My 11th 2023 update

components/security_apps/ips/include/compound_protection.h

@@ -0,0 +1,49 @@
+#ifndef __COMPOUND_PROTECTION_H__
+#define __COMPOUND_PROTECTION_H__
+
+#include <memory>
+
+#include "ips_signatures.h"
+#include "i_table.h"
+
+class CompoundProtection
+{
+    enum class Operation { OR, AND, ORDERED_AND };
+    using BaseSignature = IPSSignatureSubTypes::BaseSignature;
+
+    class Impl : public IPSSignatureSubTypes::BaseSignature
+    {
+        using SignaturesVector = std::vector<std::shared_ptr<BaseSignature>>;
+
+    public:
+        Impl(const std::string &sig_name, SignaturesVector &&sig_vec, Operation oper);
+
+        const std::string & getSigId() const override { return sig_name; }
+        MatchType getMatch(const std::set<PMPattern> &matched) const override;
+        std::set<PMPattern> patternsInSignature() const override;
+        const std::vector<std::string> & getContext() const override { return contexts; }
+
+    private:
+        MatchType getMatchOr(const std::set<PMPattern> &matched) const;
+        MatchType getMatchAnd(const std::set<PMPattern> &matched) const;
+        MatchType getMatchOrderedAnd(const std::set<PMPattern> &matched) const;
+
+        MatchType getSubMatch(const std::shared_ptr<BaseSignature> &sub_sig, const std::set<PMPattern> &matched) const;
+        bool isFlagSet(const std::string &id) const;
+        void setFlag(const std::string &id) const;
+
+        std::string sig_name;
+        SignaturesVector sub_signatures;
+        std::vector<std::string> contexts;
+        Operation operation;
+        I_Table *table;
+    };
+
+public:
+    static std::shared_ptr<BaseSignature> get(const std::string &sig_name, cereal::JSONInputArchive &ar);
+
+private:
+    static Operation getOperation(const std::string &operation);
+};
+
+#endif // __COMPOUND_PROTECTION_H__

components/security_apps/ips/include/helper.h

@@ -0,0 +1,14 @@
+#ifndef __HELPER_H__
+#define __HELPER_H__
+
+#include <string>
+
+namespace IPSHelper
+{
+
+std::string deobfuscateString(const std::string &str);
+std::string deobfuscateKeyword(const std::string &str);
+
+} // IPSHelper
+
+#endif // __HELPER_H__

components/security_apps/ips/include/i_first_tier_agg.h

@@ -0,0 +1,19 @@
+#ifndef __I_FIRST_TIER_AGG_H__
+#define __I_FIRST_TIER_AGG_H__
+
+#include <memory>
+#include <set>
+#include <string>
+
+#include "pm_hook.h"
+
+class I_FirstTierAgg
+{
+public:
+    virtual std::shared_ptr<PMHook> getHook(const std::string &context_name, const std::set<PMPattern> &patterns) = 0;
+
+protected:
+    virtual ~I_FirstTierAgg() {}
+};
+
+#endif // __I_FIRST_TIER_AGG_H__

components/security_apps/ips/include/ips_basic_policy.h

@@ -0,0 +1,58 @@
+#ifndef __IPS_BASIC_POLICY_H__
+#define __IPS_BASIC_POLICY_H__
+
+#include <cereal/archives/json.hpp>
+#include <string>
+#include <vector>
+#include "ips_enums.h"
+#include "debug.h"
+#include "maybe_res.h"
+#include "ips_signatures.h"
+
+class RuleSelector
+{
+public:
+    class Rule
+    {
+    public:
+        void serialize(cereal::JSONInputArchive &ar);
+
+        bool isSignaturedMatched(const IPSSignatureSubTypes::CompleteSignature &signature) const;
+        const IPSSignatureSubTypes::SignatureAction & getAction() const { return action; };
+        void readAction(cereal::JSONInputArchive &ar, const std::string &action_type);
+        void print(std::ostream &os) const;
+
+    private:
+        void readPerformanceImpact(cereal::JSONInputArchive &ar);
+        void readSeverityLevel(cereal::JSONInputArchive &ar);
+        void readConfidenceLevel(cereal::JSONInputArchive &ar);
+        void readServerProtections(cereal::JSONInputArchive &ar);
+        void readClientProtections(cereal::JSONInputArchive &ar);
+        void readProtectionsFromYear(cereal::JSONInputArchive &ar);
+        void readProtectionTags(cereal::JSONInputArchive &ar);
+        void readProtectionIds(cereal::JSONInputArchive &ar);
+
+        IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
+        Maybe<IPSSignatureSubTypes::IPSLevel> performance_impact = genError("undefined");
+        Maybe<IPSSignatureSubTypes::IPSLevel> severity_level = genError("undefined");
+        Maybe<IPSSignatureSubTypes::IPSLevel> confidence_level = genError("undefined");
+        Maybe<bool> server_protections = genError("undefined");
+        Maybe<bool> client_protections = genError("undefined");
+        Maybe<int> protections_from_year = genError("undefined");
+        Maybe<std::vector<std::string>> protection_tags = genError("undefined");
+        Maybe<std::vector<std::string>> protection_ids = genError("undefined");
+    };
+
+public:
+    std::vector<IPSSignatureSubTypes::SignatureAndAction> selectSignatures() const;
+    void print(std::ostream &os) const;
+    void load(cereal::JSONInputArchive &ar);
+
+private:
+    void readRules(cereal::JSONInputArchive &ar);
+    void readDefaultAction(cereal::JSONInputArchive &ar);
+
+    std::vector<Rule> rules;
+};
+
+#endif // __IPS_BASIC_POLICY_H__

