First release of open-appsec source code

components/include/generic_rulebase/asset.h

@@ -0,0 +1,31 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ASSET_H__
+#define __ASSET_H__
+
+#include <unordered_map>
+
+#include "i_environment.h"
+
+class Asset
+{
+public:
+    const std::map<Context::MetaDataType, std::string> & getAttrs() const { return attr; }
+    void setAttr(Context::MetaDataType type, const std::string &attr_val) { attr[type] = attr_val; }
+
+private:
+    std::map<Context::MetaDataType, std::string> attr;
+};
+
+#endif // __ASSET_H__

components/include/generic_rulebase/assets_config.h

@@ -0,0 +1,91 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ASSETS_CONFIG_H__
+#define __ASSETS_CONFIG_H__
+
+#include <vector>
+#include <string>
+#include <arpa/inet.h>
+
+#include "generic_rulebase_context.h"
+#include "c_common/ip_common.h"
+#include "connkey.h"
+
+class RuleAsset
+{
+public:
+    class AssetUrl
+    {
+    public:
+        void
+        load(cereal::JSONInputArchive &archive_in);
+        const std::string & getProtocol() const { return protocol; }
+        const std::string & getIp() const { return ip; }
+        const std::string & getPort() const { return port; }
+
+        uint8_t getParsedProtocol() const { return parsed_proto; }
+        const IpAddress & getParsedIp() const { return parsed_ip; }
+        uint16_t getParsedPort() const { return parsed_port; }
+        bool isAnyIp() const { return is_any_ip; }
+        bool isAnyPort() const { return is_any_port; }
+        bool isAnyProto() const { return is_any_proto; }
+
+    private:
+        static IpAddress ConvertToIpAddress(const IPAddr &addr);
+
+        std::string protocol;
+        std::string ip;
+        std::string port;
+        IpAddress parsed_ip;
+        uint16_t parsed_port;
+        uint8_t parsed_proto;
+        bool is_any_ip;
+        bool is_any_port;
+        bool is_any_proto;
+    };
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const GenericConfigId & getId() const { return asset_id; }
+    const std::string & getName() const { return asset_name; }
+    const std::vector<AssetUrl> & getUrls() const { return asset_urls; }
+    
+private:
+    GenericConfigId asset_id;
+    std::string asset_name;
+    std::vector<AssetUrl> asset_urls;
+};
+
+class Assets
+{
+public:
+    static void preload();
+
+    void load(cereal::JSONInputArchive &archive_in)
+    {
+        try {
+            cereal::load(archive_in, assets);
+        }catch (const cereal::Exception &) {
+        }
+    }
+
+    static const Assets empty_assets_config;
+
+    const std::vector<RuleAsset> & getAssets() const { return assets; }
+
+private:
+    std::vector<RuleAsset> assets;
+};
+
+#endif //__ASSETS_CONFIG_H__

components/include/generic_rulebase/evaluators/asset_eval.h

@@ -0,0 +1,36 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ASSET_EVAL_H__
+#define __ASSET_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+
+class AssetMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    AssetMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "assetId"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::string asset_id;
+};
+
+#endif // __ASSET_EVAL_H__

components/include/generic_rulebase/evaluators/connection_eval.h

@@ -0,0 +1,127 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __CONNECTION_EVAL_H__
+#define __CONNECTION_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+#include "connkey.h"
+
+class IpAddressMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    IpAddressMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "ipAddress"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<IPAddr>> values;
+};
+
+class SourceIpMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    SourceIpMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "sourceIP"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<IPAddr>> values;
+};
+
+class DestinationIpMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    DestinationIpMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "destinationIP"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<IPAddr>> values;
+};
+
+class SourcePortMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    SourcePortMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "sourcePort"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<PortNumber>> values;
+};
+
+class ListeningPortMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    ListeningPortMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "listeningPort"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<PortNumber>> values;
+};
+
+class IpProtocolMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    IpProtocolMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "ipProtocol"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<CustomRange<IPProto>> values;
+};
+
+class UrlMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    UrlMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "url"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::vector<std::string> values;
+};
+
+#endif // __CONNECTION_EVAL_H__

