Attempt to fix parsing of rule action blocks. Previously I did not take into account that there could be more than one action block in a response.

This should fix that by checking the NoOfActions value and parsing out any action blocks associated with it.

TODO: look into extended rules. these will still cause issues. need to find a away to identify that extended rules are returned

Author: Etienne Stalmans

mapi/datastructs.go

@@ -1899,16 +1899,24 @@ func (queryRows *RopQueryRowsResponse) Unmarshal(resp []byte, properties []Prope
 				//Unmarshal the ruleaction and then add it into the ValueArray again. messy
 				//or grab the action len, which is the second uint16 and use this to determine how much to read
 				//read ahead to get the length
-				_, pos = utils.ReadUint16(pos, resp)
+				noofActions := uint16(0)
+				noofActions, pos = utils.ReadUint16(pos, resp) //NoOfActions - this is 2bytes for normal rules, 4 for extended
+				utils.Info.Println("NoOfActttions: ", noofActions)
 				//read length but don't advance the buffer
-				l, _ := utils.ReadUint16(pos, resp)
-				//read the whole RuleAction into the valueArray, this means
-				pos -= 2 //reset the position
-				if pos+int(l+4) > len(resp) {
-					break
-				} else {
-					trow.ValueArray, pos = utils.ReadBytes(pos, int(l+4), resp)
+				trow.ValueArray = []byte{}
+				for x := 0; x < int(noofActions); x++ {
+					l, _ := utils.ReadUint16(pos, resp) //length is part of the RuleAction in an ActionBlock
+					//read the whole RuleAction into the valueArray, this means
+					pos -= 2 //reset the position
+					if pos+int(l+4) > len(resp) {
+						break
+					} else {
+						tk := []byte{}
+						tk, pos = utils.ReadBytes(pos, int(l+4), resp)
+						trow.ValueArray = append(trow.ValueArray, tk...)
+					}
 				}
+				//if NoOfActions > 1 read the rest of the actions
 				rows[k] = append(rows[k], trow)
 			}
 		}

ruler.go

@@ -512,10 +512,10 @@ func connect(c *cli.Context) error {
 
 func printRules() error {
 	//rules, er := mapi.DisplayRules()
-	cols := make([]mapi.PropertyTag, 2)
+	cols := make([]mapi.PropertyTag, 3)
 	cols[0] = mapi.PidTagRuleName
 	cols[1] = mapi.PidTagRuleID
-	//cols[2] = mapi.PidTagRuleActions
+	cols[2] = mapi.PidTagRuleActions
 
 	rows, er := mapi.FetchRules(cols)
 
@@ -533,30 +533,31 @@ func printRules() error {
 			}
 		}
 		maxwidth -= 10
-		fmstr1 := fmt.Sprintf("%%-%ds | %%-16s \n", maxwidth)
-		fmstr2 := fmt.Sprintf("%%-%ds | %%x \n", maxwidth)
-		utils.Info.Printf(fmstr1, "Rule Name", "Rule ID")
-		utils.Info.Printf("%s|%s\n", (strings.Repeat("-", maxwidth+1)), strings.Repeat("-", 18))
+		fmstr1 := fmt.Sprintf("%%-%ds | %%-16s | %%-s \n", maxwidth)
+		fmstr2 := fmt.Sprintf("%%-%ds | %%x | %%s\n", maxwidth)
+		utils.Info.Printf(fmstr1, "Rule Name", "Rule ID", "Run Application")
+		utils.Info.Printf("%s|%s|%s\n", (strings.Repeat("-", maxwidth+1)), strings.Repeat("-", 18), strings.Repeat("-", 18))
 		for k := 0; k < int(rows.RowCount); k++ {
 			clientSide := false
 			clientApp := ""
-			/*
-				rd := mapi.RuleAction{}
-				rd.Unmarshal(rows.RowData[k][2].ValueArray)
-				if rd.ActionType == 0x05 {
-					for _, a := range rd.ActionData.Conditions {
-						if a.Tag[1] == 0x49 {
-							clientSide = true
-							clientApp = string(utils.FromUnicode(a.Value))
-							break
-						}
+
+			rd := mapi.RuleAction{}
+			rd.Unmarshal(rows.RowData[k][2].ValueArray)
+			if rd.ActionType == 0x05 {
+				for _, a := range rd.ActionData.Conditions {
+					if a.Tag[1] == 0x49 {
+						clientSide = true
+						clientApp = string(utils.FromUnicode(a.Value))
+						break
 					}
 				}
-			*/
+
+			}
+
 			if clientSide == true {
 				utils.Info.Printf(fmstr2, string(utils.FromUnicode(rows.RowData[k][0].ValueArray)), rows.RowData[k][1].ValueArray, fmt.Sprintf("* %s", clientApp))
 			} else {
-				utils.Info.Printf(fmstr2, string(utils.FromUnicode(rows.RowData[k][0].ValueArray)), rows.RowData[k][1].ValueArray)
+				utils.Info.Printf(fmstr2, string(utils.FromUnicode(rows.RowData[k][0].ValueArray)), rows.RowData[k][1].ValueArray, "")
 			}
 		}
 		utils.Info.Println()