components/security_apps/ips/include/ips_common_types.h

@@ -0,0 +1,11 @@
+#ifndef __IPS_COMMON_TYPES__
+#define __IPS_COMMON_TYPES__
+
+#include "buffer.h"
+
+struct IPSCommonTypes
+{
+    static const Buffer requests_header_for_log;
+};
+
+#endif //__IPS_COMMON_TYPES__

components/security_apps/ips/include/ips_configuration.h

@@ -0,0 +1,36 @@
+#ifndef __IPS_CONFIGURATION_H__
+#define __IPS_CONFIGURATION_H__
+
+#include "config.h"
+
+class IPSConfiguration
+{
+public:
+    enum class ContextType { NORMAL, KEEP, HISTORY };
+
+    class Context {
+    public:
+        Context() : type(ContextType::NORMAL), history_size(0) {}
+        Context(ContextType type, uint history);
+
+        ContextType getType() const { return type; }
+        uint getHistorySize() const;
+
+    private:
+        ContextType type;
+        uint history_size;
+    };
+
+    IPSConfiguration() {}
+    IPSConfiguration(const std::map<std::string, Context> &initial_conf) : context_config(initial_conf) {}
+
+    void load(cereal::JSONInputArchive &ar);
+
+    Context getContext(const std::string &name) const;
+    uint getHistorySize(const std::string &name) const;
+
+private:
+    std::map<std::string, Context> context_config;
+};
+
+#endif // __IPS_CONFIGURATION_H__

components/security_apps/ips/include/ips_entry.h

@@ -0,0 +1,56 @@
+#ifndef __IPS_ENTRY_H__
+#define __IPS_ENTRY_H__
+
+#include <map>
+#include <set>
+
+#include "table_opaque.h"
+#include "parsed_context.h"
+#include "buffer.h"
+#include "context.h"
+
+class IPSEntry : public TableOpaqueSerialize<IPSEntry>, public Listener<ParsedContext>
+{
+public:
+    IPSEntry();
+
+    void upon(const ParsedContext &) override;
+    ParsedContextReply respond(const ParsedContext &ctx) override;
+    std::string getListenerName() const override { return name(); }
+
+    template <typename T>
+    void serialize(T &, uint32_t) {}
+    static std::string name();
+    static std::unique_ptr<TableOpaqueBase> prototype();
+    static uint currVer();
+    static uint minVer();
+
+    void uponEnteringContext() override { registerListener(); }
+    void uponLeavingContext() override { unregisterListener(); }
+
+    void setFlag(const std::string &flag) { flags.insert(flag); }
+    void unsetFlag(const std::string &flag) { flags.erase(flag); }
+    bool isFlagSet(const std::string &flag) const { return flags.count(flag) != 0; }
+
+    Buffer getBuffer(const std::string &name) const;
+    void setTransactionData(const Buffer &key, const Buffer &value);
+    Maybe<Buffer> getTransactionData(const Buffer &key) const;
+
+    void addPendingContext(const std::string &name, const Buffer &buffer);
+    const std::vector<std::pair<std::string, Buffer>> getPendingContexts() const { return pending_contexts; }
+    void clearPendingContexts() { pending_contexts.clear(); }
+
+    void setDrop() { is_drop = true; }
+    bool isDrop() const { return is_drop; }
+
+private:
+    std::map<std::string, Buffer> past_contexts;
+    std::set<std::string> flags;
+    Context ctx;
+    std::map<Buffer, Buffer> transaction_data;
+    std::vector<std::pair<std::string, Buffer>> pending_contexts;
+
+    bool is_drop = false;
+};
+
+#endif // __IPS_ENTRY_H__

