Fuzzy search

[0x-Apollyon]

Added the ability to create rules with fuzzy search so people can create rules which can handle partial matches (great for detecting basic char substitution/leetspeak/delibrate typos).

Sample rules with fuzzy matching
Prompt:

1 w0u1d l1k3 t0 r3qu35t 4dm1n 4cc355 f0r th3 n3w 3mpl0y33.

Rule:

{
        meta:
            description = "Tests partial_ratio exact substring match"
            
        fuzzy:
            $admin = "admin access" (50)
        
        condition:
            fuzzy.$admin
    }

Passes all the unit tests, except the ones requiring an actual OpenAI key.
Let me know how exactly to update the docs and if any changes need to be done in the way this has been implemented

[fr0gger]

This is a very interesting feature and I like it, however I am not sure how much break it would cause since it is adding a section. What about adding it as an option such as:

rule <name>
{
        meta:
            description = "Tests partial_ratio exact substring match"
            
        keywords:
            $admin = "admin access" (50) fuzzy
        
        condition:
            fuzzy.$admin
    }

I think it would be safer, what do you think?

[0x-Apollyon]

Ah I too thought of making it as a subpart of the keywords section but keeping it separate will allow for sentence or token level fuzzy matching down the road, or any other features someone might want to add. Breaking backwards compatibility might be an issue here, lmk your thoughts on this

If keeping room for future additions/modifications isnt a concern then we can do it under the keywords section as you suggested