2014-08-22 14:39:17 -04:00
|
|
|
/*
|
|
|
|
|
* Support for matcher using PCRE
|
|
|
|
|
*
|
2017-12-21 14:39:01 -05:00
|
|
|
* Copyright (C) 2015, 2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2014-08-22 14:39:17 -04:00
|
|
|
* Copyright (C) 2007-2013 Sourcefire, Inc.
|
|
|
|
|
* All Rights Reserved.
|
|
|
|
|
*
|
|
|
|
|
* Authors: Kevin Lin
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include "clamav.h"
|
|
|
|
|
#include "cltypes.h"
|
2014-09-15 18:10:11 -04:00
|
|
|
#include "dconf.h"
|
2014-09-16 15:56:56 -04:00
|
|
|
#include "events.h"
|
2014-08-22 14:39:17 -04:00
|
|
|
#include "others.h"
|
2014-09-09 17:14:12 -04:00
|
|
|
#include "matcher.h"
|
2014-09-23 13:31:47 -04:00
|
|
|
#include "matcher-ac.h"
|
2014-08-22 14:39:17 -04:00
|
|
|
#include "matcher-pcre.h"
|
|
|
|
|
#include "mpool.h"
|
2015-06-01 14:32:04 -04:00
|
|
|
#include "readdb.h"
|
2014-08-22 14:39:17 -04:00
|
|
|
#include "regex_pcre.h"
|
2018-08-15 17:04:25 -04:00
|
|
|
#include "str.h"
|
2014-08-22 14:39:17 -04:00
|
|
|
|
2014-09-18 14:10:12 -04:00
|
|
|
#if HAVE_PCRE
|
2016-02-08 11:28:42 -05:00
|
|
|
#if USING_PCRE2
|
|
|
|
|
#define PCRE2_CODE_UNIT_WIDTH 8
|
|
|
|
|
#include <pcre2.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <pcre.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
/* DEBUGGING */
|
|
|
|
|
//#define MATCHER_PCRE_DEBUG
|
|
|
|
|
#ifdef MATCHER_PCRE_DEBUG
|
|
|
|
|
# define pm_dbgmsg(...) cli_dbgmsg( __VA_ARGS__)
|
|
|
|
|
#else
|
|
|
|
|
# define pm_dbgmsg(...)
|
|
|
|
|
#endif
|
|
|
|
|
#undef MATCHER_PCRE_DEBUG
|
|
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
/* PERFORMANCE MACROS AND FUNCTIONS */
|
|
|
|
|
#define MAX_TRACKED_PCRE 64
|
|
|
|
|
#define PCRE_EVENTS_PER_SIG 2
|
|
|
|
|
#define MAX_PCRE_SIGEVENT_ID MAX_TRACKED_PCRE*PCRE_EVENTS_PER_SIG
|
|
|
|
|
|
2014-09-11 12:27:52 -04:00
|
|
|
cli_events_t *p_sigevents = NULL;
|
2014-09-16 15:56:56 -04:00
|
|
|
unsigned int p_sigid = 0;
|
|
|
|
|
|
2014-10-27 15:53:41 -04:00
|
|
|
static void pcre_perf_events_init(struct cli_pcre_meta *pm, const char *virname)
|
2014-09-16 15:56:56 -04:00
|
|
|
{
|
|
|
|
|
int ret;
|
2015-08-17 16:59:09 -04:00
|
|
|
size_t namelen;
|
2014-09-16 15:56:56 -04:00
|
|
|
|
|
|
|
|
if (!p_sigevents) {
|
|
|
|
|
p_sigevents = cli_events_new(MAX_PCRE_SIGEVENT_ID);
|
|
|
|
|
if (!p_sigevents) {
|
|
|
|
|
cli_errmsg("pcre_perf: no memory for events table\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p_sigid > MAX_PCRE_SIGEVENT_ID - PCRE_EVENTS_PER_SIG - 1) {
|
|
|
|
|
cli_errmsg("pcre_perf: events table full. Increase MAX_TRACKED_PCRE\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-17 16:59:09 -04:00
|
|
|
if (!virname) {
|
2014-10-27 15:53:41 -04:00
|
|
|
virname = "(null)";
|
2015-08-17 16:59:09 -04:00
|
|
|
namelen = 7;
|
|
|
|
|
} else {
|
|
|
|
|
namelen = strlen(virname)+strlen(pm->pdata.expression)+3;
|
|
|
|
|
}
|
2014-10-27 15:53:41 -04:00
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
/* set the name */
|
2015-06-01 14:32:04 -04:00
|
|
|
pm->statname = (char*)cli_calloc(1, namelen);
|
2014-10-27 15:53:41 -04:00
|
|
|
if (!pm->statname) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
snprintf(pm->statname, namelen, "%s/%s/", virname, pm->pdata.expression);
|
2014-09-16 15:56:56 -04:00
|
|
|
|
2014-10-27 15:53:41 -04:00
|
|
|
pm_dbgmsg("pcre_perf: adding sig ids starting %u for %s\n", p_sigid, pm->statname);
|
2014-09-16 15:56:56 -04:00
|
|
|
|
|
|
|
|
/* register time event */
|
|
|
|
|
pm->sigtime_id = p_sigid;
|
2014-10-27 15:53:41 -04:00
|
|
|
ret = cli_event_define(p_sigevents, p_sigid++, pm->statname, ev_time, multiple_sum);
|
2014-09-16 15:56:56 -04:00
|
|
|
if (ret) {
|
|
|
|
|
cli_errmsg("pcre_perf: cli_event_define() error for time event id %d\n", pm->sigtime_id);
|
|
|
|
|
pm->sigtime_id = MAX_PCRE_SIGEVENT_ID+1;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* register match count */
|
|
|
|
|
pm->sigmatch_id = p_sigid;
|
2014-10-27 15:53:41 -04:00
|
|
|
ret = cli_event_define(p_sigevents, p_sigid++, pm->statname, ev_int, multiple_sum);
|
2014-09-16 15:56:56 -04:00
|
|
|
if (ret) {
|
|
|
|
|
cli_errmsg("pcre_perf: cli_event_define() error for matches event id %d\n", pm->sigmatch_id);
|
|
|
|
|
pm->sigmatch_id = MAX_PCRE_SIGEVENT_ID+1;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct sigperf_elem {
|
|
|
|
|
const char * name;
|
|
|
|
|
uint64_t usecs;
|
|
|
|
|
unsigned long run_count;
|
|
|
|
|
unsigned long match_count;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int sigelem_comp(const void * a, const void * b)
|
|
|
|
|
{
|
2015-06-01 14:32:04 -04:00
|
|
|
const struct sigperf_elem *ela = (const struct sigperf_elem *)a;
|
|
|
|
|
const struct sigperf_elem *elb = (const struct sigperf_elem *)b;
|
2014-09-16 15:56:56 -04:00
|
|
|
return elb->usecs/elb->run_count - ela->usecs/ela->run_count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cli_pcre_perf_print()
|
|
|
|
|
{
|
|
|
|
|
struct sigperf_elem stats[MAX_TRACKED_PCRE], *elem = stats;
|
|
|
|
|
int i, elems = 0, max_name_len = 0, name_len;
