Add pattern_end_offset to signature_state

Add pattern_end_offset to signature_state Update init-bare.zeek Update RuleMatcher.cc Update RuleMatcher.h Update init-bare.zeek clang format clang format clang format Using Match Offsets List Temp commit
2025-10-02 06:38:20 +00:00 · 2024-09-01 15:51:20 +03:00 · 2024-09-01 15:51:20 +03:00 · 5859e23198
commit 5859e23198
parent ab4d8744b6
3 changed files with 16 additions and 6 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -4527,6 +4527,7 @@ type signature_state: record {
 	conn:         connection;	##< Matching connection.
 	is_orig:      bool;	##< True if matching endpoint is originator.
 	payload_size: count;	##< Payload size of the first matching packet of current endpoint.
+	pattern_end_offset: count &optional; ##< 0-based offset of the last character of the matched payload in the last matching chunk of current endpoint. Non-existing for pure rules
 };

 ## A BitTorrent peer.
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -91,6 +91,10 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule, const RuleEndpointState*
    val->Assign(1, state->GetAnalyzer()->ConnVal());
    val->Assign(2, state->is_orig);
    val->Assign(3, state->payload_size);
+
+    int rule_offset = state->matched_by_patterns.member_pos(const_cast<Rule*>(rule));
+    if ( rule_offset >= 0 )
+        val->Assign(4, state->match_offsets[rule_offset]);
    return val;
 }

@ -825,7 +829,7 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type, const
    // matched patterns per connection (which is a plausible assumption).

    // Find rules for which patterns have matched.
-    set<Rule*> rule_matches;
+    set<pair<Rule*, MatchPos>> rule_matches;

    for ( AcceptingMatchSet::const_iterator it = accepted_matches.begin(); it != accepted_matches.end(); ++it ) {
        AcceptIdx aidx = it->first;
@ -834,13 +838,14 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type, const
        Rule* r = Rule::rule_table[aidx - 1];

        if ( AllRulePatternsMatched(r, mpos, accepted_matches) )
-            rule_matches.insert(r);
+            rule_matches.insert(make_pair(r, mpos));
    }

    // Check which of the matching rules really belong to any of our nodes.

-    for ( set<Rule*>::const_iterator it = rule_matches.begin(); it != rule_matches.end(); ++it ) {
-        Rule* r = *it;
+    for ( set<pair<Rule*, MatchPos>>::const_iterator it = rule_matches.begin(); it != rule_matches.end(); ++it ) {
+        Rule* r = it->first;
+        MatchPos match_end_offset = it->second;

        DBG_LOG(DBG_RULES, "Accepted rule: %s", r->id);

@ -862,6 +867,7 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type, const
                state->matched_by_patterns.push_back(r);
                String* s = new String(data, data_len, false);
                state->matched_text.push_back(s);
+                state->match_offsets.push_back(match_end_offset);
            }

            DBG_LOG(DBG_RULES, "And has not already fired");
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@ -173,6 +173,7 @@ private:
    };

    using matcher_list = PList<Matcher>;
+    using match_offset_list = std::vector<MatchPos>;

    analyzer::Analyzer* analyzer;
    RuleEndpointState* opposite;
@ -182,10 +183,12 @@ private:
    rule_hdr_test_list hdr_tests;

    // The follow tracks which rules for which all patterns have matched,
-    // and in a parallel list the (first instance of the) corresponding
-    // matched text.
+    // in a parallel list the (first instance of the) corresponding
+	// matched text, and in another parallel list the offset of the
+	// end of the last pattern match.
    rule_list matched_by_patterns;
    bstr_list matched_text;
+    match_offset_list match_offsets;

    int payload_size;
    bool is_orig;