components/include/generic_rulebase/evaluators/http_transaction_data_eval.h

@@ -0,0 +1,74 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __HTTP_TRANSACTION_DATA_EVAL_H__
+#define __HTTP_TRANSACTION_DATA_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+#include "connkey.h"
+
+class EqualHost : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    EqualHost(const std::vector<std::string> &params);
+
+    static std::string getName() { return "EqualHost"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    std::string host;
+};
+
+class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    EqualListeningIP(const std::vector<std::string> &params);
+
+    static std::string getName() { return "EqualListeningIP"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    IPAddr listening_ip;
+};
+
+class EqualListeningPort : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    EqualListeningPort(const std::vector<std::string> &params);
+
+    static std::string getName() { return "EqualListeningPort"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    PortNumber listening_port;
+};
+
+class BeginWithUri : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    BeginWithUri(const std::vector<std::string> &params);
+
+    static std::string getName() { return "BeginWithUri"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    std::string uri_prefix;
+};
+
+#endif // __HTTP_TRANSACTION_DATA_EVAL_H__

components/include/generic_rulebase/evaluators/parameter_eval.h

@@ -0,0 +1,36 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __PARAMETER_EVAL_H__
+#define __PARAMETER_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+
+class ParameterMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    ParameterMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "parameterId"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::string parameter_id;
+};
+
+#endif // __PARAMETER_EVAL_H__

components/include/generic_rulebase/evaluators/practice_eval.h

@@ -0,0 +1,36 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __PRACTICE_EVAL_H__
+#define __PRACTICE_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+
+class PracticeMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    PracticeMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "practiceId"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::string practice_id;
+};
+
+#endif // __PRACTICE_EVAL_H__

components/include/generic_rulebase/evaluators/query_eval.h

@@ -0,0 +1,43 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __QUERY_EVAL_H__
+#define __QUERY_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "i_generic_rulebase.h"
+#include "singleton.h"
+
+class QueryMatcher
+        :
+    public EnvironmentEvaluator<bool>,
+    Singleton::Consume<I_Environment>,
+    Singleton::Consume<I_GenericRulebase>
+{
+public:
+    QueryMatcher(const std::vector<std::string> &query_params);
+
+    static std::string getName() { return "matchQuery"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    static const std::string contextKeyToString(Context::MetaDataType type);
+
+    std::string key;
+    std::unordered_set<std::string> values;
+    bool is_any = false;
+};
+
+#endif // __QUERY_EVAL_H__

components/include/generic_rulebase/evaluators/trigger_eval.h

@@ -0,0 +1,36 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __TRIGGER_EVAL_H__
+#define __TRIGGER_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+
+class TriggerMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    TriggerMatcher(const std::vector<std::string> &params);
+
+    static std::string getName() { return "triggerId"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::string trigger_id;
+};
+
+#endif // __TRIGGER_EVAL_H__

components/include/generic_rulebase/evaluators/zone_eval.h

@@ -0,0 +1,36 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ZONE_EVAL_H__
+#define __ZONE_EVAL_H__
+
+#include "environment/evaluator_templates.h"
+#include "i_environment.h"
+#include "singleton.h"
+
+class ZoneMatcher : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    ZoneMatcher(const std::vector<std::string> &zones);
+
+    static std::string getName() { return "zoneId"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+    static std::string ctx_key;
+
+private:
+    std::string zone_id;
+};
+
+#endif // __ZONE_EVAL_H__

