My 11th 2023 update

2025-11-16 01:12:18 +03:00 · 2023-05-11 18:54:44 +00:00
parent 240f58217a
commit 29bd82d125
92 changed files with 9301 additions and 135 deletions
--- a/components/security_apps/ips/simple_protection.cc
+++ b/components/security_apps/ips/simple_protection.cc
@@ -0,0 +1,64 @@
+#include "simple_protection.h"
+#include "ips_comp.h"
+#include "debug.h"
+#include "helper.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_IPS);
+
+SimpleProtection::Impl::Impl(
+        const string &_sig_name,
+        const string &ssm,
+        const string &keyword,
+        const vector<string> &_context
+    )
+        :
+    sig_name(_sig_name),
+    context(_context)
+{
+    string deobfuscated_keyword = IPSHelper::deobfuscateKeyword(keyword);
+    if (deobfuscated_keyword != "") {
+        auto compiled = Singleton::Consume<I_KeywordsRule>::by<IPSComp>()->genRule(deobfuscated_keyword);
+        if (!compiled.ok()) {
+            reportConfigurationError(
+                "Failed to complie keywords '" + keyword + "' in signature " + sig_name + ": " + compiled.getErr()
+            );
+        }
+        rule = compiled.unpackMove();
+    }
+
+    auto deobfuscated_ssm = IPSHelper::deobfuscateString(ssm);
+    if (deobfuscated_ssm != "") {
+        auto temp_pattern = PMHook::lineToPattern(deobfuscated_ssm);
+        if (!temp_pattern.ok()) reportConfigurationError("Failed first tier pattern: " + temp_pattern.getErr());
+        pattern = temp_pattern.unpackMove();
+    }
+
+    if (deobfuscated_keyword == "" && deobfuscated_ssm == "") {
+        reportConfigurationError("Both Simple String and Keyword are empty in a simple protection " + sig_name);
+    }
+}
+
+using MatchType = IPSSignatureSubTypes::BaseSignature::MatchType;
+
+MatchType
+SimpleProtection::Impl::getMatch(const set<PMPattern> &matches) const
+{
+    dbgTrace(D_IPS) << "Entering signature";
+    if (!pattern.empty() && matches.find(pattern) == matches.end()) return MatchType::NO_MATCH;
+
+    dbgTrace(D_IPS) << "Checking for rule";
+    if (!rule) return MatchType::MATCH;
+
+    dbgTrace(D_IPS) << "Running keywords";
+    return rule->isMatch() ? MatchType::MATCH : MatchType::NO_MATCH;
+}
+
+set<PMPattern>
+SimpleProtection::Impl::patternsInSignature() const
+{
+    set<PMPattern> res;
+    if (!pattern.empty()) res.insert(pattern);
+    return res;
+}