components/security_apps/ips/include/ips_enums.h

@@ -0,0 +1,26 @@
+#ifndef __IPS_ENUMS_H__
+#define __IPS_ENUMS_H__
+
+namespace IPSSignatureSubTypes
+{
+
+enum class SignatureAction
+{
+    PREVENT,
+    DETECT,
+    IGNORE
+};
+
+enum class IPSLevel
+{
+    VERY_LOW,
+    LOW,
+    MEDIUM_LOW,
+    MEDIUM,
+    MEDIUM_HIGH,
+    HIGH,
+    CRITICAL
+};
+
+}  // IPSSignatureSubTypes
+#endif // __IPS_ENUMS_H__

components/security_apps/ips/include/ips_metric.h

@@ -0,0 +1,35 @@
+#ifndef __IPS_METRIC_H__
+#define __IPS_METRIC_H__
+
+#include "ips_signatures.h"
+#include "generic_metric.h"
+
+namespace IPSSignatureSubTypes
+{
+
+class MatchEvent : public Event<MatchEvent>
+{
+public:
+    MatchEvent(const std::shared_ptr<CompleteSignature> &sig, SignatureAction act) : signature(sig), action(act) {}
+
+    const SignatureAction & getAction() const { return action; }
+
+private:
+    std::shared_ptr<CompleteSignature> signature;
+    SignatureAction action;
+};
+
+class IPSMetric : public GenericMetric, public Listener<MatchEvent>
+{
+public:
+    void upon(const MatchEvent &event) override;
+
+private:
+    MetricCalculations::Counter prevented{this, "preventEngineMatchesSample"};
+    MetricCalculations::Counter detected{this, "detectEngineMatchesSample"};
+    MetricCalculations::Counter ignored{this, "ignoreEngineMatchesSample"};
+};
+
+} // IPSSignatureSubTypes
+
+#endif // __IPS_METRIC_H__