components/include/generic_rulebase/generic_rulebase.h

@@ -0,0 +1,44 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __GENERIC_RULEBASE_H__
+#define __GENERIC_RULEBASE_H__
+
+#include <memory>
+
+#include "i_generic_rulebase.h"
+#include "i_intelligence_is_v2.h"
+#include "singleton.h"
+#include "component.h"
+
+class GenericRulebase
+        :
+    public Component,
+    Singleton::Provide<I_GenericRulebase>,
+    Singleton::Consume<I_Intelligence_IS_V2>
+{
+public:
+    GenericRulebase();
+    ~GenericRulebase();
+
+    void preload();
+
+    void init();
+    void fini();
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __GENERIC_RULEBASE_H__

components/include/generic_rulebase/generic_rulebase_context.h

@@ -0,0 +1,39 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __GENERIC_RULEBASE_CONTEXT_H__
+#define __GENERIC_RULEBASE_CONTEXT_H__
+
+#include "rulebase_config.h"
+#include "context.h"
+#include "config.h"
+
+enum class RuleRegistrationState {REGISTERED, UNREGISTERED, UNINITIALIZED};
+
+class GenericRulebaseContext
+{
+public:
+    GenericRulebaseContext() : ctx(), registration_state(RuleRegistrationState::UNINITIALIZED) {}
+
+    void activate(const BasicRuleConfig &rule);
+
+    void activate();
+
+    void deactivate() { if (registration_state == RuleRegistrationState::REGISTERED) ctx.deactivate(); }
+
+private:
+    Context ctx;
+    RuleRegistrationState registration_state;
+};
+
+#endif //__GENERIC_RULEBASE_CONTEXT_H__

components/include/generic_rulebase/generic_rulebase_utils.h

@@ -0,0 +1,39 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __GENERIC_RULEBASE_UTILS_H__
+#define __GENERIC_RULEBASE_UTILS_H__
+
+#include <string>
+
+#include "debug.h"
+#include "cereal/archives/json.hpp"
+
+USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
+
+template <typename T>
+void
+parseJSONKey(const std::string &key_name, T &value, cereal::JSONInputArchive &archive_in)
+{
+    try {
+        archive_in(cereal::make_nvp(key_name, value));
+    } catch (const cereal::Exception &e) {
+        dbgDebug(D_RULEBASE_CONFIG)
+            << "Could not parse the required key. Key: "
+            << key_name
+            << ", Error: "
+            << e.what();
+    }
+}
+
+#endif //__GENERIC_RULEBASE_UTILS_H__

components/include/generic_rulebase/match_query.h

@@ -0,0 +1,93 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __MATCH_QUERY_H__
+#define __MATCH_QUERY_H__
+
+#include <vector>
+#include <string>
+#include <set>
+#include <map>
+#include <arpa/inet.h>
+
+#include "cereal/types/string.hpp"
+#include "cereal/types/vector.hpp"
+#include "cereal/archives/json.hpp"
+
+#include <boost/regex.hpp>
+
+#include "c_common/ip_common.h"
+
+class MatchQuery
+{
+public:
+    enum class MatchType { Condition, Operator };
+    enum class Operators { And, Or, None };
+    enum class Conditions { Equals, NotEquals, In, NotIn, Exist, None };
+    enum class StaticKeys
+    {
+        IpAddress,
+        SrcIpAddress,
+        DstIpAddress,
+        SrcPort,
+        ListeningPort,
+        IpProtocol,
+        Domain,
+        NotStatic
+    };
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    MatchType getType() const { return type; }
+    Operators getOperatorType() const { return operator_type; }
+    Conditions getConditionType() const { return condition_type; }
+    const std::string & getKey() const { return key; }
+    const std::set<std::string> & getValue() const { return value; }
+    const std::vector<IPRange> & getIpAddrValue() const { return ip_addr_value; }
+    const std::vector<PortsRange> & getPortValue() const { return port_value; }
+    const std::vector<IpProtoRange> & getProtoValue() const { return ip_proto_value; }
+    const std::vector<MatchQuery> & getItems() const { return items; }
+    std::string getFirstValue() const { return first_value; }
+    bool matchAttributes(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
+    bool matchException(const std::string &behaviorKey, const std::string &behaviorValue) const;
+    bool isKeyTypeIp() const;
+    bool isKeyTypePort() const;
+    bool isKeyTypeProtocol() const;
+    bool isKeyTypeDomain() const;
+    bool isKeyTypeSpecificLabel() const;
+    bool isKeyTypeStatic() const;
+    std::set<std::string> getAllKeys() const;
+
+private:
+    StaticKeys getKeyByName(const std::string &key_type_name);
+    bool matchAttributes(const std::set<std::string> &values) const;
+    bool matchAttributesRegEx(const std::set<std::string> &values) const;
+    bool matchAttributesString(const std::set<std::string> &values) const;
+    bool isRegEx() const;
+
+    MatchType type;
+    Operators operator_type;
+    Conditions condition_type;
+    std::string key;
+    StaticKeys key_type;
+    bool is_specific_label;
+    std::string first_value;
+    std::set<std::string> value;
+    std::set<boost::regex> regex_values;
+    std::vector<IPRange> ip_addr_value;
+    std::vector<PortsRange> port_value;
+    std::vector<IpProtoRange> ip_proto_value;
+    std::vector<MatchQuery> items;
+};
+
+#endif // __MATCH_QUERY_H__

