector_name);
+ process_score, detector_name, true);
+
+ ud->get_odp_ctxt().get_app_info_mgr().set_app_info_active(appid);
+
+ return 0;
+}
+
+/** Add a fp process name regex to client app mapping.
+ * @param Lua_State* - Lua state variable.
+ * @param appid/stack - the AppId to map the fp data to
+ * @param process_name/stack - encrypted fingerprint process name regex
+ * @param process_score - encrypted fingerprint process_score
+ */
+static int add_process_to_client_mapping_regex(lua_State* L)
+{
+ auto& ud = *UserData<LuaObject>::check(L, DETECTOR, 1);
+ // Verify detector user data and that we are NOT in packet context
+ ud->validate_lua_state(false);
+ if (!init(L))
+ return 0;
+
+ const FastPatternConfig* const fp = SnortConfig::get_conf()->fast_pattern_config;
+ if (!MpseManager::is_regex_capable(fp->get_search_api())){
+ appid_log(nullptr, TRACE_WARNING_LEVEL, "WARNING: appid: Regex patterns require usage of "
+ "regex capable search engine like hyperscan in %s\n", ud->get_detector()->get_name().c_str());
+ return 0;
+ }
+
+ int index = 1;
+ uint32_t appid = lua_tointeger(L, ++index);
+
+ // Verify that process_name is a valid string
+ size_t pattern_size = 0;
+ const char* tmp_string = lua_tolstring(L, ++index, &pattern_size);
+ if (!tmp_string or !pattern_size)
+ {
+ appid_log(nullptr, TRACE_ERROR_LEVEL, "appid: Invalid eve process_name regex string: appid %u.\n", appid);
+ return 0;
+ }
+ const std::string process_name(tmp_string);
+ uint8_t process_score = lua_tointeger(L, ++index);
+ const std::string detector_name = ud->get_detector()->get_name();
+
+ ud->get_odp_ctxt().get_eve_ca_matchers().add_eve_ca_pattern(appid, process_name,
+ process_score, detector_name, false);
ud->get_odp_ctxt().get_app_info_mgr().set_app_info_active(appid);
/* add client mapping for process name derived by fingerprinting */
{ "addProcessToClientMapping", add_process_to_client_mapping },
{ "addAlpnToServiceMapping", add_alpn_to_service_mapping },
+ { "addProcessToClientMappingRegex", add_process_to_client_mapping_regex },
//HTTP Multi Pattern engine
{ "CHPCreateApp", detector_chp_create_application },
projects / thirdparty / snort3.git / commitdiff
