@@ -1,3 +1,7 @@

+Fri Oct 16 10:11:56 CEST 2009 (tk)

+----------------------------------

+ * sigtool: add support for --find-sigs (part of bb#1246)

+

 Fri Oct 16 01:46:28 CEST 2009 (acab)

 ------------------------------------

  * win32: res_query compatible interface

@@ -69,8 +69,11 @@ Execute update script FILE in current directory.

 \fB\-\-verify\-cdiff=FILE, \-r FILE\fR

 Verify DIFF against CVD/INCDIR.

 .TP 

-\fB\-l, \-\-list\-sigs\fR

-List signature names.

+\fB\-l[FILE], \-\-list\-sigs[=FILE]\fR

+List all signature names from the local database directory (default) or from FILE.

+.TP 

+\fB\-fREGEX, \-\-find\-sigs=REGEX\fR

+Find and display signatures from the local database directory which match the given REGEX. The whole signature body (name, hex string, etc.) is checked.

 .SH "EXAMPLES"

 .LP 

 .TP 

@@ -106,6 +106,7 @@ const struct clam_option clam_options[] = {

     { NULL, "unpack-current", 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" },

     { NULL, "info", 'i', TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" },

     { NULL, "list-sigs", 'l', TYPE_STRING, NULL, -1, DATADIR, 0, OPT_SIGTOOL, "", "" },

+    { NULL, "find-sigs", 'f', TYPE_STRING, NULL, -1, DATADIR, FLAG_REQUIRED, OPT_SIGTOOL, "", "" },

     { NULL, "vba", 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" },

     { NULL, "vba-hex", 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" },

     { NULL, "diff", 'd', TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" },

@@ -980,15 +980,14 @@ static int cvdinfo(const struct optstruct *opts)

     return 0;

 }

-static int listdb(const char *filename);

+static int listdb(const char *filename, const regex_t *regex);

-static int listdir(const char *dirname)

+static int listdir(const char *dirname, const regex_t *regex)

 {

 	DIR *dd;

 	struct dirent *dent;

 	char *dbfile;

-

     if((dd = opendir(dirname)) == NULL) {

         mprintf("!listdir: Can't open directory %s\n", dirname);

         return -1;

@@ -1021,7 +1020,7 @@ static int listdir(const char *dirname)

 		}

 		sprintf(dbfile, "%s"PATHSEP"%s", dirname, dent->d_name);

-		if(listdb(dbfile) == -1) {

+		if(listdb(dbfile, regex) == -1) {

 		    mprintf("!listdb: Error listing database %s\n", dbfile);

 		    free(dbfile);

 		    closedir(dd);

@@ -1036,7 +1035,7 @@ static int listdir(const char *dirname)

     return 0;

 }

-static int listdb(const char *filename)

+static int listdb(const char *filename, const regex_t *regex)

 {

 	FILE *fh;

 	char *buffer, *pt, *start, *dir;

@@ -1086,7 +1085,7 @@ static int listdb(const char *filename)

 	}

 	/* list extracted directory */

-	if(listdir(dir) == -1) {

+	if(listdir(dir, regex) == -1) {

 	    mprintf("!listdb: Can't list directory %s\n", filename);

 	    cli_rmdirs(dir);

 	    free(dir);

@@ -1102,6 +1101,11 @@ static int listdb(const char *filename)

     if(cli_strbcasestr(filename, ".db")) { /* old style database */

 	while(fgets(buffer, FILEBUFF, fh)) {

+	    if(regex) {

+		if(!cli_regexec(regex, buffer, 0, NULL, 0))

+		    mprintf("%s", buffer);

+		continue;

+	    }

 	    line++;

 	    pt = strchr(buffer, '=');

 	    if(!pt) {

@@ -1123,6 +1127,11 @@ static int listdb(const char *filename)

     } else if(cli_strbcasestr(filename, ".hdb") || cli_strbcasestr(filename, ".hdu") || cli_strbcasestr(filename, ".mdb") || cli_strbcasestr(filename, ".mdu")) { /* hash database */

 	while(fgets(buffer, FILEBUFF, fh)) {

+	    if(regex) {

+		if(!cli_regexec(regex, buffer, 0, NULL, 0))