components/include/generic_rulebase/parameters_config.h

@@ -0,0 +1,221 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __PARAMETERS_CONFIG_H__
+#define __PARAMETERS_CONFIG_H__
+
+#include <string>
+#include <vector>
+#include <set>
+#include <unordered_map>
+
+#include "cereal/types/string.hpp"
+#include "cereal/types/vector.hpp"
+#include "cereal/archives/json.hpp"
+#include "generic_rulebase/generic_rulebase_utils.h"
+#include "match_query.h"
+#include "maybe_res.h"
+#include "config.h"
+
+enum class BehaviorKey
+{
+    ACTION,
+    LOG,
+    SOURCE_IDENTIFIER,
+    HTTP_SOURCE_ID,
+    HTTPS_SOURCE_ID
+};
+
+enum class BehaviorValue
+{
+    REJECT,
+    ACCEPT,
+    IGNORE,
+    DROP,
+    X_FORWARDED_FOR,
+    COOKIE_AOUTH2_PROXY,
+    COOKIE_JSESSIONID
+};
+
+static const std::unordered_map<std::string, BehaviorKey> string_to_behavior_key = {
+    { "action", BehaviorKey::ACTION },
+    { "log", BehaviorKey::LOG },
+    { "sourceIdentifier", BehaviorKey::SOURCE_IDENTIFIER },
+    { "httpSourceId", BehaviorKey::HTTP_SOURCE_ID },
+    { "httpsSourceId", BehaviorKey::HTTPS_SOURCE_ID }
+};
+
+static const std::unordered_map<std::string, BehaviorValue> string_to_behavior_val = {
+    { "Cookie:_oauth2_proxy", BehaviorValue::COOKIE_AOUTH2_PROXY },
+    { "Cookie:JSESSIONID", BehaviorValue::COOKIE_JSESSIONID },
+    { "X-Forwarded-For", BehaviorValue::X_FORWARDED_FOR },
+    { "reject", BehaviorValue::REJECT },
+    { "accept", BehaviorValue::ACCEPT },
+    { "ignore", BehaviorValue::IGNORE },
+    { "drop", BehaviorValue::DROP }
+};
+
+class ParameterOverrides
+{
+public:
+    class ParsedBehavior
+    {
+    public:
+        void
+        serialize(cereal::JSONInputArchive &archive_in)
+        {
+            parseJSONKey<std::string>("log", log, archive_in);
+        }
+
+        const std::string & getParsedBehaviorLog() const { return log; }
+
+    private:
+        std::string log;
+    };
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const std::vector<ParsedBehavior> & getParsedBehaviors() const { return parsed_behaviors; }
+
+private:
+    std::vector<ParsedBehavior> parsed_behaviors;
+};
+
+class ParameterTrustedSources
+{
+public:
+    class SourcesIdentifier
+    {
+    public:
+
+        SourcesIdentifier() = default;
+
+        void
+        serialize(cereal::JSONInputArchive &archive_in)
+        {
+            parseJSONKey<std::string>("sourceIdentifier", source_identifier, archive_in);
+            parseJSONKey<std::string>("value", value, archive_in);
+        }
+
+        const std::string & getSourceIdentifier() const {return source_identifier; }
+
+        const std::string & getValue() const {return value; }
+
+    private:
+        std::string source_identifier;
+        std::string value;
