Feb 15th 2023 update

components/include/generic_rulebase/match_query.h

@@ -18,6 +18,7 @@
 #include <string>
 #include <set>
 #include <map>
+#include <memory>
 #include <arpa/inet.h>
 
 #include "cereal/types/string.hpp"
@@ -45,6 +46,13 @@ public:
         Domain,
         NotStatic
     };
+    struct MatchResult
+    {
+        bool is_match;
+        std::shared_ptr<std::set<std::string>> matched_keywords;
+    };
+
+    MatchQuery(): is_specific_label(false), is_ignore_keyword(false) {}
 
     void load(cereal::JSONInputArchive &archive_in);
 
@@ -58,6 +66,7 @@ public:
     const std::vector<IpProtoRange> & getProtoValue() const { return ip_proto_value; }
     const std::vector<MatchQuery> & getItems() const { return items; }
     std::string getFirstValue() const { return first_value; }
+    MatchResult getMatch(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
     bool matchAttributes(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
     bool matchException(const std::string &behaviorKey, const std::string &behaviorValue) const;
     bool isKeyTypeIp() const;
@@ -69,9 +78,14 @@ public:
     std::set<std::string> getAllKeys() const;
 
 private:
+    bool matchAttributes(
+            const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+            std::set<std::string> &matched_override_keywords) const;
     StaticKeys getKeyByName(const std::string &key_type_name);
-    bool matchAttributes(const std::set<std::string> &values) const;
-    bool matchAttributesRegEx(const std::set<std::string> &values) const;
+    bool matchAttributes(const std::set<std::string> &values,
+            std::set<std::string> &matched_override_keywords) const;
+    bool matchAttributesRegEx(const std::set<std::string> &values,
+            std::set<std::string> &matched_override_keywords) const;
     bool matchAttributesString(const std::set<std::string> &values) const;
     bool isRegEx() const;
 
@@ -88,6 +102,7 @@ private:
     std::vector<PortsRange> port_value;
     std::vector<IpProtoRange> ip_proto_value;
     std::vector<MatchQuery> items;
+    bool is_ignore_keyword;
 };
 
 #endif // __MATCH_QUERY_H__

components/include/generic_rulebase/parameters_config.h

@@ -200,6 +200,11 @@ public:
     std::set<ParameterBehavior>
     getBehavior(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
 
+    std::set<ParameterBehavior>
+    getBehavior(
+            const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+            std::set<std::string> &matched_override_keywords) const;
+
     static bool isGeoLocationExceptionExists() { return is_geo_location_exception_exists; }
 
 private:
@@ -218,4 +223,6 @@ private:
     static bool is_geo_location_exception_being_loaded;
 };
 
+static const ParameterBehavior action_ignore(BehaviorKey::ACTION, BehaviorValue::IGNORE);
+
 #endif //__PARAMETERS_CONFIG_H__

components/include/generic_rulebase/triggers_config.h

@@ -160,8 +160,10 @@ private:
 
     std::string name;
     std::string verbosity;
-    std::string url_for_syslog = "";
-    std::string url_for_cef = "";
+    std::string url_for_syslog = "UDP";
+    std::string url_for_cef = "UDP";
+    std::string syslog_protocol = "";
+    std::string cef_protocol = "";
     Flags<ReportIS::StreamType> active_streams;
     Flags<SecurityType> should_log_on_detect;
     Flags<SecurityType> should_log_on_prevent;