owasp-modsecurity
diff --git a/‎CHANGES
+2 b/‎CHANGES
+2
diff --git a/‎Makefile.am
+1 b/‎Makefile.am
+1
diff --git a/‎build/ssdeep.m4
+153 b/‎build/ssdeep.m4
+153
diff --git a/‎configure.ac
+22 b/‎configure.ac
+22
diff --git a/‎examples/multiprocess_c/Makefile.am
+1 b/‎examples/multiprocess_c/Makefile.am
+1
diff --git a/‎examples/reading_logs_via_rule_message/Makefile.am
+1 b/‎examples/reading_logs_via_rule_message/Makefile.am
+1
diff --git a/‎examples/reading_logs_with_offset/Makefile.am
+1 b/‎examples/reading_logs_with_offset/Makefile.am
+1
diff --git a/‎examples/simple_example_using_c/Makefile.am
+1 b/‎examples/simple_example_using_c/Makefile.am
+1
diff --git a/‎examples/using_bodies_in_chunks/Makefile.am
+1 b/‎examples/using_bodies_in_chunks/Makefile.am
+1
diff --git a/‎src/Makefile.am
+2 b/‎src/Makefile.am
+2
diff --git a/‎src/operators/fuzzy_hash.cc
+85-5 b/‎src/operators/fuzzy_hash.cc
+85-5
@@ -2,6 +2,8 @@
 v3.0.????? - ?
 ---------------------------
 
+ - Adds support for @fuzzyHash operator.
+   [Issue #997 - @zimmerle]
  - Fix build on non x86 arch build
    [Issue #1598 - @athmane]
  - Fix memory issue while changing rule target dynamic
 
@@ -284,4 +284,5 @@ TESTS+=test/test-cases/regression/offset-variable.json
 TESTS+=test/test-cases/regression/config-update-target-by-tag.json
 TESTS+=test/test-cases/regression/config-update-target-by-id.json
 TESTS+=test/test-cases/regression/misc-variable-under-quotes.json
+TESTS+=test/test-cases/regression/operator-fuzzyhash.json
 
