contains operator

core/src/filter/ast.rs

@@ -667,7 +667,7 @@ pub(super) fn is_excl_int(
             BinOp::In => return peer_to < from || peer_from > to,
             _ => {}
         },
-        BinOp::Re | BinOp::En => {}
+        BinOp::Re | BinOp::En | BinOp::Contains => {}
     }
     false
 }
@@ -802,6 +802,7 @@ pub enum BinOp {
     In,
     Re,
     En,
+    Contains,
 }
 
 impl fmt::Display for BinOp {
@@ -816,6 +817,7 @@ impl fmt::Display for BinOp {
             BinOp::In => write!(f, "in"),
             BinOp::Re => write!(f, "matches"),
             BinOp::En => write!(f, "eq"),
+            BinOp::Contains => write!(f, "contains"),
         }
     }
 }

core/src/filter/grammar.pest

@@ -53,7 +53,7 @@ not_op = { "!" | "not" | "NOT" }  // not yet supported, temp placeholder
 // Binary operators
 // ----------------------------------------------------------------------
 bin_op = {
-    eq_op | ne_op | ge_op | le_op | gt_op | lt_op | in_op | re_op | en_op
+    eq_op | ne_op | ge_op | le_op | gt_op | lt_op | in_op | re_op | en_op | contains_op
 }
 
 eq_op = { "=" }
@@ -65,6 +65,7 @@ lt_op = { "<" | "lt" }
 in_op = { "in" }
 re_op = { "~" | "matches" }
 en_op = { "eq" }
+contains_op = { "contains" }
 
 // Miscellaneous
 // ----------------------------------------------------------------------

core/src/filter/parser.rs

@@ -183,6 +183,7 @@ impl FilterParser {
             Rule::in_op => Ok(BinOp::In),
             Rule::re_op => Ok(BinOp::Re),
             Rule::en_op => Ok(BinOp::En),
+            Rule::contains_op => Ok(BinOp::Contains),
             _ => bail!(FilterError::InvalidBinOp(op_str)),
         }
     }

examples/log_ssh/Cargo.toml

@@ -11,4 +11,5 @@ retina-datatypes = { path = "../../datatypes" }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.96"
 lazy_static = "1.4.0"
-regex = "1.7.3"
+regex = "1.7.3"
+memchr = "2.7.4"

examples/log_ssh/src/main.rs

@@ -28,25 +28,34 @@ struct Args {
     outfile: PathBuf,
 }
 
-#[filter("ssh.software_version_ctos ~ '^OpenSSH_[0-9]+\\.[0-9].*$'")]
-fn ssh_cb(ssh: &SshHandshake) {
+#[filter("ssh.protocol_version_ctos = |32 2E 30|")]
+fn ssh_byte_match_cb(ssh: &SshHandshake) {
     if let Ok(serialized) = serde_json::to_string(&ssh) {
         let mut wtr = file.lock().unwrap();
         wtr.write_all(serialized.as_bytes()).unwrap();
         wtr.write_all(b"\n").unwrap();
     }
 }
 
-#[filter("ssh.protocol_version_ctos = |32 2E 30|")]
-fn ssh_byte_match_cb(ssh: &SshHandshake) {
+#[filter("ssh.key_exchange_cookie_stoc contains |15 1A|")]
+fn ssh_contains_bytes_cb(ssh: &SshHandshake) {
+    if let Ok(serialized) = serde_json::to_string(&ssh) {
+        let mut wtr = file.lock().unwrap();
+        wtr.write_all(serialized.as_bytes()).unwrap();
+        wtr.write_all(b"\n").unwrap();
+    }
+}
+
+#[filter("ssh.software_version_ctos contains 'OpenSSH'")]
+fn ssh_contains_str_cb(ssh: &SshHandshake) {
     if let Ok(serialized) = serde_json::to_string(&ssh) {
         let mut wtr = file.lock().unwrap();
         wtr.write_all(serialized.as_bytes()).unwrap();
         wtr.write_all(b"\n").unwrap();
     }
 }
 
-#[retina_main(2)]
+#[retina_main(3)]
 fn main() {
     let args = Args::parse();
     let config = load_config(&args.config);

filtergen/Cargo.toml

@@ -19,4 +19,5 @@ serde_with = "1.6.1"
 serde = { version = "1.0", features = ["derive"] }
 toml = "0.5.11"
 retina-datatypes = { path = "../datatypes" }
-lazy_static = "1.4.0"
+lazy_static = "1.4.0"
+memchr = "2.7.4"

filtergen/src/lib.rs

@@ -151,6 +151,7 @@
 //! | `<`      | `lt`      | Less than                  | `ipv6.payload_length < 500`     |
 //! | `in`     |           | In a range, or in a subnet | `ipv4.src_addr in 1.2.3.4/16`   |
 //! | `~`      | `matches` | Regular expression match   | `tls.sni ~ 'netflix\\.com$'`    |
+//! | `contains` |           | Check if right appears in left | `ssh.key_exchange_cookie_stoc contains \|15 A1\|` |
 //!
 //! **Possible pitfalls involving `!=`**
 //!

filtergen/src/utils.rs

@@ -152,6 +152,19 @@ pub(crate) fn binary_to_tokens(
                     //     Regex::new(#val_lit).unwrap().is_match(#proto.#field())
                     // }
                 }
+                BinOp::Contains => {
+                    let val_lit = syn::LitStr::new(text, Span::call_site());
+
+                    let finder_name = format!("FINDER{}", statics.len());
+                    let finder_ident = Ident::new(&finder_name, Span::call_site());
+                    let lazy_finder = quote! {
+                        static ref #finder_ident: memchr::memmem::Finder<'static> = memchr::memmem::Finder::new(#val_lit.as_bytes());
+                    };
+                    statics.push(lazy_finder);
+                    quote! {
+                        #finder_ident.find(#proto.#field().as_bytes()).is_some()
+                    }
+                }
                 _ => panic!("Invalid binary operation `{}` for value: `{}`.", op, value),
             }
         }
@@ -162,6 +175,19 @@ pub(crate) fn binary_to_tokens(
                     #proto.#field().as_bytes() == #bytes_lit
                 }
             }
+            BinOp::Contains => {
+                let bytes_lit = syn::LitByteStr::new(b, Span::call_site());
+
+                let finder_name = format!("FINDER{}", statics.len());
+                let finder_ident = Ident::new(&finder_name, Span::call_site());
+                let lazy_finder = quote! {
+                    static ref #finder_ident: memchr::memmem::Finder<'static> = memchr::memmem::Finder::new(#bytes_lit);
+                };
+                statics.push(lazy_finder);
+                quote! {
+                    #finder_ident.find(#proto.#field().as_ref()).is_some()
+                }
+            }
             _ => panic!("Invalid binary operation `{}` for value: `{}`.", op, value),
         },
     }