|
|
|
|
|
|
|
|
|
|
if (!p_sigid || !p_sigevents) {
|
|
|
|
|
cli_warnmsg("cli_pcre_perf_print: statistics requested but no PCREs were loaded!\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(stats, 0, sizeof(stats));
|
|
|
|
|
for (i=0;i<MAX_TRACKED_PCRE;i++) {
|
|
|
|
|
union ev_val val;
|
|
|
|
|
uint32_t count;
|
|
|
|
|
const char * name = cli_event_get_name(p_sigevents, i*PCRE_EVENTS_PER_SIG);
|
|
|
|
|
cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG, &val, &count);
|
|
|
|
|
if (!count) {
|
|
|
|
|
if (name)
|
|
|
|
|
cli_dbgmsg("No event triggered for %s\n", name);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (name)
|
|
|
|
|
name_len = strlen(name);
|
|
|
|
|
else
|
|
|
|
|
name_len = 0;
|
|
|
|
|
if (name_len > max_name_len)
|
|
|
|
|
max_name_len = name_len;
|
|
|
|
|
elem->name = name?name:"\"noname\"";
|
|
|
|
|
elem->usecs = val.v_int;
|
|
|
|
|
elem->run_count = count;
|
|
|
|
|
cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG+1, &val, &count);
|
|
|
|
|
elem->match_count = count;
|
|
|
|
|
elem++;
|
|
|
|
|
elems++;
|
|
|
|
|
}
|
2014-10-22 17:56:49 -04:00
|
|
|
if (max_name_len < strlen("PCRE Expression"))
|
|
|
|
|
max_name_len = strlen("PCRE Expression");
|
2014-09-11 12:27:52 -04:00
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
cli_qsort(stats, elems, sizeof(struct sigperf_elem), sigelem_comp);
|
|
|
|
|
|
|
|
|
|
elem = stats;
|
|
|
|
|
/* name runs matches microsecs avg */
|
|
|
|
|
cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "PCRE Expression",
|
|
|
|
|
8, "#runs", 8, "#matches", 12, "usecs total", 9, "usecs avg");
|
|
|
|
|
cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "===============",
|
|
|
|
|
8, "=====", 8, "========", 12, "===========", 9, "=========");
|
|
|
|
|
while (elem->run_count) {
|
|
|
|
|
cli_infomsg (NULL, "%-*s %*lu %*lu %*llu %*.2f\n", max_name_len, elem->name,
|
|
|
|
|
8, elem->run_count, 8, elem->match_count,
|
2016-02-22 13:26:15 -05:00
|
|
|
12, (long long unsigned)elem->usecs, 9, (double)elem->usecs/elem->run_count);
|
2014-09-16 15:56:56 -04:00
|
|
|
elem++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void cli_pcre_perf_events_destroy()
|
|
|
|
|
{
|
|
|
|
|
cli_events_free(p_sigevents);
|
|
|
|
|
p_sigid = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* PCRE MATCHER FUNCTIONS */
|
2015-08-21 12:43:26 -04:00
|
|
|
int cli_pcre_init()
|
|
|
|
|
{
|
|
|
|
|
return cli_pcre_init_internal();
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-09 13:23:29 -04:00
|
|
|
int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *trigger, const char *pattern, const char *cflags, const char *offset, const uint32_t *lsigid, unsigned int options)
|
2014-08-29 14:57:09 -04:00
|
|
|
{
|
|
|
|
|
struct cli_pcre_meta **newmetatable = NULL, *pm = NULL;
|
|
|
|
|
uint32_t pcre_count;
|
2014-09-02 17:22:22 -04:00
|
|
|
const char *opt;
|
2014-09-16 15:56:56 -04:00
|
|
|
int ret = CL_SUCCESS, rssigs;
|
2014-08-29 14:57:09 -04:00
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
if (!root || !trigger || !pattern || !offset) {
|
2014-09-16 17:54:58 -04:00
|
|
|
cli_errmsg("cli_pcre_addpatt: NULL root or NULL trigger or NULL pattern or NULL offset\n");
|
2014-08-29 14:57:09 -04:00
|
|
|
return CL_ENULLARG;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-18 13:54:57 -04:00
|
|
|
/* TODO: trigger and regex checking (backreference limitations?) (control pattern limitations?) */
|
2014-09-17 11:37:13 -04:00
|
|
|
/* cli_ac_chklsig will fail a empty trigger; empty patterns can cause an infinite loop */
|
|
|
|
|
if (*trigger == '\0' || *pattern == '\0') {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: trigger or pattern cannot be an empty string\n");
|
|
|
|
|
return CL_EMALFDB;
|
|
|
|
|
}
|
2014-09-17 16:37:14 -04:00
|
|
|
if (cflags && *cflags == '\0') {
|
|
|
|
|
cflags = NULL;
|
|
|
|
|
}
|
2014-09-17 11:37:13 -04:00
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
if (lsigid)
|
2014-09-18 21:03:09 -04:00
|
|
|
pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) as subsig %d for lsigid %d\n",
|
|
|
|
|
pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger, lsigid[1], lsigid[0]);
|
2014-09-16 17:54:58 -04:00
|
|
|
else
|
|
|
|
|
pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) [no lsigid]\n",
|
2014-09-18 21:03:09 -04:00
|
|
|
pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger);
|
2014-09-16 17:54:58 -04:00
|
|
|
|
2014-10-09 11:58:16 -04:00
|
|
|
#ifdef PCRE_BYPASS
|
|
|
|
|
/* check for trigger bypass */
|
|
|
|
|
if (strcmp(trigger, PCRE_BYPASS)) {
|
|
|
|
|
#endif
|
|
|
|
|
/* validate the lsig trigger */
|
|
|
|
|
rssigs = cli_ac_chklsig(trigger, trigger + strlen(trigger), NULL, NULL, NULL, 1);
|
|
|
|
|
if(rssigs == -1) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: regex subsig /%s/ is missing a valid logical trigger\n", pattern);
|
2014-09-11 12:27:52 -04:00
|
|
|
return CL_EMALFDB;
|
|
|
|
|
}
|
2014-10-09 11:58:16 -04:00
|
|
|
|
|
|
|
|
if (lsigid) {
|
|
|
|
|