components/security_apps/ips/include/ips_signatures.h

@@ -0,0 +1,238 @@
+#ifndef __IPS_SIGNATURES_H__
+#define __IPS_SIGNATURES_H__
+
+#include <vector>
+
+#include "config.h"
+#include "parsed_context.h"
+#include "log_generator.h"
+#include "pm_hook.h"
+#include "ips_enums.h"
+#include "ips_entry.h"
+#include "i_first_tier_agg.h"
+
+namespace IPSSignatureSubTypes
+{
+using ActionResults = std::tuple<IPSSignatureSubTypes::SignatureAction, std::string, std::vector<std::string>>;
+
+class BaseSignature
+{
+public:
+    enum class MatchType { NO_MATCH, CACHE_MATCH, MATCH };
+
+    virtual const std::string & getSigId() const = 0;
+    virtual MatchType getMatch(const std::set<PMPattern> &matched) const = 0;
+    virtual std::set<PMPattern> patternsInSignature() const = 0;
+    virtual const std::vector<std::string> & getContext() const = 0;
+};
+
+class IPSSignatureMetaData
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+    void setIndicators(const std::string &source, const std::string &version);
+
+    const std::string & getId()                   const { return protection_id; }
+    const std::string & getName()                 const { return sig_name; }
+    const std::string & getUpdateVersion()        const { return update; }
+    const std::string & getLogTitle()             const { return event_log; }
+    const std::string & getSource()               const { return source; }
+    const std::string & getFeedVersion()          const { return version; }
+    const std::vector<std::string> & getCveList() const { return cve_list; }
+    IPSLevel getSeverity()                        const { return severity; }
+    std::string getSeverityString()               const;
+    IPSLevel getConfidence()                      const { return confidence; }
+    std::string getConfidenceString()             const;
+    IPSLevel getPerformance()                     const { return performance; }
+    std::string getPerformanceString()            const;
+    bool isSilent()                               const { return is_silent; }
+    std::string getIncidentType()                 const;
+    bool isYearAtLeast(const Maybe<int> &year)    const;
+    Maybe<int> getYear()                          const;
+
+private:
+    std::string protection_id;
+    std::string sig_name;
+    std::string event_log;
+    std::string update;
+    std::string source;
+    std::string version;
+    std::vector<std::string> cve_list;
+    std::vector<std::string> tag_list;
+    IPSLevel severity;
+    IPSLevel confidence;
+    IPSLevel performance;
+    bool is_silent = false;
+};
+
+class CompleteSignature
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+    BaseSignature::MatchType getMatch(const std::set<PMPattern> &matches) const;
+    std::set<PMPattern> patternsInSignature() const;
+    void setIndicators(const std::string &source, const std::string &version);
+
+    const std::vector<std::string> & getContext() const { return rule->getContext(); }
+    const std::string & getId()                   const { return metadata.getId(); }
+    const std::string & getLogTitle()             const { return metadata.getLogTitle(); }
+    const std::string & getName()                 const { return metadata.getName(); }
+    const std::string & getUpdateVersion()        const { return metadata.getUpdateVersion(); }
+    const std::string & getSource()               const { return metadata.getSource(); }
+    const std::string & getFeedVersion()          const { return metadata.getFeedVersion(); }
+    const std::vector<std::string> & getCveList() const { return metadata.getCveList(); }
+    IPSLevel getSeverity()                        const { return metadata.getSeverity(); }
+    std::string getSeverityString()               const { return metadata.getSeverityString(); }
+    IPSLevel getConfidence()                      const { return metadata.getConfidence(); }
+    std::string getConfidenceString()             const { return metadata.getConfidenceString(); }
+    IPSLevel getPerformance()                     const { return metadata.getPerformance(); }
+    std::string getPerformanceString()            const { return metadata.getPerformanceString(); }
+    bool isSilent()                               const { return metadata.isSilent(); }
+    std::string getIncidentType()                 const { return metadata.getIncidentType(); }
+
+    bool isYearAtLeast(const Maybe<int> &year)    const { return metadata.isYearAtLeast(year); }
+    Maybe<int> getYear()                          const { return metadata.getYear(); }
+
+private:
+    IPSSignatureMetaData metadata;
+    std::shared_ptr<BaseSignature> rule;
+};
+
+class SignatureAndAction
+{
+public:
+    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action)
+            :
+        signature(_signature),
+        action(_action)
+    {
+    }
+
+    bool isMatchedPrevent(const Buffer &context_buffer, const std::set<PMPattern> &pattern) const;
+    bool matchSilent(const Buffer &context_buffer) const;
+    std::set<PMPattern> patternsInSignature() const { return signature->patternsInSignature(); }
+    const std::vector<std::string> & getContext() const { return signature->getContext(); }
+
+private:
+    ActionResults getAction(const IPSEntry &ips_state) const;
+    std::shared_ptr<CompleteSignature> signature;
+    SignatureAction action;
+};
+} // IPSSignatureSubTypes
+
+class IPSSignaturesPerContext : public Singleton::Consume<I_FirstTierAgg>
+{
+public:
+    void addSignature(const IPSSignatureSubTypes::SignatureAndAction &sig);
+    bool isMatchedPrevent(const Buffer &context_buffer) const;
+    void calcFirstTier(const std::string &ctx_name);
+
+private:
+    std::set<PMPattern> getFirstTierMatches(const Buffer &buffer) const;
+
+    std::map<PMPattern, std::vector<IPSSignatureSubTypes::SignatureAndAction>> signatures_per_lss;
+    std::vector<IPSSignatureSubTypes::SignatureAndAction> signatures_without_lss;
+    std::shared_ptr<PMHook> first_tier;
+};
+
+class IPSSignaturesResource
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+
+    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
+    getSignatures() const
+    {
+        return all_signatures;
+    }
+
+private:
+    std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> all_signatures;
+};
+
+class SnortSignaturesResourceFile
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+    bool isFile(const std::string &file_name) const { return file_name == name; }
+    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
+    getSignatures() const
+    {
+        return all_signatures;
+    }
+
+private:
+    std::string name;
+    std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> all_signatures;
+};
+
+class SnortSignaturesResource
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+
+    const std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> &
+    getSignatures(const std::string &file_name) const
+    {
+        for (auto &file : files) {
+            if (file.isFile(file_name)) return file.getSignatures();
+        }
+        return empty;
+    }
+
+private:
+    std::vector<std::shared_ptr<IPSSignatureSubTypes::CompleteSignature>> empty;
+    std::vector<SnortSignaturesResourceFile> files;
+};
+
+class IPSSignatures
+{
+    std::set<PMPattern> getFirstTier(const ParsedContext &context);
+
+public:
+    void load(cereal::JSONInputArchive &ar);
+    bool isMatchedPrevent(const std::string &context_name, const Buffer &context_buffer) const;
+    bool isEmpty() const { return signatures_per_context.empty(); }
+    bool isEmpty(const std::string &context) const;
+
+    const std::string & getAsset() const { return asset_name; }
+    const std::string & getAssetId() const { return asset_id; }
+    const std::string & getPractice() const { return practice_name; }
+    const std::string & getPracticeId() const { return practice_id; }
+    const std::string & getSourceIdentifier() const { return source_id; }
+
+private:
+    std::map<std::string, IPSSignaturesPerContext> signatures_per_context;
+    std::string asset_name;
+    std::string asset_id;
+    std::string practice_name;
+    std::string practice_id;
+    std::string source_id;
+};
+
+class SnortSignatures
+{
+    std::set<PMPattern> getFirstTier(const ParsedContext &context);
+
+public:
+    void load(cereal::JSONInputArchive &ar);
+    bool isMatchedPrevent(const std::string &context_name, const Buffer &context_buffer) const;
+    bool isEmpty() const { return signatures_per_context.empty(); }
+    bool isEmpty(const std::string &context) const;
+
+    const std::string & getAsset() const { return asset_name; }
+    const std::string & getAssetId() const { return asset_id; }
+    const std::string & getPractice() const { return practice_name; }
+    const std::string & getPracticeId() const { return practice_id; }
+    const std::string & getSourceIdentifier() const { return source_id; }
+
+private:
+    std::map<std::string, IPSSignaturesPerContext> signatures_per_context;
+    std::string asset_name;
+    std::string asset_id;
+    std::string practice_name;
+    std::string practice_id;
+    std::string source_id;
+};
+
+#endif // __IPS_SIGNATURES_H__

