... | ... |
@@ -411,7 +411,7 @@ int cli_ac_buildtrie(struct cli_matcher *root) |
411 | 411 |
return ac_maketrans(root); |
412 | 412 |
} |
413 | 413 |
|
414 |
-int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering, uint8_t ac_opts) |
|
414 |
+int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering) |
|
415 | 415 |
{ |
416 | 416 |
#ifdef USE_MPOOL |
417 | 417 |
assert(root->mempool && "mempool must be initialized"); |
... | ... |
@@ -432,7 +432,6 @@ int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, ui |
432 | 432 |
|
433 | 433 |
root->ac_mindepth = mindepth; |
434 | 434 |
root->ac_maxdepth = maxdepth; |
435 |
- root->ac_opts = ac_opts; |
|
436 | 435 |
|
437 | 436 |
if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) { |
438 | 437 |
root->filter = mpool_malloc(root->mempool, sizeof(*root->filter)); |
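Review bot: The `ac_opts` member of `struct cli_matcher` and the `AC_OPTION_NOCASE` constant look orphaned once `root->ac_opts = ac_opts;` is removed here. Every read and write of them shown in this commit is deleted, but their definitions are not among the visible sections. If they are not removed elsewhere in the commit, drop them together with this assignment so that no later code tests a field that is never set. The body of cli_ac_init continues outside this hunk.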
... | ... |
@@ -847,7 +846,7 @@ int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigne |
847 | 847 |
match = 0; \ |
848 | 848 |
} |
849 | 849 |
|
850 |
-inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uint32_t fileoffset, uint32_t length, const struct cli_ac_patt *pattern, uint32_t *end, uint8_t ac_opts) |
|
850 |
+inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uint32_t fileoffset, uint32_t length, const struct cli_ac_patt *pattern, uint32_t *end) |
|
851 | 851 |
{ |
852 | 852 |
uint32_t bp, pstart, match; |
853 | 853 |
uint16_t wc, i, j, specialcnt = pattern->special_pattern; |
... | ... |
@@ -857,17 +856,10 @@ inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uin |
857 | 857 |
if((offset + pattern->length > length) || (pattern->prefix_length > offset)) |
858 | 858 |
return 0; |
859 | 859 |
|
860 |
- if (!pattern->nocase && (ac_opts & AC_OPTION_NOCASE)) { |
|
861 |
- bp = offset; |
|
862 |
- pstart = 0; |
|
863 |
- } |
|
864 |
- else { |
|
865 |
- bp = offset + pattern->depth; |
|
866 |
- pstart = pattern->depth; |
|
867 |
- } |
|
860 |
+ bp = offset + pattern->depth; |
|
868 | 861 |
|
869 | 862 |
match = 1; |
870 |
- for(i = pstart; i < pattern->length && bp < length; i++) { |
|
863 |
+ for(i = pattern->depth; i < pattern->length && bp < length; i++) { |
|
871 | 864 |
AC_MATCH_CHAR(pattern->pattern[i],buffer[bp]); |
872 | 865 |
if(!match) |
873 | 866 |
return 0; |
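Review bot: `pstart` appears to be left without a use now that the loop starts at `pattern->depth`. The removed branch held its only visible assignments, yet the declaration `uint32_t bp, pstart, match;` in the preceding hunk of ac_findmatch still names it. If nothing further down reads it (the function body continues outside this hunk), change the declaration to `uint32_t bp, match;` to avoid an unused-variable warning. A short comment on the new assignment, such as `/* bytes before pattern->depth are presumably already matched by the trie walk */`, would also record why verification skips the prefix.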
... | ... |
@@ -1268,10 +1260,7 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v |
1268 | 1268 |
current = root->ac_root; |
1269 | 1269 |
|
1270 | 1270 |
for(i = 0; i < length; i++) { |
1271 |
- if (root->ac_opts & AC_OPTION_NOCASE) |
|
1272 |
- current = current->trans[cli_nocase(buffer[i])]; |
|
1273 |
- else |
|
1274 |
- current = current->trans[buffer[i]]; |
|
1271 |
+ current = current->trans[buffer[i]]; |
|
1275 | 1272 |
|
1276 | 1273 |
if(UNLIKELY(IS_FINAL(current))) { |
1277 | 1274 |
struct cli_ac_patt *faillist = current->fail->list; |
... | ... |
@@ -1303,7 +1292,7 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v |
1303 | 1303 |
} |
1304 | 1304 |
|
1305 | 1305 |
pt = patt; |
1306 |
- if(ac_findmatch(buffer, bp, offset + bp - patt->prefix_length, length, patt, &matchend, root->ac_opts)) { |
|
1306 |
+ if(ac_findmatch(buffer, bp, offset + bp - patt->prefix_length, length, patt, &matchend)) { |
|
1307 | 1307 |
while(pt) { |
1308 | 1308 |
if(pt->partno > mdata->min_partno) |
1309 | 1309 |
break; |
... | ... |
@@ -1576,10 +1565,6 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex |
1576 | 1576 |
while (sigopts[i] != '\0') { |
1577 | 1577 |
switch (sigopts[i]) { |
1578 | 1578 |
case 'i': |
1579 |
- if (!(root->ac_opts & AC_OPTION_NOCASE)) { |
|
1580 |
- cli_errmsg("cli_ac_addsig: Signature for %s using nocase cannot be added to case-sensitive AC trie\n", virname); |
|
1581 |
- return CL_EMALFDB; |
|
1582 |
- } |
|
1583 | 1579 |
nocase = 1; |
1584 | 1580 |
break; |
1585 | 1581 |
default: |
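Review bot: With this guard gone, a signature carrying the `i` option is accepted on every trie, but nothing visible in the commit shows how its first `depth` bytes are matched case-insensitively. The scan loop in cli_ac_scanbuff now always walks `current->trans[buffer[i]]`, and ac_findmatch begins comparing at `pattern->depth`, so those leading bytes are matched only by however the trie was built. If the pattern insertion code (not visible here) stores the prefix in a single case, data that differs only in the case of its leading bytes would go undetected. It is worth confirming that insertion adds transitions for both cases of `CLI_MATCH_NOCASE` characters. A check_matchers case that loads an `i` signature and scans a buffer with a mixed-case prefix would cover this; the test hunks in this commit only adjust the `cli_ac_init` call. cli_ac_addsig continues outside this hunk.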
... | ... |
@@ -1896,8 +1881,6 @@ int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hex |
1896 | 1896 |
|
1897 | 1897 |
/* setting nocase match */ |
1898 | 1898 |
if (nocase) { |
1899 |
- new->nocase = 1; |
|
1900 |
- |
|
1901 | 1899 |
for (i = 0; i < new->length; ++i) |
1902 | 1900 |
if ((new->pattern[i] & CLI_MATCH_METADATA) == CLI_MATCH_CHAR) |
1903 | 1901 |
new->pattern[i] += CLI_MATCH_NOCASE; |
... | ... |
@@ -74,7 +74,6 @@ struct cli_ac_patt { |
74 | 74 |
uint32_t offdata[4], offset_min, offset_max; |
75 | 75 |
uint32_t boundary; |
76 | 76 |
uint8_t depth; |
77 |
- uint8_t nocase; |
|
78 | 77 |
}; |
79 | 78 |
|
80 | 79 |
struct cli_ac_node { |
... | ... |
@@ -102,7 +101,7 @@ int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigne |
102 | 102 |
void cli_ac_freedata(struct cli_ac_data *data); |
103 | 103 |
int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, void **customdata, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t offset, cli_file_t ftype, struct cli_matched_type **ftoffset, unsigned int mode, cli_ctx *ctx); |
104 | 104 |
int cli_ac_buildtrie(struct cli_matcher *root); |
105 |
-int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering, uint8_t ac_opts); |
|
105 |
+int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering); |
|
106 | 106 |
int cli_ac_caloff(const struct cli_matcher *root, struct cli_ac_data *data, const struct cli_target_info *info); |
107 | 107 |
void cli_ac_free(struct cli_matcher *root); |
108 | 108 |
int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hexsig, const char *sigopts, uint32_t sigid, uint16_t parts, uint16_t partno, uint16_t rtype, uint16_t type, uint32_t mindist, uint32_t maxdist, const char *offset, const uint32_t *lsigid, unsigned int options); |
... | ... |
@@ -262,9 +262,6 @@ struct cl_engine { |
262 | 262 |
/* Roots table */ |
263 | 263 |
struct cli_matcher **root; |
264 | 264 |
|
265 |
- /* Yara table */ |
|
266 |
- struct cli_matcher *yroot; |
|
267 |
- |
|
268 | 265 |
/* hash matcher for standard MD5 sigs */ |
269 | 266 |
struct cli_matcher *hm_hdb; |
270 | 267 |
/* hash matcher for MD5 sigs for PE sections */ |
... | ... |
@@ -442,7 +442,7 @@ int cli_initroots(struct cl_engine *engine, unsigned int options) |
442 | 442 |
root->ac_only = 1; |
443 | 443 |
|
444 | 444 |
cli_dbgmsg("Initialising AC pattern matcher of root[%d]\n", i); |
445 |
- if((ret = cli_ac_init(root, engine->ac_mindepth, engine->ac_maxdepth, engine->dconf->other&OTHER_CONF_PREFILTERING, 0))) { |
|
445 |
+ if((ret = cli_ac_init(root, engine->ac_mindepth, engine->ac_maxdepth, engine->dconf->other&OTHER_CONF_PREFILTERING))) { |
|
446 | 446 |
/* no need to free previously allocated memory here */ |
447 | 447 |
cli_errmsg("cli_initroots: Can't initialise AC pattern matcher\n"); |
448 | 448 |
return ret; |
... | ... |
@@ -270,7 +270,7 @@ int init_regex_list(struct regex_matcher* matcher, uint8_t dconf_prefiltering) |
270 | 270 |
matcher->suffixes.mempool = mp; |
271 | 271 |
assert(mp && "mempool must be initialized"); |
272 | 272 |
#endif |
273 |
- if((rc = cli_ac_init(&matcher->suffixes, 2, 32, dconf_prefiltering, 0))) { |
|
273 |
+ if((rc = cli_ac_init(&matcher->suffixes, 2, 32, dconf_prefiltering))) { |
|
274 | 274 |
return rc; |
275 | 275 |
} |
276 | 276 |
#ifdef USE_MPOOL |
... | ... |
@@ -94,7 +94,7 @@ START_TEST (test_ac_scanbuff) { |
94 | 94 |
#ifdef USE_MPOOL |
95 | 95 |
root->mempool = mpool_create(); |
96 | 96 |
#endif |
97 |
- ret = cli_ac_init(root, CLI_DEFAULT_AC_MINDEPTH, CLI_DEFAULT_AC_MAXDEPTH, 1, 0); |
|
97 |
+ ret = cli_ac_init(root, CLI_DEFAULT_AC_MINDEPTH, CLI_DEFAULT_AC_MAXDEPTH, 1); |
|
98 | 98 |
fail_unless(ret == CL_SUCCESS, "cli_ac_init() failed"); |
99 | 99 |
|
100 | 100 |
|
... | ... |
@@ -164,7 +164,7 @@ START_TEST (test_ac_scanbuff_allscan) { |
164 | 164 |
#ifdef USE_MPOOL |
165 | 165 |
root->mempool = mpool_create(); |
166 | 166 |
#endif |
167 |
- ret = cli_ac_init(root, CLI_DEFAULT_AC_MINDEPTH, CLI_DEFAULT_AC_MAXDEPTH, 1, 0); |
|
167 |
+ ret = cli_ac_init(root, CLI_DEFAULT_AC_MINDEPTH, CLI_DEFAULT_AC_MAXDEPTH, 1); |
|
168 | 168 |
fail_unless(ret == CL_SUCCESS, "cli_ac_init() failed"); |
169 | 169 |
|
170 | 170 |
|