if (rssigs > lsigid[1]) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger refers to subsequent subsig %d\n", lsigid[1], rssigs);
|
|
|
|
|
return CL_EMALFDB;
|
|
|
|
|
}
|
|
|
|
|
if (rssigs == lsigid[1]) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger is self-referential\n", lsigid[1]);
|
|
|
|
|
return CL_EMALFDB;
|
|
|
|
|
}
|
2014-09-11 12:27:52 -04:00
|
|
|
}
|
2014-10-09 11:58:16 -04:00
|
|
|
else {
|
|
|
|
|
cli_dbgmsg("cli_pcre_addpatt: regex subsig is missing lsigid data\n");
|
|
|
|
|
}
|
|
|
|
|
#ifdef PCRE_BYPASS
|
2014-09-03 16:17:41 -04:00
|
|
|
}
|
2014-10-09 11:58:16 -04:00
|
|
|
#endif
|
2014-08-29 14:57:09 -04:00
|
|
|
|
|
|
|
|
/* allocating entries */
|
|
|
|
|
pm = (struct cli_pcre_meta *)mpool_calloc(root->mempool, 1, sizeof(*pm));
|
|
|
|
|
if (!pm) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 14:11:09 -04:00
|
|
|
pm->trigger = cli_mpool_strdup(root->mempool, trigger);
|
2014-08-29 14:57:09 -04:00
|
|
|
if (!pm->trigger) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for trigger string\n");
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-08-29 14:57:09 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-23 14:11:09 -04:00
|
|
|
pm->virname = (char *)cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL);
|
2014-10-09 13:23:29 -04:00
|
|
|
if(!pm->virname) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for virname or NULL virname\n");
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-08-29 14:57:09 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-11 12:27:52 -04:00
|
|
|
if (lsigid) {
|
2014-10-09 13:23:29 -04:00
|
|
|
root->ac_lsigtable[lsigid[0]]->virname = pm->virname;
|
|
|
|
|
|
2014-09-11 12:27:52 -04:00
|
|
|
pm->lsigid[0] = 1;
|
|
|
|
|
pm->lsigid[1] = lsigid[0];
|
|
|
|
|
pm->lsigid[2] = lsigid[1];
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
/* sigtool */
|
|
|
|
|
pm->lsigid[0] = 0;
|
|
|
|
|
}
|
2014-08-29 14:57:09 -04:00
|
|
|
|
2014-10-09 13:23:29 -04:00
|
|
|
pm->pdata.expression = strdup(pattern);
|
|
|
|
|
if (!pm->pdata.expression) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for expression\n");
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-10-09 13:23:29 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* offset parsing and usage, similar to cli_ac_addsig */
|
2014-09-16 17:54:58 -04:00
|
|
|
/* relative and type-specific offsets handled during scan */
|
2014-09-09 17:14:12 -04:00
|
|
|
ret = cli_caloff(offset, NULL, root->type, pm->offdata, &(pm->offset_min), &(pm->offset_max));
|
|
|
|
|
if (ret != CL_SUCCESS) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: cannot calculate offset data: %s for pattern: %s\n", offset, pattern);
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-09-09 17:14:12 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
if(pm->offdata[0] != CLI_OFF_ANY) {
|
|
|
|
|
if(pm->offdata[0] == CLI_OFF_ABSOLUTE)
|
|
|
|
|
root->pcre_absoff_num++;
|
|
|
|
|
else
|
|
|
|
|
root->pcre_reloff_num++;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-02 17:22:22 -04:00
|
|
|
/* parse and add options, also totally not from snort */
|
|
|
|
|
if (cflags) {
|
|
|
|
|
opt = cflags;
|
|
|
|
|
|
|
|
|
|
/* cli_pcre_addoptions handles pcre specific options */
|
|
|
|
|
while (cli_pcre_addoptions(&(pm->pdata), &opt, 0) != CL_SUCCESS) {
|
2018-09-21 16:49:38 -04:00
|
|
|
/* it will return here to handle any matcher specific options */
|
2014-09-02 17:22:22 -04:00
|
|
|
switch (*opt) {
|
2014-09-03 00:27:15 -04:00
|
|
|
case 'g': pm->flags |= CLI_PCRE_GLOBAL; break;
|
2014-10-27 16:48:34 -04:00
|
|
|
case 'r': pm->flags |= CLI_PCRE_ROLLING; break;
|
2014-09-09 17:14:12 -04:00
|
|
|
case 'e': pm->flags |= CLI_PCRE_ENCOMPASS; break;
|
2014-09-02 17:22:22 -04:00
|
|
|
default:
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: unknown/extra pcre option encountered %c\n", *opt);
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-09-02 17:22:22 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return CL_EMALFDB;
|
|
|
|
|
}
|
|
|
|
|
opt++;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
if (pm->flags) {
|
2014-10-27 17:44:16 -04:00
|
|
|
pm_dbgmsg("Matcher: %s%s%s\n",
|
2014-10-27 16:48:34 -04:00
|
|
|
pm->flags & CLI_PCRE_GLOBAL ? "CLAMAV_GLOBAL " : "",
|
|
|
|
|
pm->flags & CLI_PCRE_ROLLING ? "CLAMAV_ROLLING " : "",
|
2014-09-16 17:54:58 -04:00
|
|
|
pm->flags & CLI_PCRE_ENCOMPASS ? "CLAMAV_ENCOMPASS " : "");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
pm_dbgmsg("Matcher: NONE\n");
|
|
|
|
|
|
|
|
|
|
if (pm->pdata.options) {
|
2016-02-08 11:28:42 -05:00
|
|
|
#if USING_PCRE2
|
|
|
|
|
pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n",
|
|
|
|
|
pm->pdata.options & PCRE2_CASELESS ? "PCRE2_CASELESS " : "",
|
|
|
|
|
pm->pdata.options & PCRE2_DOTALL ? "PCRE2_DOTALL " : "",
|
|
|
|
|
pm->pdata.options & PCRE2_MULTILINE ? "PCRE2_MULTILINE " : "",
|
|
|
|
|
pm->pdata.options & PCRE2_EXTENDED ? "PCRE2_EXTENDED " : "",
|
|
|
|
|
|
|
|
|
|
pm->pdata.options & PCRE2_ANCHORED ? "PCRE2_ANCHORED " : "",
|
|
|
|
|