+    };
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    uint getNumOfSources() const { return num_of_sources; }
+
+    const std::vector<SourcesIdentifier> & getSourcesIdentifiers() const { return sources_identidiers; }
+
+private:
+    uint num_of_sources;
+    std::vector<SourcesIdentifier> sources_identidiers;
+};
+
+class ParameterBehavior
+{
+public:
+    ParameterBehavior() = default;
+    ParameterBehavior(BehaviorKey &_key, BehaviorValue &_value) : key(_key), value(_value) {}
+    ParameterBehavior(BehaviorKey &&_key, BehaviorValue &&_value)
+            :
+        key(std::move(_key)),
+        value(std::move(_value))
+    {}
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const BehaviorValue & getValue() const { return value; }
+
+    const BehaviorKey & getKey() const { return key; }
+
+    const std::string & getId() const { return id; }
+
+    bool
+    operator<(const ParameterBehavior &other) const {
+        return (key < other.key) || (key == other.key && value < other.value);
+    }
+
+    bool operator==(const ParameterBehavior &other) const { return key == other.key && value == other.value; }
+
+private:
+    std::string id;
+    BehaviorKey key;
+    BehaviorValue value;
+};
+
+class ParameterAntiBot
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+    std::vector<std::string> & getInjected() { return injected; }
+
+    std::vector<std::string> & getValidated() { return validated; }
+
+private:
+    std::vector<std::string> injected;
+    std::vector<std::string> validated;
+};
+
+class ParameterOAS
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const std::string & getValue() const { return value; }
+
+private:
+    std::string value;
+};
+
+class ParameterException
+{
+public:
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<ParameterException>("rulebase", "exception");
+        registerConfigLoadCb([](){ is_geo_location_exception_exists = is_geo_location_exception_being_loaded; });
+        registerConfigPrepareCb([](){ is_geo_location_exception_being_loaded = false; });
+    }
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    std::set<ParameterBehavior>
+    getBehavior(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
+
+    static bool isGeoLocationExceptionExists() { return is_geo_location_exception_exists; }
+
+private:
+    class MatchBehaviorPair
+    {
+    public:
+        void load(cereal::JSONInputArchive &archive_in);
+        MatchQuery match;
+        ParameterBehavior behavior;
+    };
+
+    std::vector<MatchBehaviorPair> match_queries;
+    MatchQuery match;
+    ParameterBehavior behavior;
+    static bool is_geo_location_exception_exists;
+    static bool is_geo_location_exception_being_loaded;
+};
+
+#endif //__PARAMETERS_CONFIG_H__