@@ -0,0 +1,153 @@
+dnl Check for SSDEEP Libraries
+dnl CHECK_SSDEEP(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
+
+
+AC_DEFUN([CHECK_SSDEEP],
+[dnl
+
+# Possible names for the ssdeep library/package (pkg-config)
+SSDEEP_POSSIBLE_LIB_NAMES="fuzzy"
+
+# Possible extensions for the library
+SSDEEP_POSSIBLE_EXTENSIONS="so so0 la sl dll dylib so.0.0.0"
+
+# Possible paths (if pkg-config was not found, proceed with the file lookup)
+SSDEEP_POSSIBLE_PATHS="/usr/lib /usr/local/lib /usr/local/fuzzy /usr/local/libfuzzy /usr/local /opt /usr /usr/lib64 /opt/local"
+
+# Variables to be set by this very own script.
+SSDEEP_CFLAGS=""
+SSDEEP_LDFLAGS=""
+SSDEEP_LDADD=""
+SSDEEP_DISPLAY=""
+
+AC_ARG_WITH(
+    ssdeep,
+    AC_HELP_STRING(
+    [--with-ssdeep=PATH],
+    [Path to ssdeep prefix]
+    )
+)
+
+
+if test "x${with_ssdeep}" == "xno"; then
+    AC_DEFINE(HAVE_SSDEEP, 0, [Support for SSDEEP was disabled by the utilization of --without-ssdeep or --with-ssdeep=no])
+    AC_MSG_NOTICE([Support for SSDEEP was disabled by the utilization of --without-ssdeep or --with-ssdeep=no])
+    SSDEEP_DISABLED=yes
+else
+    if test "x${with_ssdeep}" == "xyes"; then
+        SSDEEP_MANDATORY=yes
+        AC_MSG_NOTICE([SSDEEP support was marked as mandatory by the utilization of --with-ssdeep=yes])
+    else
+        SSDEEP_MANDATORY=no
+    fi
+    for x in ${SSDEEP_POSSIBLE_PATHS}; do
+        CHECK_FOR_SSDEEP_AT(${x})
+        if test -n "${SSDEEP_CFLAGS}"; then
+            break
+        fi
+    done
+fi
+
+
+if test -z "${SSDEEP_CFLAGS}"; then
+    if test -z "${SSDEEP_MANDATORY}"; then
+        if test -z "${SSDEEP_DISABLED}"; then
+            AC_MSG_NOTICE([SSDEEP library was not found])
+            SSDEEP_FOUND=0
+        else
+            SSDEEP_FOUND=2
+        fi
+    else
+        AC_MSG_ERROR([SSDEEP was explicitly referenced but it was not found])
+        SSDEEP_FOUND=-1
+    fi
+else
+
+    if test -z "${SSDEEP_MANDATORY}"; then
+        SSDEEP_FOUND=2
+        AC_MSG_NOTICE([SSDEEP is disabled by default.])
+    else
+        SSDEEP_FOUND=1
+        AC_MSG_NOTICE([using SSDEEP v${SSDEEP_VERSION}])
+        SSDEEP_CFLAGS="-DWITH_SSDEEP ${SSDEEP_CFLAGS}"
+        SSDEEP_DISPLAY="${SSDEEP_LDADD} ${SSDEEP_LDFLAGS}, ${SSDEEP_CFLAGS}"
+        AC_SUBST(SSDEEP_LDFLAGS)
+        AC_SUBST(SSDEEP_LDADD)
+        AC_SUBST(SSDEEP_CFLAGS)
+        AC_SUBST(SSDEEP_DISPLAY)
+    fi
+fi
+
+
+AC_SUBST(SSDEEP_FOUND)
+
+]) # AC_DEFUN [CHECK_SSDEEP]
+
+
+AC_DEFUN([CHECK_FOR_SSDEEP_AT], [
+    path=$1
+    echo "*** LOOKING AT PATH: " ${path}
+    for y in ${SSDEEP_POSSIBLE_EXTENSIONS}; do
+        for z in ${SSDEEP_POSSIBLE_LIB_NAMES}; do
+           if test -e "${path}/${z}.${y}"; then
+               ssdeep_lib_path="${path}/"
+               ssdeep_lib_name="${z}"
+               ssdeep_lib_file="${ssdeep_lib_path}/${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib${z}.${y}"; then
+               ssdeep_lib_path="${path}/"
+               ssdeep_lib_name="${z}"
+               ssdeep_lib_file="${ssdeep_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/lib${z}.${y}"; then
+               ssdeep_lib_path="${path}/lib/"
+               ssdeep_lib_name="${z}"
+               ssdeep_lib_file="${ssdeep_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/x86_64-linux-gnu/lib${z}.${y}"; then
+               ssdeep_lib_path="${path}/lib/x86_64-linux-gnu/"
+               ssdeep_lib_name="${z}"
+               ssdeep_lib_file="${ssdeep_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/i386-linux-gnu/lib${z}.${y}"; then
+               ssdeep_lib_path="${path}/lib/i386-linux-gnu/"
+               ssdeep_lib_name="${z}"
+               ssdeep_lib_file="${ssdeep_lib_path}/lib${z}.${y}"
+               break
+           fi
+       done
+       if test -n "$ssdeep_lib_path"; then
+           break
+       fi
+    done
+    if test -e "${path}/include/fuzzy.h"; then
+        ssdeep_inc_path="${path}/include"
+    elif test -e "${path}/fuzzy.h"; then
+        ssdeep_inc_path="${path}"
+    elif test -e "${path}/include/fuzzy/fuzzy.h"; then
+        ssdeep_inc_path="${path}/include"
+    fi
+
+    if test -n "${ssdeep_lib_path}"; then
+        AC_MSG_NOTICE([SSDEEP library found at: ${ssdeep_lib_file}])
+    fi
+
+    if test -n "${ssdeep_inc_path}"; then
+        AC_MSG_NOTICE([SSDEEP headers found at: ${ssdeep_inc_path}])
+    fi
+
+    if test -n "${ssdeep_lib_path}" -a -n "${ssdeep_inc_path}"; then
+        # TODO: Compile a piece of code to check the version.
+        SSDEEP_CFLAGS="-I${ssdeep_inc_path}"
+        SSDEEP_LDADD="-l${ssdeep_lib_name}"
+        SSDEEP_LDFLAGS="-L${ssdeep_lib_path}"
+        SSDEEP_DISPLAY="${ssdeep_lib_file}, ${ssdeep_inc_path}"
+    fi
+]) # AC_DEFUN [CHECK_FOR_SSDEEP_AT]
+
+
+
@@ -86,6 +86,10 @@ AM_CONDITIONAL([GEOIP_CFLAGS], [test "GEOIP_CFLAGS" != ""])
 PROG_LMDB
 AM_CONDITIONAL([LMDB_CFLAGS], [test "LMDB_CFLAGS" != ""])
 
