Use a separate func for matching for filesystem signatures

Author: kylos101

components/ee/agent-smith/pkg/classifier/filesystem_test.go

@@ -5,15 +5,14 @@
 package classifier
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
 )
 
 func TestSignatureMatchClassifier_MatchesFile(t *testing.T) {
 	// Create temporary directory for test files
-	tempDir, err := ioutil.TempDir("", "agent-smith-test")
+	tempDir, err := os.MkdirTemp("", "agent-smith-test")
 	if err != nil {
 		t.Fatalf("failed to create temp dir: %v", err)
 	}
@@ -30,7 +29,7 @@ func TestSignatureMatchClassifier_MatchesFile(t *testing.T) {
 
 	for filename, content := range testFiles {
 		filePath := filepath.Join(tempDir, filename)
-		if err := ioutil.WriteFile(filePath, content, 0644); err != nil {
+		if err := os.WriteFile(filePath, content, 0644); err != nil {
 			t.Fatalf("failed to create test file %s: %v", filename, err)
 		}
 	}
@@ -251,14 +250,14 @@ func TestSignatureMatchClassifier_ContentMatching(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Create a temporary file for testing
-			tempDir, err := ioutil.TempDir("", "agent-smith-content-test")
+			tempDir, err := os.MkdirTemp("", "agent-smith-content-test")
 			if err != nil {
 				t.Fatalf("failed to create temp dir: %v", err)
 			}
 			defer os.RemoveAll(tempDir)
 
 			filePath := filepath.Join(tempDir, tt.filename)
-			if err := ioutil.WriteFile(filePath, []byte(tt.content), 0644); err != nil {
+			if err := os.WriteFile(filePath, []byte(tt.content), 0644); err != nil {
 				t.Fatalf("failed to create test file: %v", err)
 			}
 

components/ee/agent-smith/pkg/classifier/sinature.go

@@ -43,7 +43,9 @@ type Signature struct {
 	// Name is a description of the signature
 	Name string `json:"name,omitempty"`
 
-	// Domain describe where to look for the file to search for the signature (default: "filesystem")
+	// Domain describe where to look for the file to search for the signature
+	// "process" is dominant
+	// if domain is empty, we set "filesystem"
 	Domain Domain `json:"domain,omitempty"`
 
 	// The kind of file this signature can apply to
@@ -149,6 +151,11 @@ func (s *Signature) Matches(in *SignatureReadCache) (bool, error) {
 		}
 	}
 
+	// necessary to do a string match for text files
+	if s.Domain == DomainFileSystem {
+		return s.matchAnyFile(in)
+	}
+
 	// match the specific kind
 	switch s.Kind {
 	case ObjectELFSymbols:
@@ -282,6 +289,33 @@ func (s *Signature) matchAny(in *SignatureReadCache) (bool, error) {
 		pos += int64(n)
 
 		// TODO: deal with buffer edges (i.e. pattern wrapping around the buffer edge)
+		if bytes.Contains(sub, s.Pattern) {
+			return true, nil
+		}
+
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return false, xerrors.Errorf("cannot read stream: %w", err)
+		}
+		if s.Slice.End > 0 && pos >= s.Slice.End {
+			break
+		}
+	}
+
+	return false, nil
+}
+
+// matchAny matches a signature against a text file
+func (s *Signature) matchAnyFile(in *SignatureReadCache) (bool, error) {
+	buffer := make([]byte, 8096)
+	pos := s.Slice.Start
+	for {
+		n, err := in.Reader.ReadAt(buffer, pos)
+		sub := buffer[0:n]
+		pos += int64(n)
+
 		match, matchErr := s.matches(sub)
 		if matchErr != nil {
 			return false, matchErr