components/include/generic_rulebase/rulebase_config.h

@@ -0,0 +1,167 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __RULEBASE_CONFIG_H__
+#define __RULEBASE_CONFIG_H__
+
+#include <vector>
+#include <string>
+#include <set>
+#include <unordered_map>
+
+#include "generic_rulebase/generic_rulebase_utils.h"
+#include "environment/evaluator_templates.h"
+#include "cereal/types/string.hpp"
+#include "cereal/types/vector.hpp"
+#include "cereal/archives/json.hpp"
+#include "i_environment.h"
+#include "singleton.h"
+#include "maybe_res.h"
+#include "config.h"
+
+using GenericConfigId = std::string;
+
+class RulePractice
+{
+public:
+    RulePractice() = default;
+
+    RulePractice(GenericConfigId &_id, std::string &_name) : practice_id(_id), practice_name(_name) {};
+
+    void
+    serialize(cereal::JSONInputArchive &ar)
+    {
+        parseJSONKey<GenericConfigId>("practiceId", practice_id, ar);
+        parseJSONKey<std::string>("practiceName", practice_name, ar);
+    }
+
+    const GenericConfigId getId() const { return practice_id; }
+
+    const std::string getName() const { return practice_name; }
+
+    bool
+    operator==(const RulePractice &other) const
+    {
+        return practice_id == other.getId() && practice_name == other.getName();
+    }
+
+private:
+    GenericConfigId practice_id;
+    std::string practice_name;
+};
+
+class RuleTrigger
+{
+public:
+    void
+    serialize(cereal::JSONInputArchive &ar)
+    {
+        parseJSONKey<GenericConfigId>("triggerId", trigger_id, ar);
+        parseJSONKey<std::string>("triggerType", trigger_type, ar);
+        parseJSONKey<std::string>("triggerName", trigger_name, ar);
+    }
+
+    const GenericConfigId getId() const { return trigger_id; }
+
+    const std::string getType() const { return trigger_type; }
+
+    const std::string getName() const { return trigger_name; }
+
+private:
+    GenericConfigId trigger_id;
+    std::string trigger_type;
+    std::string trigger_name;
+};
+
+class RuleParameter
+{
+public:
+    void
+    serialize(cereal::JSONInputArchive &ar)
+    {
+        parseJSONKey<GenericConfigId>("parameterId", parameter_id, ar);
+        parseJSONKey<std::string>("parameterType", parameter_type, ar);
+        parseJSONKey<std::string>("parameterName", parameter_name, ar);
+    }
+
+    const GenericConfigId getId() const { return parameter_id; }
+
+    const std::string getType() const { return parameter_type; }
+
+    const std::string getName() const { return parameter_name; }
+
+private:
+    GenericConfigId parameter_id;
+    std::string parameter_type;
+    std::string parameter_name;
+};
+
+class BasicRuleConfig
+{
+public:
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
+        registerExpectedSetting<std::vector<BasicRuleConfig>>("rulebase", "rulesConfig");
+        registerConfigLoadCb(BasicRuleConfig::updateCountMetric);
+        registerConfigPrepareCb([](){ BasicRuleConfig::assets_ids_aggregation.clear(); });
+    }
+
+    void load(cereal::JSONInputArchive &ar);
+
+    static void updateCountMetric();
+
+    bool isPracticeActive(const GenericConfigId &practice_id) const;
+
+    bool isTriggerActive(const GenericConfigId &trigger_id) const;
+
+    bool isParameterActive(const GenericConfigId &parameter_id) const;
+
+    uint8_t getPriority() const { return priority; }
+
+    const GenericConfigId & getRuleId() const { return rule_id; }
+
+    const std::string & getRuleName() const { return rule_name; }
+
+    const GenericConfigId & getAssetId() const { return asset_id; }
+
+    const std::string & getAssetName() const { return asset_name; }
+
+    const GenericConfigId & getZoneId() const { return zone_id; }
+
+    const std::string & getZoneName() const { return zone_name; }
+
+    const std::vector<RulePractice> & getPractices() const { return practices; }
+
+    const std::vector<RuleTrigger> & getTriggers() const { return triggers; }
+
+    const std::vector<RuleParameter> & getParameters() const { return parameters; }
+
+private:
+    uint8_t priority = 0;
+    GenericConfigId rule_id = "";
+    std::string rule_name;
+    GenericConfigId asset_id;
+    std::string asset_name;
+    GenericConfigId zone_id;
+    std::string zone_name;
+    std::vector<RulePractice> practices;
+    std::vector<RuleTrigger> triggers;
+    std::vector<RuleParameter> parameters;
+
+    static std::set<std::string> assets_ids;
+    static std::set<std::string> assets_ids_aggregation;
+};
+
+#endif // __RULEBASE_CONFIG_H__