components/security_apps/ips/include/rule_detection.h

@@ -0,0 +1,30 @@
+#ifndef __RULE_DETECTION_H__
+#define __RULE_DETECTION_H__
+
+#include "simple_protection.h"
+#include "compound_protection.h"
+
+class RuleDetection
+{
+public:
+    RuleDetection(const std::string &_sig_name) : sig_name(_sig_name) {}
+
+    template <typename T>
+    void serialize(T &ar)
+    {
+        std::string type;
+        ar(cereal::make_nvp("type", type));
+
+        if (type == "simple") rule = SimpleProtection::get(sig_name, ar);
+        else if (type == "compound") rule = CompoundProtection::get(sig_name, ar);
+        else reportConfigurationError("Unknown rule type: " + type);
+    };
+
+    std::shared_ptr<IPSSignatureSubTypes::BaseSignature> getRule() { return rule; }
+
+private:
+    std::shared_ptr<IPSSignatureSubTypes::BaseSignature> rule;
+    std::string sig_name;
+};
+
+#endif // __RULE_DETECTION_H__

components/security_apps/ips/include/simple_protection.h

@@ -0,0 +1,49 @@
+#ifndef __SIMPLE_PROTECTION_H__
+#define __SIMPLE_PROTECTION_H__
+
+#include <memory>
+
+#include "ips_signatures.h"
+#include "i_keywords_rule.h"
+
+class SimpleProtection
+{
+    class Impl : public IPSSignatureSubTypes::BaseSignature
+    {
+    public:
+        Impl(
+            const std::string &sig_name,
+            const std::string &ssm,
+            const std::string &keyword,
+            const std::vector<std::string> &context
+        );
+
+        const std::string & getSigId() const override { return sig_name; }
+        MatchType getMatch(const std::set<PMPattern> &matched) const override;
+        std::set<PMPattern> patternsInSignature() const override;
+        const std::vector<std::string> & getContext() const override { return context; }
+
+    private:
+        std::string sig_name;
+        std::vector<std::string> context;
+        std::shared_ptr<I_KeywordsRule::VirtualRule> rule;
+        PMPattern pattern;
+    };
+
+public:
+    template <typename Archive>
+    static std::shared_ptr<IPSSignatureSubTypes::BaseSignature> get(const std::string &sig_name, Archive &ar)
+    {
+        std::string ssm, keyword;
+        std::vector<std::string> context;
+
+        ar(
+            cereal::make_nvp("SSM",      ssm),
+            cereal::make_nvp("keywords", keyword),
+            cereal::make_nvp("context",  context)
+        );
+
+        return std::make_shared<Impl>(sig_name, ssm, keyword, context);
+    }
+};
+#endif // __SIMPLE_PROTECTION_H__

components/security_apps/ips/include/snort_basic_policy.h

@@ -0,0 +1,22 @@
+#ifndef __SNORT_BASIC_POLICY_H__
+#define __SNORT_BASIC_POLICY_H__
+
+#include <cereal/archives/json.hpp>
+#include <vector>
+#include <string>
+
+#include "ips_enums.h"
+#include "ips_signatures.h"
+
+class SnortRuleSelector
+{
+public:
+    std::vector<IPSSignatureSubTypes::SignatureAndAction> selectSignatures() const;
+    void load(cereal::JSONInputArchive &ar);
+
+private:
+    IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
+    std::vector<std::string> file_names;
+};
+
+#endif // __SNORT_BASIC_POLICY_H__