Jan 06 2026 dev (#387)

* sync code

* update code to support brotli

* update code to support brotli

* update code to support brotli

* sync code

* fix findBrotli

* sync code

* sync code

* sync code

* sync code

---------

Co-authored-by: Ned Wright <nedwright@proton.me>
Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>

components/include/generic_rulebase/match_query.h

@@ -68,8 +68,12 @@ public:
     const std::vector<IpProtoRange> & getProtoValue() const { return ip_proto_value; }
     const std::vector<MatchQuery> & getItems() const { return items; }
     std::string getFirstValue() const { return first_value; }
-    MatchResult getMatch(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
-    bool matchAttributes(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
+    MatchResult getMatch(
+        const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+        bool skip_irrelevant_key = false) const;
+    bool matchAttributes(
+        const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+        bool skip_irrelevant_key = false) const;
     bool matchException(const std::string &behaviorKey, const std::string &behaviorValue) const;
     bool isKeyTypeIp() const;
     bool isKeyTypePort() const;
@@ -82,7 +86,8 @@ public:
 private:
     bool matchAttributes(
             const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
-            std::set<std::string> &matched_override_keywords) const;
+            std::set<std::string> &matched_override_keywords,
+            bool skip_irrelevant_key = false) const;
     StaticKeys getKeyByName(const std::string &key_type_name);
     bool matchAttributes(const std::set<std::string> &values,
             std::set<std::string> &matched_override_keywords) const;

components/include/generic_rulebase/parameters_config.h

@@ -190,7 +190,7 @@ public:
     static void
     preload()
     {
-        registerExpectedConfiguration<ParameterException>("rulebase", "exception");
+        registerExpectedConfigurationWithCache<ParameterException>("assetId", "rulebase", "exception");
         registerConfigLoadCb([](){ is_geo_location_exception_exists = is_geo_location_exception_being_loaded; });
         registerConfigPrepareCb([](){ is_geo_location_exception_being_loaded = false; });
     }
@@ -198,14 +198,20 @@ public:
     void load(cereal::JSONInputArchive &archive_in);
 
     std::set<ParameterBehavior>
-    getBehavior(const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs) const;
+    getBehavior(
+        const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+        bool skip_irrelevant_key = false) const;
 
     std::set<ParameterBehavior>
     getBehavior(
-            const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
-            std::set<std::string> &matched_override_keywords) const;
+        const std::unordered_map<std::string, std::set<std::string>> &key_value_pairs,
+        std::set<std::string> &matched_override_keywords,
+        bool skip_irrelevant_key = false) const;
 
     static bool isGeoLocationExceptionExists() { return is_geo_location_exception_exists; }
+    const MatchQuery& getMatch() const { return match; }
+    bool isContainingKVPair() const { return is_containing_kv_pair; }
+    bool checkKVPair() const;
 
 private:
     class MatchBehaviorPair
@@ -221,6 +227,7 @@ private:
     ParameterBehavior behavior;
     static bool is_geo_location_exception_exists;
     static bool is_geo_location_exception_being_loaded;
+    bool is_containing_kv_pair;
 };
 
 static const ParameterBehavior action_ignore(BehaviorKey::ACTION, BehaviorValue::IGNORE);

components/include/generic_rulebase/rulebase_config.h

@@ -112,7 +112,7 @@ public:
     static void
     preload()
     {
-        registerExpectedConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
+        registerExpectedConfigurationWithCache<BasicRuleConfig>("assetId", "rulebase", "rulesConfig");
         registerExpectedSetting<std::vector<BasicRuleConfig>>("rulebase", "rulesConfig");
         registerConfigLoadCb(BasicRuleConfig::updateCountMetric);
         registerConfigPrepareCb([](){ BasicRuleConfig::assets_ids_aggregation.clear(); });

components/include/generic_rulebase/triggers_config.h

@@ -52,7 +52,7 @@ public:
     static void
     preload()
     {
-        registerExpectedConfiguration<WebTriggerConf>("rulebase", "webUserResponse");
+        registerExpectedConfigurationWithCache<WebTriggerConf>("triggerId", "rulebase", "webUserResponse");
     }
 
     /// \brief Load function to deserialize configuration from JSONInputArchive.
@@ -104,6 +104,14 @@ public:
         return redirect_url;
     }
 
+    /// \brief Get the content type for the trigger.
+    /// \return The content type for the trigger.
+    const std::string &
+    getContentType() const
+    {
+        return content_type;
+    }
+
     /// \brief Check if the trigger should add an event ID to the header.
     /// \return True if the trigger should add an event ID, otherwise false.
     bool
@@ -120,6 +128,7 @@ private:
     std::string details_level;
     std::string response_body;
     std::string redirect_url;
+    std::string content_type;
     uint response_code;
     bool add_event_id_to_header = false;
 };
@@ -175,7 +184,8 @@ public:
     static void
     preload()
     {
-        registerExpectedConfiguration<LogTriggerConf>("rulebase", "log");
+        //registerExpectedConfiguration<LogTriggerConf>("rulebase", "log");
+        registerExpectedConfigurationWithCache<LogTriggerConf>("triggerId", "rulebase", "log");
     }
 
     /// \brief LogGen operator for LogTriggerConf.
@@ -260,6 +270,15 @@ public:
         return should_log_on_prevent.isSet(security_type);
     }
 
+    /// \brief Check if should ignore exception log for the given security type.
+    /// \param security_type The security type to check.
+    /// \return True if should ignore exception, otherwise false.
+    bool
+    shouldIgnoreExceptionLog(SecurityType security_type) const
+    {
+        return should_log_exception.isSet(security_type);
+    }
+
     /// \brief Check if the log is active on detect for the given security type.
     /// \param security_type The security type to check.
     /// \return True if the log is active on detect, otherwise false.
@@ -333,6 +352,7 @@ private:
     Flags<ReportIS::StreamType> active_streams;
     Flags<SecurityType> should_log_on_detect;
     Flags<SecurityType> should_log_on_prevent;
+    Flags<SecurityType> should_log_exception;
     Flags<SecurityType> log_geo_location;
     Flags<WebLogFields> log_web_fields;
     extendLoggingSeverity extend_logging_severity = extendLoggingSeverity::None;
@@ -349,7 +369,7 @@ public:
     static void
     preload()
     {
-        registerExpectedConfiguration<ReportTriggerConf>("rulebase", "report");
+        registerExpectedConfigurationWithCache<ReportTriggerConf>("triggerId", "rulebase", "report");
     }
 
     /// \brief Load function to deserialize configuration from JSONInputArchive.