pm->pdata.options & PCRE2_DOLLAR_ENDONLY ? "PCRE2_DOLLAR_ENDONLY " : "",
|
|
|
|
|
pm->pdata.options & PCRE2_UNGREEDY ? "PCRE2_UNGREEDY " : "");
|
|
|
|
|
#else
|
2014-09-16 17:54:58 -04:00
|
|
|
pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n",
|
|
|
|
|
pm->pdata.options & PCRE_CASELESS ? "PCRE_CASELESS " : "",
|
|
|
|
|
pm->pdata.options & PCRE_DOTALL ? "PCRE_DOTALL " : "",
|
|
|
|
|
pm->pdata.options & PCRE_MULTILINE ? "PCRE_MULTILINE " : "",
|
|
|
|
|
pm->pdata.options & PCRE_EXTENDED ? "PCRE_EXTENDED " : "",
|
|
|
|
|
|
|
|
|
|
pm->pdata.options & PCRE_ANCHORED ? "PCRE_ANCHORED " : "",
|
|
|
|
|
pm->pdata.options & PCRE_DOLLAR_ENDONLY ? "PCRE_DOLLAR_ENDONLY " : "",
|
|
|
|
|
pm->pdata.options & PCRE_UNGREEDY ? "PCRE_UNGREEDY " : "");
|
2016-02-08 11:28:42 -05:00
|
|
|
#endif
|
2014-09-16 17:54:58 -04:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
pm_dbgmsg("Compiler: NONE\n");
|
2014-09-02 17:22:22 -04:00
|
|
|
}
|
|
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
/* add metadata to the performance tracker */
|
|
|
|
|
if (options & CL_DB_PCRE_STATS)
|
2014-10-27 15:53:41 -04:00
|
|
|
pcre_perf_events_init(pm, virname);
|
2014-09-16 15:56:56 -04:00
|
|
|
|
2014-09-02 17:22:22 -04:00
|
|
|
/* add pcre data to root after reallocation */
|
2014-08-29 14:57:09 -04:00
|
|
|
pcre_count = root->pcre_metas+1;
|
|
|
|
|
newmetatable = (struct cli_pcre_meta **)mpool_realloc(root->mempool, root->pcre_metatable,
|
|
|
|
|
pcre_count * sizeof(struct cli_pcre_meta *));
|
|
|
|
|
if (!newmetatable) {
|
|
|
|
|
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta table\n");
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-08-29 14:57:09 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newmetatable[pcre_count-1] = pm;
|
|
|
|
|
root->pcre_metatable = newmetatable;
|
|
|
|
|
|
|
|
|
|
root->pcre_metas = pcre_count;
|
|
|
|
|
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
2014-08-22 14:39:17 -04:00
|
|
|
|
2014-09-23 13:43:55 -04:00
|
|
|
int cli_pcre_build(struct cli_matcher *root, long long unsigned match_limit, long long unsigned recmatch_limit, const struct cli_dconf *dconf)
|
2014-08-25 19:11:12 -04:00
|
|
|
{
|
2014-08-29 14:57:09 -04:00
|
|
|
unsigned int i;
|
|
|
|
|
int ret;
|
|
|
|
|
struct cli_pcre_meta *pm = NULL;
|
2014-10-10 11:11:28 -04:00
|
|
|
int disable_all = 0;
|
|
|
|
|
|
2014-10-22 16:08:36 -04:00
|
|
|
if (dconf && !(dconf->pcre & PCRE_CONF_SUPPORT))
|
2014-10-10 11:11:28 -04:00
|
|
|
disable_all = 1;
|
2014-08-29 14:57:09 -04:00
|
|
|
|
|
|
|
|
for (i = 0; i < root->pcre_metas; ++i) {
|
|
|
|
|
pm = root->pcre_metatable[i];
|
2014-10-09 11:18:19 -04:00
|
|
|
if (!pm) {
|
|
|
|
|
cli_errmsg("cli_pcre_build: metadata for pcre %d is missing\n", i);
|
|
|
|
|
return CL_ENULLARG;
|
|
|
|
|
}
|
2014-08-29 14:57:09 -04:00
|
|
|
|
2014-09-15 18:10:11 -04:00
|
|
|
/* for safety, disable all pcre */
|
|
|
|
|
if (disable_all) {
|
|
|
|
|
pm->flags |= CLI_PCRE_DISABLED;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pm->flags & CLI_PCRE_DISABLED) {
|
|
|
|
|
cli_dbgmsg("cli_pcre_build: Skip compiling regex: %s (disabled)\n", pm->pdata.expression);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-16 11:20:39 -04:00
|
|
|
/* disable global */
|
2014-10-10 11:11:28 -04:00
|
|
|
if (dconf && !(dconf->pcre & PCRE_CONF_GLOBAL)) {
|
2014-09-16 11:20:39 -04:00
|
|
|
cli_dbgmsg("cli_pcre_build: disabling global option for regex /%s/\n", pm->pdata.expression);
|
|
|
|
|
pm->flags &= ~(CLI_PCRE_GLOBAL);
|
|
|
|
|
}
|
2014-09-12 13:35:19 -04:00
|
|
|
|
|
|
|
|
/* options override through metadata manipulation */
|
2016-02-08 11:28:42 -05:00
|
|
|
#if USING_PCRE2
|
|
|
|
|
//pm->pdata.options |= PCRE2_NEVER_UTF; /* disables (?UTF*) potential security vuln */
|
|
|
|
|
//pm->pdata.options |= PCRE2_UCP;
|
|
|
|
|
//pm->pdata.options |= PCRE2_AUTO_CALLOUT; /* used with CALLOUT(-BACK) function */
|
|
|
|
|
#else
|
|
|
|
|
//pm->pdata.options |= PCRE_NEVER_UTF; /* implemented in 8.33, disables (?UTF*) potential security vuln */
|
2014-09-12 13:35:19 -04:00
|
|
|
//pm->pdata.options |= PCRE_UCP;/* implemented in 8.20 */
|
|
|
|
|
//pm->pdata.options |= PCRE_AUTO_CALLOUT; /* used with CALLOUT(-BACK) function */
|
2016-02-08 11:28:42 -05:00
|
|
|
#endif
|
2014-09-12 13:35:19 -04:00
|
|
|
|
2014-10-10 11:11:28 -04:00
|
|
|
if (dconf && (dconf->pcre & PCRE_CONF_OPTIONS)) {
|
2014-09-16 11:20:39 -04:00
|
|
|
/* compile the regex, no options override *wink* */
|
2014-09-16 17:54:58 -04:00
|
|
|
pm_dbgmsg("cli_pcre_build: Compiling regex: /%s/\n", pm->pdata.expression);
|
2014-09-16 11:20:39 -04:00
|
|
|
ret = cli_pcre_compile(&(pm->pdata), match_limit, recmatch_limit, 0, 0);
|
|
|
|
|
}
|
|
|
|
|
else {
|
2016-10-19 15:57:45 -04:00
|
|
|
/* compile the regex, options overridden and disabled */
|
2014-09-16 17:54:58 -04:00
|
|
|
pm_dbgmsg("cli_pcre_build: Compiling regex: /%s/ (without options)\n", pm->pdata.expression);
|
2014-09-16 11:20:39 -04:00
|
|
|
ret = cli_pcre_compile(&(pm->pdata), match_limit, recmatch_limit, 0, 1);
|
|
|
|
|
}
|
|
|
|
|
if (ret != CL_SUCCESS) {
