Hi, I'm deeply embarrassed - there's been an ugly copy-past bug in there. Anyway here's the fix and basic unit tests. Balint commit 1694aadde10537156efbedb13f0783c2fe85b812 Author: Balint Kovacs <blint@balabit.hu> Date: Mon Nov 28 08:29:57 2011 +0100 [dbparser] SET parser erroneous reference fix and unit tests Reported-By: Evan Rempel <erempel@uvic.ca> Signed-Off-By: Balint Kovacs <blint@balabit.hu> diff --git a/modules/afmongodb/libmongo-client b/modules/afmongodb/libmongo-client index 58f3814..4e98171 160000 --- a/modules/afmongodb/libmongo-client +++ b/modules/afmongodb/libmongo-client @@ -1 +1 @@ -Subproject commit 58f3814cad94bcd78216c7ac971c8435d17a9242 +Subproject commit 4e98171c63001d3fd80c83ce219a5a3a3d482764 diff --git a/modules/dbparser/radix.c b/modules/dbparser/radix.c index 8c43709..2f2034b 100644 --- a/modules/dbparser/radix.c +++ b/modules/dbparser/radix.c @@ -120,7 +120,10 @@ r_parser_set(guint8 *str, gint *len, const gchar *param, gpointer state, RParser { *len = 0; - while (param && strchr(param, str[*len])) + if (!param) + return FALSE; + + while (strchr(param, str[*len])) (*len)++; if (*len > 0) @@ -398,8 +401,8 @@ r_new_pnode(guint8 *key) { if (params_len == 3) { - parser_node->parse = r_parser_estring_c; - parser_node->type = RPT_ESTRING; + parser_node->parse = r_parser_set; + parser_node->type = RPT_SET; } else { diff --git a/modules/dbparser/tests/test_patterndb.c b/modules/dbparser/tests/test_patterndb.c index 6c52ed6..284a874 100644 --- a/modules/dbparser/tests/test_patterndb.c +++ b/modules/dbparser/tests/test_patterndb.c @@ -435,6 +435,16 @@ NULL, // not match }; gchar * test6 [] = { +"@SET:TEST: @", +" a ", +" a ", +" a ", +" a ", +NULL, // not match +"ab1234",NULL +}; + +gchar * test7 [] = { "@IPv4:TEST@", "1.2.3.4", "0.0.0.0", @@ -448,7 +458,7 @@ NULL, "1,2,3,4",NULL }; -gchar * test7 [] = { +gchar * test8 [] = { "@IPv6:TEST@", "2001:0db8:0000:0000:0000:0000:1428:57ab", "2001:0db8:0000:0000:0000::1428:57ab", 
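Review bot: In the `r_parser_set` hunk of `modules/dbparser/radix.c`, the new loop `while (strchr(param, str[*len]))` does not stop at the end of the input. `strchr` treats the terminating NUL of `param` as part of the string, so when `str[*len]` is `'\0'` it returns non-NULL and `*len` keeps advancing for as long as the following bytes are NUL or in the set. Assuming `str` is a NUL-terminated message (its origin is outside the hunk), any input that ends inside the set, such as trailing padding, would be read out of bounds and yield a match length longer than the message. Check the terminator first, `while (str[*len] && strchr(param, str[*len]))`; the function's tail lies outside this hunk. The same loop condition is present in the original `r_parser_set` patch quoted further down the page.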
@@ -460,7 +470,7 @@ NULL, "2001:0db8::34d2::1428:57ab",NULL }; -gchar * test8 [] = { +gchar * test9 [] = { "@IPvANY:TEST@", "1.2.3.4", "0.0.0.0", @@ -481,7 +491,7 @@ NULL, "2001:0db8::34d2::1428:57ab",NULL }; -gchar * test9 [] = { +gchar * test10 [] = { "@NUMBER:TEST@", "1234", "1.2", @@ -492,7 +502,7 @@ NULL, "1,2",NULL }; -gchar * test10 [] = { +gchar * test11 [] = { "@QSTRING:TEST:<>@", "<aa bb>", "< aabb >", @@ -501,7 +511,7 @@ NULL, "<aabb",NULL }; -gchar * test11 [] = { +gchar * test12 [] = { "@STRING:TEST@", "aabb", "aa bb", @@ -513,7 +523,7 @@ NULL, "aa bb",NULL }; -gchar **parsers[] = {test1, test2, test3, test4, test5, test6, test7, test8, test9, test10, test11, NULL}; +gchar **parsers[] = {test1, test2, test3, test4, test5, test6, test7, test8, test9, test10, test11, test12, NULL}; void test_patterndb_parsers() diff --git a/modules/dbparser/tests/test_radix.c b/modules/dbparser/tests/test_radix.c index 2dd5c35..b6c9736 100644 --- a/modules/dbparser/tests/test_radix.c +++ b/modules/dbparser/tests/test_radix.c @@ -298,6 +298,10 @@ test_parsers(void) insert_node(root, "xxx@ANYSTRING@x"); printf("We excpect an error message\n"); insert_node(root, "AAA@NUMBER:invalid=@AAA"); + printf("We excpect an error message\n"); + insert_node(root, "AAA@SET@AAA"); + printf("We excpect an error message\n"); + insert_node(root, "AAA@SET:set@AAA"); test_search_value(root, "a@", NULL); test_search_value(root, "a@NUMBER@aa@@", "a@@NUMBER@@aa@@@@"); @@ -338,6 +342,7 @@ test_matches(void) insert_node(root, "eee @STRING:string@"); insert_node(root, "fff @FLOAT:float@"); insert_node(root, "zzz @ESTRING:test:gép@"); + insert_node(root, "ggg @SET:set: @"); test_search_matches(root, "aaa 12345 hihihi", "number", "12345", 
@@ -605,6 +610,9 @@ test_matches(void) test_search_matches(root, "dddd v12345", NULL); test_search_matches(root, "fff v12345", NULL); test_search_matches(root, "fff 12345.hihihi","float", "12345.", NULL); + test_search_matches(root, "ggg aaa", "set", " ", NULL); + test_search_matches(root, "ggg aaa", "set", " ", NULL); + test_search_matches(root, "ggg aaa", "set", " ", NULL); test_search_matches(root, "zzz árvíztűrőtükörfúrógép", "test", "árvíztűrőtükörfúró", NULL); r_free_node(root, NULL); On 11/27/2011 06:50 PM, Balint Kovacs wrote:
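Review bot: The three `ggg` cases added to `test_matches` all continue with `aaa` after the matched set (as rendered here), so the SET parser is never exercised on a message that ends inside the set. That boundary matters because `strchr` also matches the input's terminating NUL against the parameter string, so the scan can run past the end of the message. A constructed case such as `test_search_matches(root, "ggg  ", "set", " ", NULL);` (two trailing spaces, one consumed by the literal and one by the set) would pin the behaviour at end of input. `test_matches` starts and ends outside this hunk.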
Hi,
based on Evan's idea, please find a patch attached, that implements the SET parser that matches any number of characters specified as its parameters.
Balint
commit ad5da5958104a1dcf5e2492370cbb7037815c3ae Author: Balint Kovacs <blint@balabit.hu> Date: Sun Nov 27 18:40:28 2011 +0100
[dbparser] Implemented SET parser
The SET parser matches any characters specified in its parameter list without further checks. This is a generic solution for the need of matching an arbitrary number of whitespace characters in messages with padding for fields
Reported-By: Evan Rempel <erempel@uvic.ca> Signed-Off-By: Balint Kovacs <blint@balabit.hu>
diff --git a/modules/dbparser/radix.c b/modules/dbparser/radix.c index 6afa9a4..8c43709 100644 --- a/modules/dbparser/radix.c +++ b/modules/dbparser/radix.c @@ -116,6 +116,21 @@ r_parser_anystring(guint8 *str, gint *len, const gchar *param, gpointer state, R }
gboolean +r_parser_set(guint8 *str, gint *len, const gchar *param, gpointer state, RParserMatch *match) +{ + *len = 0; + + while (param && strchr(param, str[*len])) + (*len)++; + + if (*len > 0) + { + return TRUE; + } + return FALSE; +} + +gboolean r_parser_ipv4(guint8 *str, gint *len, const gchar *param, gpointer state, RParserMatch *match) { gint dots = 0; @@ -379,6 +394,21 @@ r_new_pnode(guint8 *key) parser_node->parse = r_parser_anystring; parser_node->type = RPT_ANYSTRING; } + else if (strcmp(params[0], "SET") == 0) + { + if (params_len == 3) + { + parser_node->parse = r_parser_estring_c; + parser_node->type = RPT_ESTRING; + } + else + { + g_free(parser_node); + msg_error("Missing SET parser parameters", + evt_tag_str("type", params[0]), NULL); + parser_node = NULL; + } + } else if (g_str_has_prefix(params[0], "QSTRING")) { if (params_len == 3) diff --git a/modules/dbparser/radix.h b/modules/dbparser/radix.h index 9082419..9756dfe 100644 --- a/modules/dbparser/radix.h +++ b/modules/dbparser/radix.h @@ -40,7 +40,8 @@ enum RPT_ANYSTRING, RPT_IPV6, RPT_IP, - RPT_FLOAT + RPT_FLOAT, + RPT_SET };
typedef struct _RParserMatch @@ -124,6 +125,8 @@ r_parser_type_name(guint8 type) return "IP"; case RPT_FLOAT: return "FLOAT"; + case RPT_SET: + return "SET"; default: return "UNKNOWN"; }