int matches_blob(
char* rule,
uint8_t* blob,
size_t len)
{
if (blob == NULL)
{
blob = (uint8_t*) "dummy";
len = 5;
}
YR_RULES* rules = compile_rule(rule);
if (rules == NULL)
{
fprintf(stderr, "failed to compile rule << %s >>: %s\n", rule, compile_error);
exit(EXIT_FAILURE);
}
int matches = 0;
int scan_result = yr_rules_scan_mem(
rules, blob, len, 0, count_matches, &matches, 0);
if (scan_result != ERROR_SUCCESS)
{
fprintf(stderr, "yr_rules_scan_mem: error\n");
exit(EXIT_FAILURE);
}
yr_rules_destroy(rules);
return matches;
}
static void use_default_rules(RIP_MANAGER_INFO * rmi)
{
Parse_Rule *rulep;
/* set global rule list to default */
rmi->parse_rules = (Parse_Rule *) malloc(sizeof(m_default_rule_list));
memcpy(rmi->parse_rules, m_default_rule_list, sizeof(m_default_rule_list));
/* compile regular expressions */
for (rulep = rmi->parse_rules; rulep->cmd; rulep++) {
compile_rule(rulep, rulep->match);
}
}
static nfagrammar *
metacompile(node *n)
{
nfagrammar *gr;
int i;
if (Py_DebugFlag)
printf("Compiling (meta-) parse tree into NFA grammar\n");
gr = newnfagrammar();
REQ(n, MSTART);
i = n->n_nchildren - 1; /* Last child is ENDMARKER */
n = n->n_child;
for (; --i >= 0; n++) {
if (n->n_type != NEWLINE)
compile_rule(gr, n);
}
return gr;
}
/* This mega-function reads in the rules file, and loads
all the rules into the rmi->parse_rules data structure */
void init_metadata_parser(RIP_MANAGER_INFO * rmi, char *rules_file)
{
FILE *fp;
int ri; /* Rule index */
int rn; /* Number of rules allocated */
if (!rules_file || !*rules_file) {
use_default_rules(rmi);
return;
}
fp = fopen(rules_file, "r");
if (!fp) {
use_default_rules(rmi);
return;
}
rmi->parse_rules = 0;
ri = rn = 0;
while (1) {
char rule_buf[MAX_RULE_SIZE];
char match_buf[MAX_RULE_SIZE];
char subst_buf[MAX_RULE_SIZE];
mchar w_match_buf[MAX_RULE_SIZE];
mchar w_subst_buf[MAX_RULE_SIZE];
char *rbp;
char *rp;
int got_command;
int rc;
/* Allocate memory for rule, if necessary. */
/* If there are no more rules in the file, */
/* this rule will become the sentinel null rule */
if (ri + 1 != rn) {
rmi->parse_rules = realloc(rmi->parse_rules, (ri + 1) * sizeof(Parse_Rule));
memset(&rmi->parse_rules[ri], 0, sizeof(Parse_Rule));
rn = ri + 1;
}
/* Get next line from file */
rp = fgets(rule_buf, 2048, fp);
if (!rp)
break;
/* Skip leading whitespace */
rbp = rule_buf;
while (*rbp && isspace(*rbp))
rbp++;
if (!*rbp)
continue;
/* Get command */
got_command = 0;
switch (*rbp++) {
case 'm':
got_command = 1;
rmi->parse_rules[ri].cmd = PARSERULE_CMD_MATCH;
break;
case 's':
got_command = 1;
rmi->parse_rules[ri].cmd = PARSERULE_CMD_SUBST;
break;
case '#':
got_command = 0;
break;
default:
got_command = 0;
printf("Warning: malformed command in rules file:\n%s\n", rule_buf);
break;
}
if (!got_command)
continue;
/* Skip past fwd slash */
if (*rbp++ != '/') {
printf("Warning: malformed command in rules file:\n%s\n", rule_buf);
continue;
}
/* Parse match string */
rbp = parse_escaped_string(match_buf, rbp);
debug_printf("match_buf=%s\n", match_buf);
if (!rbp) {
printf("Warning: malformed command in rules file:\n%s\n", rule_buf);
continue;
}
/* Parse subst string */
if (rmi->parse_rules[ri].cmd == PARSERULE_CMD_SUBST) {
rbp = parse_escaped_string(subst_buf, rbp);
debug_printf("subst_buf=%s\n", subst_buf);
if (!rbp) {
printf("Warning: malformed command in rules file:\n%s\n", rule_buf);
continue;
}
}
/* Parse flags */
rc = parse_flags(&rmi->parse_rules[ri], rbp);
if (!rc) {
printf("Warning: malformed command in rules file:\n%s\n", rule_buf);
continue;
}
/* Compile the rule */
debug_printf("Compiling the rule\n");
gstring_from_string(rmi, w_match_buf, MAX_RULE_SIZE, match_buf, CODESET_UTF8);
if (!compile_rule(&rmi->parse_rules[ri], w_match_buf)) {
printf("Warning: malformed regular expression:\n%s\n", match_buf);
continue;
}
/* Copy rule strings */
debug_printf("Copying rule string (1)\n");
debug_mprintf(m_("String is ") m_S m_("\n"), w_match_buf);
rmi->parse_rules[ri].match = mstrdup(w_match_buf);
debug_printf("Copying rule string (2)\n");
if (rmi->parse_rules[ri].cmd == PARSERULE_CMD_SUBST) {
debug_printf("Copying rule string (3)\n");
gstring_from_string(rmi, w_subst_buf, MAX_RULE_SIZE, subst_buf, CODESET_UTF8);
debug_printf("Copying rule string (4)\n");
rmi->parse_rules[ri].subst = mstrdup(w_subst_buf);
debug_printf("Copying rule string (5)\n");
}
debug_printf("End of loop\n");
ri++;
}
fclose(fp);
}