|
2014-09-15 18:10:11 -04:00
|
|
|
cli_errmsg("cli_pcre_build: failed to build pcre regex\n");
|
2014-09-16 17:54:58 -04:00
|
|
|
pm->flags |= CLI_PCRE_DISABLED; /* disable the pcre, currently will terminate execution */
|
2014-08-25 19:11:12 -04:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-28 10:33:20 -04:00
|
|
|
/* TODO - handle VI and Macro offset types */
|
2014-09-15 18:10:11 -04:00
|
|
|
int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx)
|
2014-09-09 17:14:12 -04:00
|
|
|
{
|
2014-09-11 12:43:04 -04:00
|
|
|
/* TANGENT: maintain relative offset data in cli_ac_data? */
|
2014-09-09 17:14:12 -04:00
|
|
|
int ret;
|
|
|
|
|
unsigned int i;
|
|
|
|
|
struct cli_pcre_meta *pm;
|
|
|
|
|
uint32_t endoff;
|
|
|
|
|
|
2014-09-09 17:27:17 -04:00
|
|
|
if (!data) {
|
|
|
|
|
return CL_ENULLARG;
|
|
|
|
|
}
|
2014-09-15 18:10:11 -04:00
|
|
|
|
2014-10-10 11:11:28 -04:00
|
|
|
if (!root || !root->pcre_metatable || !info || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) {
|
2014-09-09 17:27:17 -04:00
|
|
|
data->shift = NULL;
|
|
|
|
|
data->offset = NULL;
|
2014-09-09 17:14:12 -04:00
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* allocate data structures */
|
|
|
|
|
data->shift = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t));
|
|
|
|
|
if (!data->shift) {
|
|
|
|
|
cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->shift\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
data->offset = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t));
|
|
|
|
|
if (!data->offset) {
|
|
|
|
|
cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->offset\n");
|
|
|
|
|
free(data->shift);
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-27 11:35:21 -04:00
|
|
|
pm_dbgmsg("CLI_OFF_NONE: %u\n", CLI_OFF_NONE);
|
|
|
|
|
pm_dbgmsg("CLI_OFF_ANY: %u\n", CLI_OFF_ANY);
|
|
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* iterate across all pcre metadata and recalc offsets */
|
|
|
|
|
for (i = 0; i < root->pcre_metas; ++i) {
|
|
|
|
|
pm = root->pcre_metatable[i];
|
|
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
/* skip broken pcres, not getting executed anyways */
|
2014-09-15 18:10:11 -04:00
|
|
|
if (pm->flags & CLI_PCRE_DISABLED) {
|
|
|
|
|
data->offset[i] = CLI_OFF_NONE;
|
2014-10-27 11:35:21 -04:00
|
|
|
data->shift[i] = 0;
|
2014-09-15 18:10:11 -04:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
if (pm->offdata[0] == CLI_OFF_ANY) {
|
2014-10-27 16:48:34 -04:00
|
|
|
data->offset[i] = CLI_OFF_ANY;
|
2014-09-09 17:14:12 -04:00
|
|
|
data->shift[i] = 0;
|
|
|
|
|
}
|
2014-10-27 11:35:21 -04:00
|
|
|
else if (pm->offdata[0] == CLI_OFF_NONE) {
|
|
|
|
|
data->offset[i] = CLI_OFF_NONE;
|
|
|
|
|
data->shift[i] = 0;
|
2014-09-09 17:14:12 -04:00
|
|
|
}
|
2014-10-27 11:35:21 -04:00
|
|
|
else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) {
|
2014-09-09 17:14:12 -04:00
|
|
|
data->offset[i] = pm->offdata[1];
|
|
|
|
|
data->shift[i] = pm->offdata[2];
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
ret = cli_caloff(NULL, info, root->type, pm->offdata, &data->offset[i], &endoff);
|
|
|
|
|
if (ret != CL_SUCCESS) {
|
2014-09-11 12:27:52 -04:00
|
|
|
cli_errmsg("cli_pcre_recaloff: cannot recalculate relative offset for signature\n");
|
2014-09-09 17:14:12 -04:00
|
|
|
free(data->shift);
|
|
|
|
|
free(data->offset);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2014-10-27 11:35:21 -04:00
|
|
|
/* CLI_OFF_NONE gets passed down, CLI_OFF_ANY gets reinterpreted */
|
|
|
|
|
/* TODO - CLI_OFF_VERSION is interpreted as CLI_OFF_ANY(?) */
|
|
|
|
|
if (data->offset[i] == CLI_OFF_ANY) {
|
2014-10-27 16:48:34 -04:00
|
|
|
data->offset[i] = CLI_OFF_ANY;
|
2014-10-27 11:35:21 -04:00
|
|
|
data->shift[i] = 0;
|
2014-10-27 16:48:34 -04:00
|
|
|
}
|
|
|
|
|
else {
|
2014-10-27 11:35:21 -04:00
|
|
|
data->shift[i] = endoff-(data->offset[i]);
|
|
|
|
|
}
|
2014-09-09 17:14:12 -04:00
|
|
|
}
|
2014-10-27 11:35:21 -04:00
|
|
|
|
|
|
|
|
pm_dbgmsg("%u: %u %u->%u(+%u)\n", i, pm->offdata[0], data->offset[i],
|
|
|
|
|
data->offset[i]+data->shift[i], data->shift[i]);
|
2014-09-09 17:14:12 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cli_pcre_freeoff(struct cli_pcre_off *data)
|
|
|
|
|
{
|
2014-09-09 17:27:17 -04:00
|
|
|
if (data) {
|
|
|
|
|
free(data->offset);
|
|
|
|
|
data->offset = NULL;
|
|
|
|
|
free(data->shift);
|
|
|
|
|
data->shift = NULL;
|
|
|
|
|
}
|
2014-09-09 17:14:12 -04:00
|
|
|
}
|
|
|
|
|
|
2014-10-27 11:35:21 -04:00
|
|
|
int cli_pcre_qoff(struct cli_pcre_meta *pm, uint32_t length, uint32_t *adjbuffer, uint32_t *adjshift)
|
|
|
|
|
{
|
|
|
|
|
if (!pm)
|
|
|
|
|
return CL_ENULLARG;
|
|
|
|
|
|
|
|
|
|
/* default to scanning whole buffer but try to use existing offdata */
|
|
|
|
|
if (pm->offdata[0] == CLI_OFF_NONE) {
|
|
|
|
|
return CL_BREAK;
|
|
|
|
|
}
|
2014-10-27 16:48:34 -04:00
|
|
|
else if (pm->offdata[0] == CLI_OFF_ANY) {
|
|
|
|
|
*adjbuffer = CLI_OFF_ANY;
|
|
|
|
|
*adjshift = 0;
|
|
|
|
|
}
|
2014-10-27 11:35:21 -04:00
|
|
|
else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) {