components/include/generic_rulebase/triggers_config.h

@@ -0,0 +1,174 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __TRIGGERS_CONFIG_H__
+#define __TRIGGERS_CONFIG_H__
+
+#include <vector>
+#include <string>
+
+#include "environment/evaluator_templates.h"
+#include "cereal/types/string.hpp"
+#include "cereal/types/vector.hpp"
+#include "cereal/archives/json.hpp"
+#include "i_environment.h"
+#include "i_logging.h"
+#include "singleton.h"
+#include "maybe_res.h"
+#include "config.h"
+#include "log_generator.h"
+#include "generic_rulebase_utils.h"
+
+class WebTriggerConf
+{
+public:
+    WebTriggerConf();
+    WebTriggerConf(const std::string &title, const std::string &body, uint code);
+
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<WebTriggerConf>("rulebase", "webUserResponse");
+    }
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    bool operator==(const WebTriggerConf &other) const;
+
+    uint getResponseCode() const { return response_code; }
+
+    const std::string & getResponseTitle() const { return response_title; }
+
+    const std::string & getResponseBody() const { return response_body; }
+
+    const std::string & getDetailsLevel() const { return details_level; }
+
+    const std::string & getRedirectURL() const { return redirect_url; }
+
+    bool getAddEventId() const { return add_event_id_to_header; }
+
+    static WebTriggerConf default_trigger_conf;
+
+private:
+    std::string response_title;
+    std::string details_level;
+    std::string response_body;
+    std::string redirect_url;
+    uint        response_code;
+    bool        add_event_id_to_header = false;
+};
+
+class LogTriggerConf : Singleton::Consume<I_Logging>
+{
+public:
+    enum class SecurityType { AccessControl, ThreatPrevention, Compliance, COUNT };
+    enum class extendLoggingSeverity { None, High, Critical };
+
+    enum class WebLogFields {
+        webBody,
+        webHeaders,
+        webRequests,
+        webUrlPath,
+        webUrlQuery,
+        responseBody,
+        responseCode,
+        COUNT
+    };
+
+    LogTriggerConf() {}
+
+    LogTriggerConf(std::string trigger_name, bool log_detect, bool log_prevent);
+
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<LogTriggerConf>("rulebase", "log");
+    }
+
+    template <typename ...Tags>
+    LogGen
+    operator()(
+        const std::string &title,
+        SecurityType security,
+        ReportIS::Severity severity,
+        ReportIS::Priority priority,
+        bool is_action_drop_or_prevent,
+        Tags ...tags) const
+    {
+        return LogGen(
+            title,
+            ReportIS::Level::LOG,
+            ReportIS::Audience::SECURITY,
+            severity,
+            priority,
+            std::forward<Tags>(tags)...,
+            getStreams(security, is_action_drop_or_prevent),
+            getEnrechments(security)
+        );
+    }
+
+    template <typename ...Tags>
+    LogGen
+    operator()(const std::string &title, SecurityType security, bool is_action_drop_or_prevent, Tags ...tags) const
+    {
+        return (*this)(
+            title,
+            security,
+            getSeverity(is_action_drop_or_prevent),
+            getPriority(is_action_drop_or_prevent),
+            is_action_drop_or_prevent,
+            std::forward<Tags>(tags)...
+        );
+    }
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    bool isWebLogFieldActive(WebLogFields log_field) const { return log_web_fields.isSet(log_field); }
+
+    bool isLogStreamActive(ReportIS::StreamType stream_type) const { return active_streams.isSet(stream_type); }
+
+    bool isPreventLogActive(SecurityType security_type) const { return should_log_on_prevent.isSet(security_type); }
+
+    bool isDetectLogActive(SecurityType security_type) const { return should_log_on_detect.isSet(security_type); }
+
+    bool isLogGeoLocationActive(SecurityType security_type) const { return log_geo_location.isSet(security_type); }
+
+    extendLoggingSeverity getExtendLoggingSeverity() const { return extend_logging_severity; }
+
+    const std::string & getVerbosity() const { return verbosity; }
+    const std::string & getName() const { return name; }
+
+    const std::string & getUrlForSyslog() const { return url_for_syslog; }
+    const std::string & getUrlForCef() const { return url_for_cef; }
+
+private:
+    ReportIS::Severity getSeverity(bool is_action_drop_or_prevent) const;
+    ReportIS::Priority getPriority(bool is_action_drop_or_prevent) const;
+
+    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
+    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
+
+    std::string name;
+    std::string verbosity;
+    std::string url_for_syslog = "";
+    std::string url_for_cef = "";
+    Flags<ReportIS::StreamType> active_streams;
+    Flags<SecurityType> should_log_on_detect;
+    Flags<SecurityType> should_log_on_prevent;
+    Flags<SecurityType> log_geo_location;
+    Flags<WebLogFields> log_web_fields;
+    extendLoggingSeverity extend_logging_severity = extendLoggingSeverity::None;
+    bool should_format_output = false;
+};
+
+#endif //__TRIGGERS_CONFIG_H__