+# Check for SSDEEP
+CHECK_SSDEEP
+AM_CONDITIONAL([SSDEEP_CFLAGS], [test "SSDEEP_CFLAGS" != ""])
+
 #
 # Check for curl
 #
@@ -483,6 +487,24 @@ if test "x$LIBXML2_FOUND" = "x2"; then
 fi
 
 
+## SSDEEP
+if test "x$SSDEEP_FOUND" = "x0"; then
+    echo "   + SSDEEP                                        ....not found"
+fi
+if test "x$SSDEEP_FOUND" = "x1"; then
+    echo -n "   + SSDEEP                                        ....found "
+    if ! test "x$SSDEEP_VERSION" = "x"; then
+        echo "v${SSDEEP_VERSION}"
+    else
+        echo ""
+    fi
+    echo "      ${SSDEEP_DISPLAY}"
+fi
+if test "x$SSDEEP_FOUND" = "x2"; then
+    echo "   + SSDEEP                                        ....disabled"
+fi
+
+
 echo " "
 echo " Other Options"
 if test $buildTestUtilities = true; then
 
@@ -11,6 +11,7 @@ multi_LDADD = \
 	-lpthread \
 	$(YAJL_LDFLAGS) \
 	$(GEOIP_LDFLAGS) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(GLOBAL_LDADD)
 
 multi_CFLAGS = \
 
@@ -13,6 +13,7 @@ simple_request_LDADD = \
 	$(PCRE_LDADD) \
 	$(YAJL_LDFLAGS) $(YAJL_LDADD) \
 	$(LMDB_LDFLAGS) $(LMDB_LDADD) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(LIBXML2_LDADD) \
 	$(GLOBAL_LDADD)
 
 
@@ -12,6 +12,7 @@ read_LDADD = \
 	$(PCRE_LDADD) \
 	$(YAJL_LDFLAGS) $(YAJL_LDADD) \
 	$(LMDB_LDFLAGS) $(LMDB_LDADD) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(LIBXML2_LDADD) \
 	$(GLOBAL_LDADD)
 
 
@@ -10,6 +10,7 @@ test_LDADD = \
 	-lmodsecurity \
 	$(YAJL_LDFLAGS) \
 	$(GEOIP_LDFLAGS) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(GLOBAL_LDADD)
 
 test_CFLAGS = \
 
@@ -13,6 +13,7 @@ simple_request_LDADD = \
 	$(PCRE_LDADD) \
 	$(YAJL_LDFLAGS) $(YAJL_LDADD) \
 	$(LMDB_LDFLAGS) $(LMDB_LDADD) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(LIBXML2_LDADD) \
 	$(GLOBAL_LDADD)
 
