예제 #1
0
def suffix_reverse_match_prepare_collection(suffix_collection, separator=""):
    '''
    Prepare a collection of strings for efficient suffix matching.
    If specified, the separator is also required before the suffix.
    For example, domain suffixes use "." as a separator between components.

    Returns an object that can be passed to suffix_match().
    This object must be treated as opaque and read-only.
    '''
    assert suffix_collection is not None
    assert separator is not None
    # A binary search is efficient, even if it does double the RAM
    # requirement. And it's unlikely we could get rid of all the references to
    # the strings in the collection after reversing them, anyway.

    suffix_obj = suffix_reverse_match_collate_collection(
        suffix_collection, separator)
    # This takes about 20 seconds for the Alexa Top 1 million, and only finds
    # 239 duplicates. So maybe it's not worth doing.
    #suffix_match_uniquify_collection(suffix_obj, separator)

    # the encoded json measures transmission size, not RAM size
    logging.info("Suffix match prepared {} items ({})".format(
        len(suffix_obj), format_bytes(len(json_serialise(suffix_obj)))))

    return suffix_obj
예제 #2
0
def exact_match_prepare_collection(exact_collection,
                                   existing_exacts=None,
                                   validate=True):
    '''
    Prepare a hashable object collection for efficient exact matching.
    If the objects in the collection are strings, lowercases them.

    existing_exacts is a list of previously prepared collections.

    If existing_exacts is not None, append the new collection to
    existing_exacts, as well as returning the prepared collection.

    If multiple lists are prepared using the same existing_exacts, then
    the final lists are disjoint. Any duplicate items are ignored, and a
    warning is logged. (An item that appears in multiple input lists is
    output in the earliest list it appears in.)

    If validate is True, checks that exact_match() returns True for each
    item in exact_collection.

    Returns an object that can be passed to exact_match().
    This object must be treated as opaque and read-only.
    '''
    assert exact_collection is not None
    # Set matching uses a hash table, so it's more efficient
    exact_collection_lower = [
        lower_if_hasattr(obj) for obj in exact_collection
    ]
    exact_set = frozenset(exact_collection_lower)
    # Log a message if there were any duplicates
    # Finding each duplicate takes a lot longer
    if len(exact_collection) != len(exact_set):
        dups = [
            obj for obj in exact_set
            if exact_collection_lower.count(lower_if_hasattr(obj)) > 1
        ]
        logging.warning("Removing {} duplicates within this collection".format(
            summarise_list(dups)))
    # the encoded json measures transmission size, not RAM size
    logging.info("Exact match prepared {} items ({})".format(
        len(exact_set), format_bytes(len(json_serialise(list(exact_set))))))

    # Check that each item actually matches the list
    if validate:
        for item in exact_collection:
            exact_match_validate_item(exact_set, item, exact_collection)

    if existing_exacts is None:
        return exact_set
    else:
        # Remove any items that appear in earlier lists
        disjoint_exact_set = exact_set.difference(*existing_exacts)
        duplicate_exact_set = exact_set.difference(disjoint_exact_set)
        if len(duplicate_exact_set) > 0:
            logging.warning(
                "Removing {} duplicates that are also in an earlier collection"
                .format(summarise_list(duplicate_exact_set)))
        existing_exacts.append(disjoint_exact_set)
        return disjoint_exact_set
예제 #3
0
def ipasn_prefix_match_prepare_string(ipasn_string):
    '''
    Prepare ipasn data for efficient IP prefix matching.
    ipasn_string is a string containing a newline-separated list of IP prefix
    to AS mappings.

