From fff62b5eb59ffac8901f42c312376ce7704482f4 Mon Sep 17 00:00:00 2001
From: Bradley Kemp
Date: Wed, 4 Sep 2024 15:24:52 +0100
Subject: [PATCH 1/3] enable using new bundle evaluator
---
 go.mod | 7 +++++--
 go.sum | 44 ++++----------------------------------------
 iok.go | 21 +++++++++++++++++++++
 urlscanio_test.go | 20 ++++++++++++++++++++
 4 files changed, 50 insertions(+), 42 deletions(-)
diff --git a/go.mod b/go.mod
index 1a3b19b4..2b08122f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,19 @@
 module phish.report/IOK
 
-go 1.17
+go 1.21
+
+toolchain go1.22.2
 
 require (
 	github.com/bradleyjkemp/cupaloy/v2 v2.6.0
-	github.com/bradleyjkemp/sigma-go v0.6.4
+	github.com/bradleyjkemp/sigma-go v0.6.6
 	golang.org/x/net v0.17.0
 	golang.org/x/sync v0.3.0
 	phish.report/urlscanio-go v0.0.0-20230915155435-2677d74fc8a2
 )
 
 require (
+	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/PaesslerAG/gval v1.0.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/alecthomas/participle v0.7.1 // indirect
diff --git a/go.sum b/go.sum
index ce05d331..8f8bdbd8 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/BobuSumisu/aho-corasick v1.0.3 h1:uuf+JHwU9CHP2Vx+wAy6jcksJThhJS9ehR8a+4nPE9g=
+github.com/BobuSumisu/aho-corasick v1.0.3/go.mod h1:hm4jLcvZKI2vRF2WDU1N4p/jpWtpOzp3nLmi9AzX/XE=
 github.com/PaesslerAG/gval v1.0.0 h1:GEKnRwkWDdf9dOmKcNrar9EA1bz1z9DqPIO1+iLzhd8=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
 github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
@@ -8,8 +10,8 @@ github.com/alecthomas/participle v0.7.1/go.mod h1:HfdmEuwvr12HXQN44HPWXR0lHmVolV github.com/alecthomas/repr v0.0.0-20181024024818-d37bc2a10ba1/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ= github.com/bradleyjkemp/cupaloy/v2 v2.6.0 h1:knToPYa2xtfg42U3I6punFEjaGFKWQRXJwj0JTv4mTs= github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= -github.com/bradleyjkemp/sigma-go v0.6.4 h1:J6Sqwbgv7wsEuP7xbsG8dvTrTc9lhkf5BvYF+gO9vzc= -github.com/bradleyjkemp/sigma-go v0.6.4/go.mod h1:fHCN8y8cC1l5CYY7oOhPIznHmj/yeGxUvU+vAV7alr4= +github.com/bradleyjkemp/sigma-go v0.6.6 h1:3TMVFtSSDw1aeiyoTO3BDoOd5VDrsHEOmujPvgnoq8s= +github.com/bradleyjkemp/sigma-go v0.6.6/go.mod h1:xtOGppg3DSArqCJNBDrczOf++x/RC6v3bV4N6PwDszk= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -22,48 +24,10 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= golang.org/x/sync v0.3.0/go.mod 
h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/iok.go b/iok.go
index c070fb69..10c64575 100644
--- a/iok.go
+++ b/iok.go
@@ -37,6 +37,19 @@ func GetMatches(input Input) ([]sigma.Rule, error) {
 	return GetMatchesForRules(input, evaluators)
 }
 
+func GetMatchesForRulesBundle(input Input, rules evaluator.RuleEvaluatorBundle) ([]sigma.Rule, error) {
+	matches := []sigma.Rule{}
+	ruleInput := convertInput(input)
+	results, err := rules.Matches(context.Background(), ruleInput)
+	for _, result := range results {
+		if result.Match {
+			matches = append(matches, result.Rule)
+		}
+	}
+
+	return matches, err
+}
+
 func GetMatchesForRules(input Input, rules []*evaluator.RuleEvaluator) ([]sigma.Rule, error) {
 	matches := []sigma.Rule{}
 	ruleInput := convertInput(input)
@@ -96,6 +109,14 @@ func ParseRule(path string, contents []byte) (*evaluator.RuleEvaluator, error) {
 	return evaluator.ForRule(rule, evaluator.WithConfig(config), evaluator.CaseSensitive), nil
 }
 
+func RulesBundle(rules []sigma.Rule) (evaluator.RuleEvaluatorBundle, error) {
+	config, err := sigma.ParseConfig(config)
+	if err != nil {
+		return evaluator.RuleEvaluatorBundle{}, fmt.Errorf("failed to parse config: %w", err)
+	}
+	return evaluator.ForRules(rules, evaluator.WithConfig(config), evaluator.CaseSensitive), nil
+}
+
 func init() {
 	err := fs.WalkDir(indicators, ".", func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() {
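Review bot: In `GetMatchesForRulesBundle`, `results, err := rules.Matches(context.Background(), ruleInput)` is followed by the loop over `results` and `return matches, err` with no check of `err` in between, so a caller that inspects `matches` before `err` (or ignores `err`) sees a partial or empty match list that looks like a clean verdict for the input; the ctx-taking version of this function in the second patch of the series keeps the same shape. Unless `Matches` is documented to return usable partial results together with an error, I would add `if err != nil { return nil, fmt.Errorf("evaluating rule bundle: %w", err) }` directly after the call and return `matches, nil` at the end; if `GetMatchesForRules`, which begins at the end of this hunk, follows the same pattern it deserves the same treatment. Both new exported functions here also lack the doc comment that `go vet`/`staticcheck` expect; for the first, `// GetMatchesForRulesBundle evaluates input against every rule in the bundle and returns the rules that matched.` would do.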
diff --git a/urlscanio_test.go b/urlscanio_test.go
index 292e3347..abc02c42 100644
--- a/urlscanio_test.go
+++ b/urlscanio_test.go
@@ -3,6 +3,7 @@ package iok
 import (
 	"context"
 	"github.com/bradleyjkemp/cupaloy/v2"
+	"github.com/bradleyjkemp/sigma-go"
 	"net/http"
 	"sort"
 	"testing"
@@ -33,6 +34,25 @@ func TestInputFromURLScan(t *testing.T) {
 	}
 }
 
+func BenchmarkUrlscanGetMatches(b *testing.B) {
+	b.StopTimer()
+	input, err := InputFromURLScan(context.Background(), "67514436-4198-46c1-8e8b-5ddbc03098f2", http.DefaultClient)
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.StartTimer()
+	var matches []sigma.Rule
+	for i := 0; i < b.N; i++ {
+		matches, err = GetMatches(input)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+	if len(matches) == 0 {
+		b.Fatal(0)
+	}
+}
+
 func sortField(f []string) {
 	sort.Slice(f, func(i, j int) bool {
 		return f[i] < f[j]
From bd4519fea86110c626637cd88c676cbc6bc39a19 Mon Sep 17 00:00:00 2001
From: Bradley Kemp
Date: Wed, 4 Sep 2024 15:27:58 +0100
Subject: [PATCH 2/3] plumb through context
---
 iok.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iok.go b/iok.go
index 10c64575..59da42e7 100644
--- a/iok.go
+++ b/iok.go
@@ -37,10 +37,10 @@ func GetMatches(input Input) ([]sigma.Rule, error) {
 	return GetMatchesForRules(input, evaluators)
 }
 
-func GetMatchesForRulesBundle(input Input, rules evaluator.RuleEvaluatorBundle) ([]sigma.Rule, error) {
+func GetMatchesForRulesBundle(ctx context.Context, input Input, rules evaluator.RuleEvaluatorBundle) ([]sigma.Rule, error) {
 	matches := []sigma.Rule{}
 	ruleInput := convertInput(input)
-	results, err := rules.Matches(context.Background(), ruleInput)
+	results, err := rules.Matches(ctx, ruleInput)
 	for _, result := range results {
 		if result.Match {
 			matches = append(matches, result.Rule)
From 6a234df3ab6b8c65b5f5b9a2c45d050708c1fd7d Mon Sep 17 00:00:00 2001
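Review bot: `BenchmarkUrlscanGetMatches` fetches a live urlscan.io result through `http.DefaultClient`, which has no timeout, so a stalled connection leaves the benchmark hanging instead of failing, and the benchmark cannot run offline at all. I would pass a client with `Timeout` set (or derive the context with `context.WithTimeout`) and gate the fetch with `if testing.Short() { b.Skip("needs network access") }` so `go test -short` stays hermetic. `b.Fatal(0)` prints a bare `0` as the failure message; `b.Fatal("expected at least one match for the benchmark input")` says what actually went wrong. The `b.StopTimer()`/`b.StartTimer()` pair around setup can be replaced by a single `b.ResetTimer()` after setup, which is the usual idiom.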
From: Bradley Kemp
Date: Thu, 5 Sep 2024 12:04:19 +0100
Subject: [PATCH 3/3] allow passing sigma-go options
---
 iok.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iok.go b/iok.go
index 59da42e7..8c11ff9c 100644
--- a/iok.go
+++ b/iok.go
@@ -109,12 +109,12 @@ func ParseRule(path string, contents []byte) (*evaluator.RuleEvaluator, error) {
 	return evaluator.ForRule(rule, evaluator.WithConfig(config), evaluator.CaseSensitive), nil
 }
 
-func RulesBundle(rules []sigma.Rule) (evaluator.RuleEvaluatorBundle, error) {
+func RulesBundle(rules []sigma.Rule, options ...evaluator.Option) (evaluator.RuleEvaluatorBundle, error) {
 	config, err := sigma.ParseConfig(config)
 	if err != nil {
 		return evaluator.RuleEvaluatorBundle{}, fmt.Errorf("failed to parse config: %w", err)
 	}
-	return evaluator.ForRules(rules, evaluator.WithConfig(config), evaluator.CaseSensitive), nil
+	return evaluator.ForRules(rules, append([]evaluator.Option{evaluator.WithConfig(config), evaluator.CaseSensitive}, options...)...), nil
 }
 
 func init() {
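Review bot: The caller-supplied `options` are appended after `evaluator.WithConfig(config)` and `evaluator.CaseSensitive`, so if sigma-go applies options in order a caller can override the built-in config and case-sensitive matching; the code does not say whether that is intended, and `RulesBundle` still has no doc comment to say it. I would document it explicitly, e.g. `// RulesBundle compiles rules into a single evaluator bundle using the built-in config and case-sensitive matching; options are applied afterwards and may override those defaults.` The inline `append([]evaluator.Option{...}, options...)...` is hard to read; `opts := append([]evaluator.Option{evaluator.WithConfig(config), evaluator.CaseSensitive}, options...)` followed by `return evaluator.ForRules(rules, opts...), nil` reads more clearly. The local `config, err := sigma.ParseConfig(config)` also shadows the outer `config` it reads from (presumably the package-level raw config); `cfg, err := sigma.ParseConfig(config)` avoids giving the name two meanings in one function.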