 
@@ -297,6 +297,7 @@ libmodsecurity_la_CPPFLAGS = \
 	$(YAJL_CFLAGS) \
 	$(LMDB_CFLAGS) \
 	$(PCRE_CFLAGS) \
+	$(SSDEEP_CFLAGS) \
 	$(LIBXML2_CFLAGS)
 
 libmodsecurity_la_LIBADD = \
@@ -306,6 +307,7 @@ libmodsecurity_la_LIBADD = \
 	$(PCRE_LDADD) \
 	$(YAJL_LDFLAGS) $(YAJL_LDADD) \
 	$(LMDB_LDFLAGS) $(LMDB_LDADD) \
+	$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
 	$(LIBXML2_LDADD) \
 	../others/libinjection.la \
 	../others/libmbedtls.la
 
@@ -19,16 +19,96 @@
 
 #include "src/operators/operator.h"
 #include "src/macro_expansion.h"
+#include "src/utils/system.h"
 
 namespace modsecurity {
 namespace operators {
 
-bool FuzzyHash::evaluate(Transaction *transaction, const std::string &str) {
-    /**
-     * @todo Implement the operator FuzzyHash.
-     *       Reference: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#fuzzyhash
-     */
+bool FuzzyHash::init(const std::string &param2, std::string *error) {
+#ifdef WITH_SSDEEP
+    std::string digit;
+    std::string file;
+    std::istream *iss;
+    struct fuzzy_hash_chunk *chunk, *t;
+    std::string err;
+
+    auto pos = m_param.find_last_of(' ');
+    if (pos == std::string::npos) {
+        error->assign("Please use @fuzzyHash with filename and value");
+        return false;
+    }
+    digit.append(std::string(m_param, pos+1));
+    file.append(std::string(m_param, 0, pos));
+    try {
+        m_threshold = std::stoi(digit);
+    } catch (...) {
+        error->assign("Expecting a digit, got: " + digit);
+        return false;
+    }
+
+    std::string resource = utils::find_resource(file, param2, &err);
+    iss = new std::ifstream(resource, std::ios::in);
+
+    if (((std::ifstream *)iss)->is_open() == false) {
+        error->assign("Failed to open file: " + m_param + ". " + err);
+        delete iss;
+        return false;
+    }
+
+    for (std::string line; std::getline(*iss, line); ) {
+       chunk = (struct fuzzy_hash_chunk *)calloc(1, sizeof(struct fuzzy_hash_chunk));
+
+        chunk->data = strdup(line.c_str());
+        chunk->next = NULL;
+
+        if (m_head == NULL) {
+            m_head = chunk;
+        } else {
+            t = m_head;
+
+            while (t->next) {
+                t = t->next;
+            }
+
+            t->next = chunk;
+        }
+    }
+
+    delete iss;
     return true;
+#else
+    error->assign("@fuzzyHash: SSDEEP support was not enabled during the compilation.");
+    return false;
+#endif
+}
+
+
+
+bool FuzzyHash::evaluate(Transaction *t, const std::string &str) {
+#ifdef WITH_SSDEEP
+    char result[FUZZY_MAX_RESULT];
+    struct fuzzy_hash_chunk *chunk = m_head;
+
+    if (fuzzy_hash_buf((const unsigned char*)str.c_str(), str.size(), result))
+    {
+        t->debug(4, "Problems generating fuzzy hash");
+        return false;
+    }
+
+    while (chunk != NULL)
+    {
+        int i = fuzzy_compare(chunk->data, result);
+        if (i >= m_threshold)
+        {
+            t->debug(4, "Fuzzy hash: matched " \
+                "with score: " + std::to_string(i) + ".");
+            return true;
+        }
+        chunk = chunk->next;
+    }
+#endif
+    /* No match. */
+    return false;
 }
 
 }  // namespace operators