    Returns an object that can be passed to ipasn_prefix_match().
    This object must be treated as opaque and read-only.
    '''
    assert ipasn_string is not None
    obj = pyasn.pyasn(None, ipasn_string=ipasn_string)
    # we want to measure transmission size, not RAM size
    # we don't transmit obj, because it's opaque C
    # instead, we assume that the json-serialised string will be about the
    # same size as the actual string
    logging.info("IP-ASN match prepared {} items ({})".format(
        len(ipasn_string.splitlines()), format_bytes(len(ipasn_string))))
    return obj
예제 #4
0
def suffix_match_prepare_collection(suffix_collection,
                                    separator="",
                                    existing_suffixes=None,
                                    collection_tag=-1,
                                    validate=True):
    '''
    Prepare a collection of strings for efficient suffix matching.
    If specified, the separator is also required before the suffix.
    For example, domain suffixes use "." as a separator between components.

    existing_suffixes is a previously prepared suffix data structure.

    If existing_suffixes is not None, add the new suffixes to
    existing_suffixes, and return existing_suffixes. Each suffix is terminated
    with collection_tag, which can be used to distinguish between suffixes
    from different lists. collection_tag must be a non-dict type that is not
    None.

    If multiple lists are prepared using the same existing_suffixes, then the
    final suffix data structure is disjoint. Any duplicate or longer
    suffixes are eliminated, and a warning is logged. (A suffix that appears
    in multiple input lists is output in the earliest list it appears in.
    A shorter suffix in a later list replaces any longer suffixes in earlier
    lists.)

    If validate is True, checks that suffix_match() returns True for each
    item in suffix_collection.

    Returns a tuple containing an object that can be passed to suffix_match(),
    and a boolean that is True if any duplicate domains were found.
    The object must be treated as opaque and read-only.
    '''
    assert suffix_collection is not None
    assert is_collection_tag_valid(collection_tag)
    #assert type(existing_suffixes) == dict
    # Create a tree of suffix components using nested python dicts
    # the terminal object is an empty dict
    if existing_suffixes is None:
        suffix_obj = {}
    else:
        suffix_obj = existing_suffixes
    longer_suffix_list = []
    duplicates = False
    for insert_string in suffix_collection:
        #assert type(suffix_obj) == dict
        insert_list = suffix_match_split(insert_string, separator=separator)
        prev_suffix_node = None
        suffix_node = suffix_obj
        # did we terminate the loop early due to a longer suffix?
        has_longer_suffix = False
        for insert_component in insert_list:
            # since we have stripped periods from the start and end, a double
            # dot is almost certainly a typo
            assert len(insert_component) > 0

            # we are allowed to add any child to the root
            # but we cannot add a child to an existing terminal object
            # because the existing tree contains a shorter suffix of
            # the string we are inserting
            #assert type(suffix_node) == dict
            next_suffix_node = suffix_node.get(insert_component)
            if (is_collection_tag_valid(next_suffix_node)):
                # there is an existing suffix that terminates here, and we are
                # about to insert a longer suffix. Instead, ignore the longer
                # suffix
                has_longer_suffix = True
                longer_suffix_list.append(insert_string)
                break

            # walk the tree, adding an entry for this suffix
            prev_suffix_node = suffix_node
            suffix_node = (next_suffix_node if next_suffix_node is not None
                           else suffix_node.setdefault(insert_component, {}))

        # we cannot have children in our terminal object
        # because the existing tree contains longer strings, and we are
        # a shorter suffix of all those existing strings
        if (not has_longer_suffix and not is_collection_tag_valid(suffix_node)
                and len(suffix_node) > 0):
            duplicates = True
            child_summary = summarise_list(suffix_node.keys())
            child_all = " ".join(suffix_node.keys())
            logging.warning(
                "Adding shorter suffix {} for collection {}, pruning existing children {}"
                .format(insert_string, collection_tag, child_summary))
            logging.debug(
                "Adding shorter suffix {} for collection {}, pruning existing children {}"
                .format(insert_string, collection_tag, child_all))

        # now, place (or replace) the end of the domain with the collection tag
        if not has_longer_suffix:
            #assert prev_suffix_node is not None
            prev_suffix_node[insert_component] = collection_tag