|
|
|
|
|
*adjbuffer = pm->offdata[1];
|
|
|
|
|
*adjshift = pm->offdata[2];
|
|
|
|
|
}
|
|
|
|
|
else if (pm->offdata[0] == CLI_OFF_EOF_MINUS) {
|
|
|
|
|
*adjbuffer = length - pm->offdata[1];
|
|
|
|
|
*adjshift = pm->offdata[2];
|
|
|
|
|
}
|
|
|
|
|
else {
|
2014-10-28 10:33:20 -04:00
|
|
|
/* all relative offsets */
|
|
|
|
|
/* TODO - check if relative offsets apply for normal hex substrs */
|
2014-10-27 11:35:21 -04:00
|
|
|
*adjbuffer = 0;
|
|
|
|
|
*adjshift = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-03 15:28:09 -04:00
|
|
|
int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, const struct cli_pcre_off *data, cli_ctx *ctx)
|
2014-08-22 14:39:17 -04:00
|
|
|
{
|
2014-08-29 14:57:09 -04:00
|
|
|
struct cli_pcre_meta **metatable = root->pcre_metatable, *pm = NULL;
|
|
|
|
|
struct cli_pcre_data *pd;
|
2016-02-08 11:28:42 -05:00
|
|
|
struct cli_pcre_results p_res;
|
2014-09-11 12:27:52 -04:00
|
|
|
struct cli_ac_result *newres;
|
2014-09-09 17:14:12 -04:00
|
|
|
uint32_t adjbuffer, adjshift, adjlength;
|
2015-08-17 12:59:09 -04:00
|
|
|
unsigned int i, evalcnt = 0;
|
|
|
|
|
uint64_t maxfilesize, evalids = 0;
|
2014-10-27 16:48:34 -04:00
|
|
|
uint32_t global, encompass, rolling;
|
2017-12-21 14:39:01 -05:00
|
|
|
int rc = 0, offset = 0, ret = CL_SUCCESS, options=0;
|
2015-06-03 15:28:09 -04:00
|
|
|
uint8_t viruses_found = 0;
|
2014-08-22 17:29:40 -04:00
|
|
|
|
2016-02-08 11:28:42 -05:00
|
|
|
if ((root->pcre_metas == 0) || (!root->pcre_metatable) || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT)))
|
2014-09-09 17:14:12 -04:00
|
|
|
return CL_SUCCESS;
|
|
|
|
|
|
2016-02-08 11:28:42 -05:00
|
|
|
memset(&p_res, 0, sizeof(p_res));
|
2014-09-19 02:39:52 -04:00
|
|
|
|
2014-08-29 14:57:09 -04:00
|
|
|
for (i = 0; i < root->pcre_metas; ++i) {
|
2018-09-21 16:49:38 -04:00
|
|
|
|
2014-08-29 14:57:09 -04:00
|
|
|
pm = root->pcre_metatable[i];
|
2014-08-29 15:56:53 -04:00
|
|
|
pd = &(pm->pdata);
|
2014-08-22 17:29:40 -04:00
|
|
|
|
2014-09-15 18:10:11 -04:00
|
|
|
/* skip checking and running disabled pcres */
|
|
|
|
|
if (pm->flags & CLI_PCRE_DISABLED) {
|
|
|
|
|
cli_dbgmsg("cli_pcre_scanbuf: skipping disabled regex /%s/\n", pd->expression);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-27 11:35:21 -04:00
|
|
|
/* skip checking and running CLI_OFF_NONE pcres */
|
|
|
|
|
if (data && data->offset[i] == CLI_OFF_NONE) {
|
|
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: skipping CLI_OFF_NONE regex /%s/\n", pd->expression);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
/* evaluate trigger */
|
2014-09-11 12:27:52 -04:00
|
|
|
if (pm->lsigid[0]) {
|
2017-10-11 12:10:51 -04:00
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: checking %s; running regex /%s/\n", pm->trigger, pd->expression);
|
2014-10-09 11:58:16 -04:00
|
|
|
#ifdef PCRE_BYPASS
|
|
|
|
|
if (strcmp(pm->trigger, PCRE_BYPASS))
|
|
|
|
|
#endif
|
|
|
|
|
if (cli_ac_chklsig(pm->trigger, pm->trigger + strlen(pm->trigger), mdata->lsigcnt[pm->lsigid[1]], &evalcnt, &evalids, 0) != 1)
|
|
|
|
|
continue;
|
2014-09-11 12:27:52 -04:00
|
|
|
}
|
|
|
|
|
else {
|
2016-10-19 15:57:45 -04:00
|
|
|
cli_dbgmsg("cli_pcre_scanbuf: skipping %s check due to uninitialized lsigid\n", pm->trigger);
|
2014-09-16 17:54:58 -04:00
|
|
|
/* fall-through to unconditional execution - sigtool-only */
|
2014-09-11 12:27:52 -04:00
|
|
|
}
|
2014-08-29 14:57:09 -04:00
|
|
|
|
2014-10-27 16:48:34 -04:00
|
|
|
global = (pm->flags & CLI_PCRE_GLOBAL); /* globally search for all matches (within bounds) */
|
2014-09-09 17:14:12 -04:00
|
|
|
encompass = (pm->flags & CLI_PCRE_ENCOMPASS); /* encompass search to offset->offset+maxshift */
|
2014-10-27 16:48:34 -04:00
|
|
|
rolling = (pm->flags & CLI_PCRE_ROLLING); /* rolling search (unanchored) */
|
2014-09-09 17:14:12 -04:00
|
|
|
offset = pd->search_offset; /* this is usually 0 */
|
2014-08-22 17:29:40 -04:00
|
|
|
|
2017-10-11 12:10:51 -04:00
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: triggered %s; running regex /%s/%s%s\n", pm->trigger, pd->expression,
|
2014-10-27 16:48:34 -04:00
|
|
|
global ? " (global)":"", rolling ? " (rolling)":"");
|
2014-08-22 17:29:40 -04:00
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* adjust the buffer sent to cli_pcre_match for offset and maxshift */
|
|
|
|
|
if (!data) {
|
2014-10-27 11:35:21 -04:00
|
|
|
if (cli_pcre_qoff(pm, length, &adjbuffer, &adjshift) != CL_SUCCESS)
|
|
|
|
|
continue;
|
2014-09-09 17:14:12 -04:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
adjbuffer = data->offset[i];
|
|
|
|
|
adjshift = data->shift[i];
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-27 16:48:34 -04:00
|
|
|
/* check for need to anchoring */
|
|
|
|
|
if (!rolling && !adjshift && (adjbuffer != CLI_OFF_ANY))
|
2016-02-08 11:28:42 -05:00
|
|
|
#if USING_PCRE2
|
|
|
|
|
options |= PCRE2_ANCHORED;
|
|
|
|
|
#else
|
2014-10-27 16:48:34 -04:00
|
|
|
options |= PCRE_ANCHORED;
|
2016-02-08 11:28:42 -05:00
|
|
|
#endif
|
2014-10-27 16:48:34 -04:00
|
|
|
else
|
