2018-09-21 16:49:38 -04:00
|
|
|
/*
|
|
|
|
|
* Support for matcher using byte compare
|
|
|
|
|
*
|
2025-02-14 10:24:30 -05:00
|
|
|
* Copyright (C) 2018-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2018-09-21 16:49:38 -04:00
|
|
|
*
|
|
|
|
|
* Authors: Mickey Sola
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __MATCHER_BCOMP_H
|
|
|
|
|
#define __MATCHER_BCOMP_H
|
|
|
|
|
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
2018-12-05 20:46:20 -05:00
|
|
|
#include "clamav-types.h"
|
2018-09-21 16:49:38 -04:00
|
|
|
#include "dconf.h"
|
|
|
|
|
#include "mpool.h"
|
|
|
|
|
|
2018-09-26 16:40:28 -04:00
|
|
|
#define CLI_BCOMP_MAX_BIN_BLEN 8
|
2018-10-08 13:18:09 -04:00
|
|
|
#define CLI_BCOMP_MAX_HEX_BLEN 18
|
2018-09-26 16:40:28 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
#define CLI_BCOMP_HEX 0x0001
|
|
|
|
|
#define CLI_BCOMP_DEC 0x0002
|
|
|
|
|
#define CLI_BCOMP_BIN 0x0004
|
|
|
|
|
#define CLI_BCOMP_AUTO 0x0008
|
|
|
|
|
#define CLI_BCOMP_LE 0x0010
|
|
|
|
|
#define CLI_BCOMP_BE 0x0020
|
2018-09-26 16:40:28 -04:00
|
|
|
#define CLI_BCOMP_EXACT 0x0100
|
2018-09-21 16:49:38 -04:00
|
|
|
|
|
|
|
|
struct cli_bcomp_meta {
|
2018-09-27 19:37:04 -04:00
|
|
|
uint16_t ref_subsigid; /* identifies the dependent subsig from which we will do comparisons */
|
2018-09-21 16:49:38 -04:00
|
|
|
uint32_t lsigid[3];
|
2018-12-03 12:40:13 -05:00
|
|
|
ssize_t offset; /* offset from the referenced subsig, handled at match-time */
|
2018-09-21 16:49:38 -04:00
|
|
|
uint16_t options; /* bitmask */
|
|
|
|
|
size_t byte_len;
|
2018-09-27 19:37:04 -04:00
|
|
|
struct cli_bcomp_comp **comps;
|
|
|
|
|
uint32_t comp_count;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* each byte compare subsig can perform multiple comparisons on the same extracted byte sequence */
|
|
|
|
|
struct cli_bcomp_comp {
|
2018-09-21 16:49:38 -04:00
|
|
|
char comp_symbol; /* <, >, = are supported */
|
2018-09-26 19:14:14 -04:00
|
|
|
int64_t comp_value;
|
2018-09-21 16:49:38 -04:00
|
|
|
};
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
cl_error_t cli_bcomp_addpatt(struct cli_matcher *root, const char *virname, const char *hexsig, const uint32_t *lsigid, unsigned int options);
|
Fix byte-compare subsignature premature alert
The byte compare feature in logical signatures will cause the rule to
alert if it successfully matches regardless of the rest of the logical
signature.
An easy way to test this is with a logical signature that has two
bcomp subsignatures and requires both to match for the rule to alert.
In the following example, we have 4 signatures where
- the first will match both bcomp subsigs.
- the second will match neither.
- the last two match just one bcomp subsig.
In an --allmatch test, you'll find that the 3 of these match, with the
first one matching *twice*, once for each bcomp subsig.
test.ldb:
```
bcomp.both;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=123);4242;2(>>5#hb2#=255)
bcomp.neither;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=124);4242;2(>>5#hb2#=254)
bcomp.second;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=124);4242;2(>>5#hb2#=255)
bcomp.first;Engine:51-255,Target:0;0&1&2&3;4141;0(>>5#hb2#=123);4242;2(>>5#hb2#=254)
```
test.sample:
```
AA = 7B; BB = FF
```
You can also try a similar test to compare the behavior with regular
ac-pattern-match subsigs with this lsig-test.ldb:
```
pattern.both;Engine:51-255,Target:0;0&1;4141;4242
pattern.neither;Engine:51-255,Target:0;0&1;4140;4241
pattern.second;Engine:51-255,Target:0;0&1;4140;4242
pattern.first;Engine:51-255,Target:0;0&1;4141;4241
```
This commit fixes the issue by incrementing the logical subsignature
count for each bcomp subsig match instead of appending an alert for
each bcomp match.
Also removed call to `lsig_sub_matched()` that didn't do anything.
2022-02-03 16:06:05 -08:00
|
|
|
cl_error_t cli_bcomp_scanbuf(const unsigned char *buffer, size_t buffer_length, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, cli_ctx *ctx);
|
2018-10-23 15:28:50 -04:00
|
|
|
cl_error_t cli_bcomp_compare_check(const unsigned char *f_buffer, size_t buffer_length, int offset, struct cli_bcomp_meta *bm);
|
2018-09-21 16:49:38 -04:00
|
|
|
void cli_bcomp_freemeta(struct cli_matcher *root, struct cli_bcomp_meta *bm);
|
2018-12-03 12:40:13 -05:00
|
|
|
uint16_t cli_bcomp_chk_hex(const unsigned char *buffer, uint16_t opt, uint32_t len, uint32_t check_only);
|
|
|
|
|
unsigned char *cli_bcomp_normalize_buffer(const unsigned char *buffer, uint32_t byte_len, uint32_t *pad_len, uint16_t opt, uint16_t whitespace_only);
|
2018-09-21 16:49:38 -04:00
|
|
|
|
|
|
|
|
#endif
|