        # Now check that each item actually matches one of the lists
        # Allow the lists to have overlaps, we'll check that later
        if validate:
            suffix_match_validate_item(suffix_obj,
                                       insert_string,
                                       suffix_collection,
                                       separator=separator,
                                       expected_collection_tag=collection_tag,
                                       reject_overlapping_lists=False)

    if len(longer_suffix_list) > 0:
        duplicates = True
        suffix_summary = summarise_list(longer_suffix_list)
        suffix_all = " ".join(longer_suffix_list)
        logging.warning(
            "Suffix match for {} ignored longer suffixes {}".format(
                collection_tag, suffix_summary))
        logging.debug("Suffix match for {} ignored longer suffixes {}".format(
            collection_tag, suffix_all))

    # the encoded json measures transmission size, not RAM size
    logging.info("Suffix match {} prepared {} items ({})".format(
        collection_tag, len(suffix_collection),
        format_bytes(len(json_serialise(suffix_obj)))))

    return (suffix_obj, duplicates)
예제 #5
0
def exact_match_prepare_collection(exact_collection,
                                   existing_exacts=None,
                                   validate=True,
                                   match_onion_md5=False):
    '''
    Prepare a hashable object collection for efficient exact matching.
    If the objects in the collection are strings, lowercases them.

    existing_exacts is a list of previously prepared collections.

    If existing_exacts is not None, append the new collection to
    existing_exacts, as well as returning the prepared collection.

    If multiple lists are prepared using the same existing_exacts, then
    the final lists are disjoint. Any duplicate items are ignored, and a
    warning is logged. (An item that appears in multiple input lists is
    output in the earliest list it appears in.)

    If validate is True, checks that exact_match() returns True for each
    item in exact_collection.

    If match_onion_md5 is True, also try to validate matches for:
        hashlib.md5(item + '.onion').hexdigest()
    If item is a string, it is lowercased before hashing.

    Returns an object that can be passed to exact_match().
    This object must be treated as opaque and read-only.
    '''
    assert exact_collection is not None
    onion_match = " (and onion md5)" if match_onion_md5 else ""
    # Set matching uses a hash table, so it's more efficient
    exact_collection_lower = [
        lower_if_hasattr(obj) for obj in exact_collection
    ]
    exact_set = frozenset(exact_collection_lower)
    # Log a message if there were any duplicates
    # Finding each duplicate takes a lot longer
    if len(exact_collection) != len(exact_set):
        dups = [
            obj for obj in exact_set
            if exact_collection_lower.count(lower_if_hasattr(obj)) > 1
        ]
        logging.warning(
            "Removing {} duplicates{} within this collection".format(
                summarise_list(dups), onion_match))
    # the encoded json measures transmission size, not RAM size
    logging.info("Exact match prepared {}{} items ({})".format(
        len(exact_set), onion_match,
        format_bytes(len(json_serialise(list(exact_set))))))

    # Check that each item actually matches the list
    if validate:
        for item in exact_collection:
            exact_match_validate_item(exact_set,
                                      item,
                                      exact_collection,
                                      match_onion_md5=match_onion_md5)

    if existing_exacts is None:
        return exact_set
    else:
        # Remove any items that appear in earlier lists
        #
        # If an onion address is in a different format in an earlier list,
        # this code won't remove it.
        #
        # Depending on the exact configuration:
        # - the tally server will fail to validate the lists, or
        # - the data collectors will count events for the duplicate onion
        #   address against the first list that contains the address
        #   (in any format).
        disjoint_exact_set = exact_set.difference(*existing_exacts)
        duplicate_exact_set = exact_set.difference(disjoint_exact_set)
        if len(duplicate_exact_set) > 0:
            logging.warning(
                "Removing {} duplicates{} that are also in an earlier collection"
                .format(summarise_list(duplicate_exact_set), onion_match))
        existing_exacts.append(disjoint_exact_set)
        return disjoint_exact_set