|
|
|
|
options = 0;
|
|
|
|
|
|
|
|
|
|
if (adjbuffer == CLI_OFF_ANY)
|
|
|
|
|
adjbuffer = 0;
|
|
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* check the offset bounds */
|
|
|
|
|
if (adjbuffer < length) {
|
|
|
|
|
/* handle encompass flag */
|
|
|
|
|
if (encompass && adjshift != 0 && adjshift != CLI_OFF_NONE) {
|
|
|
|
|
if (adjbuffer+adjshift > length)
|
|
|
|
|
adjlength = length - adjbuffer;
|
|
|
|
|
else
|
|
|
|
|
adjlength = adjshift;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2014-10-27 11:35:21 -04:00
|
|
|
/* NOTE - if using non-encompass method 2, alter shift universally */
|
2014-10-28 10:33:20 -04:00
|
|
|
/* TODO - limitations on non-encompassed buffers? */
|
2014-09-09 17:14:12 -04:00
|
|
|
adjlength = length - adjbuffer;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
2014-10-27 16:48:34 -04:00
|
|
|
/* starting offset is outside bounds of file, skip pcre execution silently */
|
|
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: starting offset is outside bounds of file %u >= %u\n", adjbuffer, length);
|
2014-09-09 17:14:12 -04:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-16 17:54:58 -04:00
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: passed buffer adjusted to %u +%u(%u)[%u]%s\n", adjbuffer, adjlength, adjbuffer+adjlength, adjshift, encompass ? " (encompass)":"");
|
2014-09-09 17:14:12 -04:00
|
|
|
|
2014-09-23 13:31:47 -04:00
|
|
|
/* if the global flag is set, loop through the scanning */
|
2014-09-03 00:27:15 -04:00
|
|
|
do {
|
2016-02-08 11:28:42 -05:00
|
|
|
/* reset the match results */
|
|
|
|
|
if ((ret = cli_pcre_results_reset(&p_res, pd)) != CL_SUCCESS)
|
|
|
|
|
break;
|
|
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
/* performance metrics */
|
|
|
|
|
cli_event_time_start(p_sigevents, pm->sigtime_id);
|
2016-02-08 11:28:42 -05:00
|
|
|
rc = cli_pcre_match(pd, buffer+adjbuffer, adjlength, offset, options, &p_res);
|
2014-09-16 15:56:56 -04:00
|
|
|
cli_event_time_stop(p_sigevents, pm->sigtime_id);
|
2014-09-16 12:33:50 -04:00
|
|
|
/* if debug, generate a match report */
|
|
|
|
|
if (cli_debug_flag)
|
2016-02-08 11:28:42 -05:00
|
|
|
cli_pcre_report(pd, buffer+adjbuffer, adjlength, rc, &p_res);
|
2014-08-28 13:13:05 -04:00
|
|
|
|
2014-09-03 00:27:15 -04:00
|
|
|
/* matched, rc shouldn't be >0 unless a full match occurs */
|
|
|
|
|
if (rc > 0) {
|
2016-02-08 11:28:42 -05:00
|
|
|
cli_dbgmsg("cli_pcre_scanbuf: located regex match @ %d\n", adjbuffer+p_res.match[0]);
|
2015-06-03 15:28:09 -04:00
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* check if we've gone over offset+shift */
|
|
|
|
|
if (!encompass && adjshift) {
|
2016-02-08 11:28:42 -05:00
|
|
|
if (p_res.match[0] > adjshift) {
|
2014-09-09 17:14:12 -04:00
|
|
|
/* ignore matched offset (outside of maxshift) */
|
2016-02-08 11:28:42 -05:00
|
|
|
cli_dbgmsg("cli_pcre_scanbuf: match found outside of maxshift @%u\n", adjbuffer+p_res.match[0]);
|
2014-09-09 17:14:12 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-16 15:56:56 -04:00
|
|
|
/* track the detection count */
|
|
|
|
|
cli_event_count(p_sigevents, pm->sigmatch_id);
|
|
|
|
|
|
2014-09-11 12:27:52 -04:00
|
|
|
/* for logical signature evaluation */
|
2018-09-21 16:49:38 -04:00
|
|
|
|
2014-09-11 12:27:52 -04:00
|
|
|
if (pm->lsigid[0]) {
|
2014-09-16 17:54:58 -04:00
|
|
|
pm_dbgmsg("cli_pcre_scanbuf: assigning lsigcnt[%d][%d], located @ %d\n",
|
2016-02-08 11:28:42 -05:00
|
|
|
pm->lsigid[1], pm->lsigid[2], adjbuffer+p_res.match[0]);
|
2014-09-03 00:27:15 -04:00
|
|
|
|
2016-02-08 11:28:42 -05:00
|
|
|
ret = lsig_sub_matched(root, mdata, pm->lsigid[1], pm->lsigid[2], adjbuffer+p_res.match[0], 0);
|
2018-09-21 16:49:38 -04:00
|
|
|
if (ret != CL_SUCCESS) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-06-03 15:28:09 -04:00
|
|
|
} else {
|
|
|
|
|
/* for raw match data - sigtool only */
|
|
|
|
|
if(res) {
|
|
|
|
|
newres = (struct cli_ac_result *)cli_calloc(1, sizeof(struct cli_ac_result));
|
|
|
|
|
if(!newres) {
|
2015-08-17 17:52:50 -04:00
|
|
|
cli_errmsg("cli_pcre_scanbuff: Can't allocate memory for new result\n");
|
2016-02-08 11:28:42 -05:00
|
|
|
ret = CL_EMEM;
|
|
|
|
|
break;
|
2015-06-03 15:28:09 -04:00
|
|
|
}
|
|
|
|
|
newres->virname = pm->virname;
|
|
|
|
|
newres->customdata = NULL; /* get value? */
|
|
|
|
|
newres->next = *res;
|
2016-02-08 11:28:42 -05:00
|
|
|
newres->offset = adjbuffer+p_res.match[0];
|
2015-06-03 15:28:09 -04:00
|
|
|
*res = newres;
|
|
|
|
|
} else {
|
2017-04-18 12:03:36 -04:00
|
|
|
ret = CL_CLEAN;
|
|
|
|
|
viruses_found = 1;
|
|
|
|
|
if (ctx)
|
|
|
|
|
ret = cli_append_virus(ctx, (const char *)pm->virname);
|
2015-06-03 15:28:09 -04:00
|
|
|
if (virname)
|
|
|
|
|
*virname = pm->virname;
|
2018-07-20 22:28:48 -04:00
|
|
|
if (!ctx || !SCAN_ALLMATCHES)
|
2017-04-18 12:03:36 -04:00
|
|
|
if (ret != CL_CLEAN)
|
|
|
|
|
break;
|
2014-09-11 12:27:52 -04:00
|
|
|
}
|
|
|
|
|
}
|
2014-09-03 00:27:15 -04:00
|
|
|
}
|
|
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
