Merge pull request #1398 from Andrew15-5/empty-host

gustavo-iniguez-goya · web-flow · commit faeed356ab96 · 2025-07-19T00:09:55.000+02:00
Add ability to match bare IP requests (empty host name)
diff --git a/daemon/rule/operator.go b/daemon/rule/operator.go
@@ -111,8 +111,16 @@ func (o *Operator) Compile() error {
 		return nil
 	}
 
-	// the only operator Type that can have the Data field empty is List.
-	if o.Type != List && o.Operand != OpTrue && o.Data == "" {
+	// The only operator Type that can have the Data field empty are:
+	// Simple, Regexp, List.
+	// For List, because it uses List field and not Data field.
+	// For Simple and Regexp, because it can be useful to match on some
+	// operands that can in practice be equal to an empty string. This is the
+	// case, for example, when a request has a "bare" IP instead of a domain
+	// name, therefore DstHost field will be empty. You can match empty string
+	// with simple comparison or the "^$" regexp pattern.
+	if !(o.Type == Simple || o.Type == Regexp || o.Type == List) &&
+		o.Operand != OpTrue && o.Data == "" {
 		return fmt.Errorf("Operand %s cannot be empty (%s)", o.Operand, o.Type)
 	}
 
@@ -343,7 +351,7 @@ func (o *Operator) Match(con *conman.Connection, hasChecksums bool) bool {
 		return false
 	} else if o.Operand == OpProcessCmd {
 		return o.cb(strings.Join(con.Process.Args, " "))
-	} else if o.Operand == OpDstHost && con.DstHost != "" {
+	} else if o.Operand == OpDstHost {
 		return o.cb(con.DstHost)
 	} else if o.Operand == OpDstIP {
 		return o.cb(con.DstIP.String())
diff --git a/daemon/rule/operator_test.go b/daemon/rule/operator_test.go
@@ -740,3 +740,47 @@ func TestRaceNewOperatorListsDomainsRegexp(t *testing.T) {
 
 	restoreConnection()
 }
+
+func TestNewOperatorRegexpBareIpNoHostName(t *testing.T) {
+	t.Log("Test NewOperator() regex bare IP (no host name)")
+	var dummyList []Operator
+
+	conn.DstHost = ""
+
+	opRE, err := NewOperator(Regexp, true, OpDstHost, "^$", dummyList)
+	if err != nil {
+		t.Error("NewOperator regexp.case-sensitive.err should be nil: ", err)
+		t.Fail()
+	}
+	if err = opRE.Compile(); err != nil {
+		t.Fail()
+	}
+	if opRE.Match(conn, false) == false {
+		t.Error("Test NewOperator() RE sensitive match:", conn.DstHost)
+		t.Fail()
+	}
+
+	restoreConnection()
+}
+
+func TestNewOperatorSimpleBareIpNoHostName(t *testing.T) {
+	t.Log("Test NewOperator() simple bare IP (no host name)")
+	var dummyList []Operator
+
+	conn.DstHost = ""
+
+	opSimple, err := NewOperator(Simple, true, OpDstHost, "", dummyList)
+	if err != nil {
+		t.Error("NewOperator simple.case-sensitive.err should be nil: ", err)
+		t.Fail()
+	}
+	if err = opSimple.Compile(); err != nil {
+		t.Fail()
+	}
+	if opSimple.Match(conn, false) == false {
+		t.Error("Test NewOperator() simple sensitive match:", conn.DstHost)
+		t.Fail()
+	}
+
+	restoreConnection()
+}
