Implement payload contains filtering

honeynet · Jul 2, 2023 · ba9a054 · ba9a054
1 parent ed47161
commit ba9a054
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 2 deletions.
diff --git a/src/__tests__/dsl.test.ts b/src/__tests__/dsl.test.ts
@@ -52,4 +52,10 @@ describe('parseDSL', () => {
         expect(sx.lexErrors).toHaveLength(0);
         expect(sx.parseErrors.length).toBeGreaterThanOrEqual(1);
     });
+
+    test('parsing payload', () => {
+        let sx = parseDSL('payload contains "something"');
+        expect(sx.lexErrors).toHaveLength(0);
+        expect(sx.parseErrors).toHaveLength(0);
+    });
 });
diff --git a/src/dsl.ts b/src/dsl.ts
@@ -20,6 +20,11 @@ const and = createToken({ name: 'AND', pattern: /and/, label: 'and' });
 const or = createToken({ name: 'OR', pattern: /or/, label: 'or' });
 const not = createToken({ name: 'NOT', pattern: /not/, label: 'not' });
 
+// Search and match operators
+const contains = createToken({ name: 'CONTAINS', pattern: /contains/, label: 'contains' });
+const matches = createToken({ name: 'MATCHES', pattern: /matches/, label: 'matches' });
+const matchesSmb = createToken({ name: 'MATCHES_SMB', pattern: /~/, label: 'matches_smb' });
+
 // Literals
 const port = createToken({ name: 'PORT', pattern: /(?:0|[1-9]\d*)/ });
 const ipv4 = createToken({
@@ -34,6 +39,9 @@ const ipDst = createToken({ name: 'IP_DST', pattern: /ip\.dst/ });
 const tcpPort = createToken({ name: 'TCP_PORT', pattern: /tcp\.port/ });
 const udpPort = createToken({ name: 'UDP_PORT', pattern: /udp\.port/ });
 
+const payload = createToken({ name: 'PAYLOAD', pattern: /payload/ });
+const string = createToken({ name: 'STRING', pattern: /\"[a-zA-Z0-9]+\"/ });
+
 const whiteSpace = createToken({
     name: 'WhiteSpace',
     pattern: /\s+/,
@@ -51,13 +59,20 @@ let allTokens = [
     or,
     not,
 
+    contains,
+    matches,
+    matchesSmb,
+
     ipv4,
     port,
 
     ipSrc,
     ipDst,
     tcpPort,
     udpPort,
+
+    payload,
+    string,
 ];
 
 let queryLexer = new Lexer(allTokens);
@@ -120,6 +135,18 @@ class QueryParser extends CstParser {
         ]);
     });
 
+    private searchClause = this.RULE('searchClause', () => {
+        this.OR([
+            {
+                ALT: () => {
+                    this.CONSUME(payload);
+                    this.CONSUME(contains);
+                    this.CONSUME(string);
+                },
+            },
+        ]);
+    });
+
     private portItemClause = this.RULE('portItemClause', () => {
         this.OR([
             {
@@ -166,6 +193,11 @@ class QueryParser extends CstParser {
                     this.CONSUME(ipv4);
                 },
             },
+            {
+                ALT: () => {
+                    this.SUBRULE(this.searchClause);
+                },
+            },
         ]);
     });
 

diff --git a/src/eventFilter.ts b/src/eventFilter.ts
@@ -57,6 +57,12 @@ function filterByBooleanClause(event: Event, booleanClauseCstNode: BooleanClause
         } else {
             throw new Error('Unexpected missing portItemClause');
         }
+    } else if (children.searchClause) {
+        let payloadString = children.searchClause[0].children.STRING[0].image.toLowerCase();
+        let trimmedString = payloadString.substring(1, payloadString.length - 1);
+
+        console.log(payloadString.length);
+        return event.payload.toLowerCase().includes(trimmedString);
     } else {
         throw new Error('Unexpected booleanClauseCstNode');
     }

diff --git a/src/generated/chevrotain_dts.ts b/src/generated/chevrotain_dts.ts
@@ -35,6 +35,17 @@ export type BooleanClauseCstChildren = {
     binaryClause?: BinaryClauseCstNode[];
 };
 
+export interface SearchClauseCstNode extends CstNode {
+    name: 'searchClause';
+    children: SearchClauseCstChildren;
+}
+
+export type SearchClauseCstChildren = {
+    PAYLOAD?: IToken[];
+    CONTAINS?: IToken[];
+    STRING?: IToken[];
+};
+
 export interface PortItemClauseCstNode extends CstNode {
     name: 'portItemClause';
     children: PortItemClauseCstChildren;
@@ -66,6 +77,7 @@ export type BinaryClauseCstChildren = {
     PORT?: IToken[];
     ipItemClause?: IpItemClauseCstNode[];
     IPV4?: IToken[];
+    searchClause?: SearchClauseCstNode[];
 };
 
 export interface BinaryOperatorCstNode extends CstNode {
@@ -84,6 +96,7 @@ export interface ICstNodeVisitor<IN, OUT> extends ICstVisitor<IN, OUT> {
     query(children: QueryCstChildren, param?: IN): OUT;
     booleanSuffixClause(children: BooleanSuffixClauseCstChildren, param?: IN): OUT;
     booleanClause(children: BooleanClauseCstChildren, param?: IN): OUT;
+    searchClause(children: SearchClauseCstChildren, param?: IN): OUT;
     portItemClause(children: PortItemClauseCstChildren, param?: IN): OUT;
     ipItemClause(children: IpItemClauseCstChildren, param?: IN): OUT;
     binaryClause(children: BinaryClauseCstChildren, param?: IN): OUT;

diff --git a/src/syntax.md b/src/syntax.md
@@ -7,14 +7,17 @@ initial query
 query
    : booleanClause booleanSuffixClause || "NOT" query
 
-booleaSuffixClause:
+searchclause
+   : payload searchOperator string
+
+booleanSuffixClause:
    emptyString || OR query || AND query
 
 booleanClause
    : binaryClause || unaryClause
 
 binaryClause
-   : portItemClause binaryOperator integer || ipItemClause binaryOperator ipv4
+   : portItemClause binaryOperator integer || ipItemClause binaryOperator ipv4 || searchClause
 
 binaryOperator
    : "eq" || "==" || "ne" || "!="
@@ -30,6 +33,18 @@ integer:
 
 ipv4:
    : regex([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
+
+searchClause: 
+   : payload searchOperator string
+
+searchOperators: 
+   "contains" || "matches" || "~"
+
+payload:
+   : "payload"
+
+string:
+   : regex([\S]+)
 ```