components/include/generic_rulebase/zone.h

@@ -0,0 +1,55 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ZONE_H__
+#define __ZONE_H__
+
+#include <vector>
+#include <string>
+#include <set>
+#include <arpa/inet.h>
+
+#include "generic_rulebase_context.h"
+#include "match_query.h"
+#include "i_environment.h"
+#include "i_intelligence_is_v2.h"
+#include "asset.h"
+
+class Zone : Singleton::Consume<I_Intelligence_IS_V2>, Singleton::Consume<I_Environment>
+{
+    using AttrData = std::unordered_map<std::string, std::set<std::string>>;
+
+public:
+    enum class Direction { To, From, Bidirectional };
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    bool contains(const Asset &asset);
+
+    GenericConfigId getId() const { return zone_id; }
+    const std::string & getName() const { return zone_name; }
+    const std::vector<std::pair<Direction, GenericConfigId>> & getAdjacentZones() const { return adjacent_zones; }
+    const MatchQuery & getMatchQuery() const { return match_query; }
+    bool isAnyZone() const { return is_any; }
+
+private:
+    bool matchAttributes(const AttrData &data);
+
+    GenericConfigId zone_id;
+    std::string zone_name;
+    std::vector<std::pair<Direction, GenericConfigId>> adjacent_zones;
+    MatchQuery match_query;
+    bool is_any;
+};
+
+#endif // __ZONE_H__

components/include/generic_rulebase/zones_config.h

@@ -0,0 +1,53 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ZONES_CONFIG_H__
+#define __ZONES_CONFIG_H__
+
+#include <vector>
+#include <string>
+#include <set>
+#include <arpa/inet.h>
+
+#include "generic_rulebase_context.h"
+#include "match_query.h"
+#include "i_generic_rulebase.h"
+#include "zone.h"
+
+class Zones
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in)
+    {
+        cereal::load(archive_in, zones);
+    }
+
+    const std::vector<Zone> & getZones() const { return zones; }
+
+    std::vector<Zone> zones;
+};
+
+class ZonesConfig : Singleton::Consume<I_GenericRulebase>
+{
+public:
+    static void preload();
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const std::vector<Zone> & getZones() const { return zones; }
+
+private:
+    std::vector<Zone> zones;
+};
+
+#endif //__ZONES_CONFIG_H__