+		    mprintf("%s", buffer);

+		continue;

+	    }

 	    line++;

 	    cli_chomp(buffer);

 	    start = cli_strtok(buffer, 2, ":");

@@ -1144,6 +1153,11 @@ static int listdb(const char *filename)

     } else if(cli_strbcasestr(filename, ".ndb") || cli_strbcasestr(filename, ".ndu") || cli_strbcasestr(filename, ".ldb") || cli_strbcasestr(filename, ".ldu") || cli_strbcasestr(filename, ".sdb") || cli_strbcasestr(filename, ".zmd") || cli_strbcasestr(filename, ".rmd")) {

 	while(fgets(buffer, FILEBUFF, fh)) {

+	    if(regex) {

+		if(!cli_regexec(regex, buffer, 0, NULL, 0))

+		    mprintf("%s", buffer);

+		continue;

+	    }

 	    line++;

 	    cli_chomp(buffer);

@@ -1171,31 +1185,45 @@ static int listdb(const char *filename)

     return 0;

 }

-static int listsigs(const struct optstruct *opts)

+static int listsigs(const struct optstruct *opts, int mode)

 {

 	int ret;

 	const char *name;

 	char *dbdir;

 	struct stat sb;

+	regex_t reg;

-    name = optget(opts, "list-sigs")->strarg;

-    if(stat(name, &sb) == -1) {

-	mprintf("--list-sigs: Can't get status of %s\n", name);

-	return -1;

-    }

+    if(mode == 0) {

+	name = optget(opts, "list-sigs")->strarg;

+	if(stat(name, &sb) == -1) {

+	    mprintf("--list-sigs: Can't get status of %s\n", name);

+	    return -1;

+	}

-    mprintf_stdout = 1;

-    if(S_ISDIR(sb.st_mode)) {

-	if(!strcmp(name, DATADIR)) {

-	    dbdir = freshdbdir();

-	    ret = listdir(dbdir);

-	    free(dbdir);

+	mprintf_stdout = 1;

+	if(S_ISDIR(sb.st_mode)) {

+	    if(!strcmp(name, DATADIR)) {

+		dbdir = freshdbdir();

+		ret = listdir(dbdir, NULL);

+		free(dbdir);

+	    } else {

+		ret = listdir(name, NULL);

+	    }

 	} else {

-	    ret = listdir(name);

+	    ret = listdb(name, NULL);

 	}

+

     } else {

-	ret = listdb(name);

+	if(cli_regcomp(&reg, optget(opts, "find-sigs")->strarg, REG_EXTENDED | REG_NOSUB) != 0) {

+	    mprintf("--find-sigs: Can't compile regex\n");

+	    return -1;

+	}

+	mprintf_stdout = 1;

+	dbdir = freshdbdir();

+	ret = listdir(dbdir, &reg);

+	free(dbdir);

+	cli_regfree(&reg);

     }

     return ret;

@@ -1798,6 +1826,7 @@ static void help(void)

     mprintf("    --unpack=FILE          -u FILE         Unpack a CVD/CLD file\n");

     mprintf("    --unpack-current=SHORTNAME             Unpack local CVD/CLD into cwd\n");

     mprintf("    --list-sigs[=FILE]     -l[FILE]        List signature names\n");

+    mprintf("    --find-sigs=REGEX      -fREGEX         Find signatures matching REGEX\n");

     mprintf("    --vba=FILE                             Extract VBA/Word6 macro code\n");

     mprintf("    --vba-hex=FILE                         Extract Word6 macro code with hex values\n");

     mprintf("    --diff=OLD NEW         -d OLD NEW      Create diff for OLD and NEW CVDs\n");

@@ -1860,7 +1889,9 @@ int main(int argc, char **argv)

     else if(optget(opts, "info")->enabled)

 	ret = cvdinfo(opts);

     else if(optget(opts, "list-sigs")->active)

-	ret = listsigs(opts);

+	ret = listsigs(opts, 0);

+    else if(optget(opts, "find-sigs")->active)

+	ret = listsigs(opts, 1);

     else if(optget(opts, "vba")->enabled || optget(opts, "vba-hex")->enabled)

 	ret = vbadump(opts);

     else if(optget(opts, "diff")->enabled)