/* move off to the end of the match for next match; offset is relative to adjbuffer
|
2014-09-16 17:54:58 -04:00
|
|
|
* NOTE: misses matches starting within the last match; TODO: start from start of last match? */
|
2016-02-08 11:28:42 -05:00
|
|
|
offset = p_res.match[1];
|
2018-08-15 17:04:25 -04:00
|
|
|
|
2014-09-09 17:14:12 -04:00
|
|
|
} while (global && rc > 0 && offset < adjlength);
|
2014-09-03 00:27:15 -04:00
|
|
|
|
2016-02-08 11:28:42 -05:00
|
|
|
/* handle error code */
|
2018-09-21 16:49:38 -04:00
|
|
|
if (rc < 0 && p_res.err != CL_SUCCESS) {
|
2016-02-08 11:28:42 -05:00
|
|
|
ret = p_res.err;
|
2018-09-21 16:49:38 -04:00
|
|
|
}
|
2016-02-08 11:28:42 -05:00
|
|
|
|
|
|
|
|
/* jumps out of main loop from 'global' loop */
|
2018-09-21 16:49:38 -04:00
|
|
|
if (ret != CL_SUCCESS) {
|
2016-02-08 11:28:42 -05:00
|
|
|
break;
|
2018-09-21 16:49:38 -04:00
|
|
|
}
|
2014-08-22 17:29:40 -04:00
|
|
|
}
|
|
|
|
|
|
2016-02-08 11:28:42 -05:00
|
|
|
/* free match results */
|
|
|
|
|
cli_pcre_results_free(&p_res);
|
|
|
|
|
|
|
|
|
|
if (ret == CL_SUCCESS && viruses_found)
|
2015-06-03 15:28:09 -04:00
|
|
|
return CL_VIRUS;
|
2016-02-08 11:28:42 -05:00
|
|
|
return ret;
|
2014-08-22 14:39:17 -04:00
|
|
|
}
|
|
|
|
|
|
2015-07-23 14:11:09 -04:00
|
|
|
void cli_pcre_freemeta(struct cli_matcher *root, struct cli_pcre_meta *pm)
|
2014-08-29 14:57:09 -04:00
|
|
|
{
|
|
|
|
|
if (!pm)
|
|
|
|
|
return;
|
|
|
|
|
|
2014-10-09 13:23:29 -04:00
|
|
|
if (pm->trigger) {
|
2015-07-23 14:11:09 -04:00
|
|
|
mpool_free(root->mempool, pm->trigger);
|
2014-10-09 13:23:29 -04:00
|
|
|
pm->trigger = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pm->virname) {
|
2015-07-23 14:11:09 -04:00
|
|
|
mpool_free(root->mempool, pm->virname);
|
2014-10-09 13:23:29 -04:00
|
|
|
pm->virname = NULL;
|
|
|
|
|
}
|
2014-08-29 14:57:09 -04:00
|
|
|
|
2014-10-27 15:53:41 -04:00
|
|
|
if (pm->statname) {
|
2016-01-14 17:01:01 -05:00
|
|
|
free(pm->statname);
|
2014-10-27 15:53:41 -04:00
|
|
|
pm->statname = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-29 14:57:09 -04:00
|
|
|
cli_pcre_free_single(&(pm->pdata));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cli_pcre_freetable(struct cli_matcher *root)
|
|
|
|
|
{
|
|
|
|
|
uint32_t i;
|
|
|
|
|
struct cli_pcre_meta *pm = NULL;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < root->pcre_metas; ++i) {
|
2014-09-16 17:54:58 -04:00
|
|
|
/* free pcre meta */
|
2014-08-29 14:57:09 -04:00
|
|
|
pm = root->pcre_metatable[i];
|
2015-07-23 14:11:09 -04:00
|
|
|
cli_pcre_freemeta(root, pm);
|
2014-08-29 14:57:09 -04:00
|
|
|
mpool_free(root->mempool, pm);
|
|
|
|
|
}
|
2014-08-22 14:39:17 -04:00
|
|
|
|
2014-08-29 14:57:09 -04:00
|
|
|
/* free holding structures and set count to zero */
|
|
|
|
|
mpool_free(root->mempool, root->pcre_metatable);
|
|
|
|
|
root->pcre_metatable = NULL;
|
|
|
|
|
root->pcre_metas = 0;
|
2014-08-22 14:39:17 -04:00
|
|
|
}
|
2014-09-16 15:56:56 -04:00
|
|
|
|
2014-09-18 14:10:12 -04:00
|
|
|
#else
|
|
|
|
|
/* NO-PCRE FUNCTIONS */
|
2015-08-21 12:43:26 -04:00
|
|
|
void cli_pcre_perf_print()
|
|
|
|
|
{
|
|
|
|
|
cli_errmsg("cli_pcre_perf_print: Cannot print PCRE performance results without PCRE support\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cli_pcre_perf_events_destroy()
|
|
|
|
|
{
|
|
|
|
|
cli_errmsg("cli_pcre_perf_events_destroy: Cannot destroy PCRE performance results without PCRE support\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cli_pcre_init()
|
|
|
|
|
{
|
|
|
|
|
cli_errmsg("cli_pcre_init: Cannot initialize PCRE without PCRE support\n");
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cli_pcre_build(struct cli_matcher *root, long long unsigned match_limit, long long unsigned recmatch_limit, const struct cli_dconf *dconf)
|
|
|
|
|
{
|
|
|
|
|
UNUSEDPARAM(root);
|
|
|
|
|
UNUSEDPARAM(match_limit);
|
|
|
|
|
UNUSEDPARAM(recmatch_limit);
|
|
|
|
|
UNUSEDPARAM(dconf);
|
|
|
|
|
|
|
|
|
|
cli_errmsg("cli_pcre_build: Cannot build PCRE expression without PCRE support\n");
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, const struct cli_pcre_off *data, cli_ctx *ctx)
|
|
|
|
|
{
|
|
|
|
|
UNUSEDPARAM(buffer);
|
|
|
|
|
UNUSEDPARAM(length);
|
|
|
|
|
UNUSEDPARAM(virname);
|
|
|
|
|
UNUSEDPARAM(res);
|
|
|
|
|
UNUSEDPARAM(root);
|
|
|
|
|
UNUSEDPARAM(mdata);
|
|
|
|
|
UNUSEDPARAM(data);
|
|
|
|
|
UNUSEDPARAM(ctx);
|
|
|
|
|
|
|
|
|
|
cli_errmsg("cli_pcre_scanbuf: Cannot scan buffer with PCRE expression without PCRE support\n");
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-18 14:10:12 -04:00
|
|
|
int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx)
|
|
|
|
|
{
|
|
|
|
|
UNUSEDPARAM(root);
|
|
|
|
|
UNUSEDPARAM(info);
|
|
|
|
|
UNUSEDPARAM(ctx);
|
|
|
|
|
if (data) {
|
|
|
|
|
data->offset = NULL;
|
|
|
|
|
data->shift = NULL;
|
|
|
|
|
}
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cli_pcre_freeoff(struct cli_pcre_off *data)
|
|
|
|
|
{
|
|
|
|
|
UNUSEDPARAM(data);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-25 15:07:30 -04:00
|
|
|
#endif /* HAVE_PCRE */
|
