diff --git a/boreal/src/compiler/rule.rs b/boreal/src/compiler/rule.rs index 3df3223f..d86822a3 100644 --- a/boreal/src/compiler/rule.rs +++ b/boreal/src/compiler/rule.rs @@ -3,8 +3,7 @@ use std::collections::HashSet; use std::ops::Range; use std::sync::Arc; -use boreal_parser::rule::Metadata; -use boreal_parser::rule::VariableDeclaration; +use boreal_parser::rule; use super::expression::{compile_bool_expression, Expression, VariableIndex}; use super::external_symbol::ExternalSymbol; @@ -40,6 +39,27 @@ pub(crate) struct Rule { pub(crate) is_private: bool, } +/// A metadata associated with a rule. +#[derive(Debug)] +pub struct Metadata { + /// Index of the name of the metadata in the metadata string table. + pub name: String, + + /// The value of the metadata. + pub value: MetadataValue, +} + +/// Value of a rule metadata. +#[derive(Clone, Debug, PartialEq, Eq)] +pub enum MetadataValue { + /// Bytestring variant. + Bytes(Vec), + /// Integer variant. + Integer(i64), + /// Boolean variant. + Boolean(bool), +} + /// Object used to compile a rule. #[derive(Debug)] pub(super) struct RuleCompiler<'a> { @@ -95,7 +115,7 @@ pub(super) struct RuleCompilerVariable { impl<'a> RuleCompiler<'a> { pub(super) fn new( - rule_variables: &[VariableDeclaration], + rule_variables: &[rule::VariableDeclaration], namespace: &'a Namespace, external_symbols: &'a Vec, params: &'a CompilerParams, @@ -202,7 +222,7 @@ impl<'a> RuleCompiler<'a> { } pub(super) fn compile_rule( - rule: boreal_parser::rule::Rule, + rule: rule::Rule, namespace: &Namespace, namespace_index: usize, external_symbols: &Vec, @@ -247,7 +267,18 @@ pub(super) fn compile_rule( name: rule.name, namespace_index, tags: rule.tags.into_iter().map(|v| v.tag).collect(), - metadatas: rule.metadatas, + metadatas: rule + .metadatas + .into_iter() + .map(|rule::Metadata { name, value }| Metadata { + name, + value: match value { + rule::MetadataValue::Bytes(v) => MetadataValue::Bytes(v), + rule::MetadataValue::Integer(v) => MetadataValue::Integer(v), + rule::MetadataValue::Boolean(v) => MetadataValue::Boolean(v), + }, + }) + .collect(), nb_variables: variables.len(), condition, is_private: rule.is_private, @@ -270,7 +301,7 @@ pub(super) struct CompiledRule { #[cfg(test)] mod tests { - use crate::test_helpers::test_type_traits_non_clonable; + use crate::test_helpers::{test_type_traits, test_type_traits_non_clonable}; use super::*; @@ -307,5 +338,10 @@ mod tests { name: "a".to_owned(), used: false, }); + test_type_traits_non_clonable(Metadata { + name: String::new(), + value: MetadataValue::Boolean(true), + }); + test_type_traits(MetadataValue::Boolean(true)); } } diff --git a/boreal/src/lib.rs b/boreal/src/lib.rs index c55a0b55..39454d8c 100644 --- a/boreal/src/lib.rs +++ b/boreal/src/lib.rs @@ -93,6 +93,7 @@ use tlsh2 as _; pub(crate) mod atoms; mod bitmaps; pub mod compiler; +pub use compiler::rule::{Metadata, MetadataValue}; pub use compiler::Compiler; mod evaluator; mod matcher; @@ -104,9 +105,5 @@ pub use scanner::Scanner; pub mod statistics; mod timeout; -// Re-exports those symbols since they are exposed in the results of a scan. This avoids -// having to depend on boreal-parser simply to match on those metadatas. -pub use boreal_parser::rule::{Metadata, MetadataValue}; - #[cfg(test)] mod test_helpers; diff --git a/boreal/src/scanner/mod.rs b/boreal/src/scanner/mod.rs index 436404bc..1bdee5d9 100644 --- a/boreal/src/scanner/mod.rs +++ b/boreal/src/scanner/mod.rs @@ -9,8 +9,8 @@ use crate::compiler::variable::Variable; use crate::evaluator::{self, evaluate_rule, EvalError}; use crate::memory::{FragmentedMemory, Memory, Region}; use crate::module::{Module, ModuleData, ModuleUserData}; -use crate::statistics; use crate::timeout::TimeoutChecker; +use crate::{statistics, Metadata}; pub use crate::evaluator::variable::StringMatch; @@ -817,7 +817,7 @@ pub struct MatchedRule<'scanner> { pub tags: &'scanner [String], /// Metadata associated with the rule. - pub metadatas: &'scanner [boreal_parser::rule::Metadata], + pub metadatas: &'scanner [Metadata], /// List of matched strings, with details on their matches. pub matches: Vec>,