detect: add verbosity of --list-keywords

Add indicators of content modifier or sticky buffer, and also
allow registering an alternative to a keyword.

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 926a8ba2529cfa2300e6392607752a2886c81d92..2c2fb5f6ecf1471fb72b9d71f18dfbf58234975e 100644 (file)
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -247,7 +247,7 @@
 
 static void PrintFeatureList(const SigTableElmt *e, char sep)
 {
-    const uint8_t flags = e->flags;
+    const uint16_t flags = e->flags;
 
     int prev = 0;
     if (flags & SIGMATCH_NOOPT) {
@@ -266,6 +266,18 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
         printf("compatible with decoder event only rule");
         prev = 1;
     }
+    if (flags & SIGMATCH_INFO_CONTENT_MODIFIER) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("content modifier");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_INFO_STICKY_BUFFER) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("sticky buffer");
+        prev = 1;
+    }
     if (e->Transform) {
         if (prev == 1)
             printf("%c", sep);
@@ -293,6 +305,9 @@ static void SigMultilinePrint(int i, const char *prefix)
     if (sigmatch_table[i].url) {
         printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
     }
+    if (sigmatch_table[i].alternative) {
+        printf("\n%sReplaced by: %s", prefix, sigmatch_table[sigmatch_table[i].alternative].name);
+    }
     printf("\n");
 }
 

diff --git a/src/detect.h b/src/detect.h
index 0a59e86f559bdfa3f052aff76e020673deab3323..6d436373c053145cb4921c29423450087a22b48f 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1159,6 +1159,9 @@ typedef struct SigTableElmt_ {
     uint16_t flags;
     /* coccinelle: SigTableElmt:flags:SIGMATCH_ */
 
+    /** better keyword to replace the current one */
+    uint16_t alternative;
+
     const char *name;     /**< keyword name alias */
     const char *alias;    /**< name alias */
     const char *desc;
@@ -1327,27 +1330,31 @@ typedef struct SigGroupHead_ {
 } SigGroupHead;
 
 /** sigmatch has no options, so the parser shouldn't expect any */
-#define SIGMATCH_NOOPT              BIT_U16(0)
+#define SIGMATCH_NOOPT                  BIT_U16(0)
 /** sigmatch is compatible with a ip only rule */
-#define SIGMATCH_IPONLY_COMPAT      BIT_U16(1)
+#define SIGMATCH_IPONLY_COMPAT          BIT_U16(1)
 /** sigmatch is compatible with a decode event only rule */
-#define SIGMATCH_DEONLY_COMPAT      BIT_U16(2)
+#define SIGMATCH_DEONLY_COMPAT          BIT_U16(2)
 /**< Flag to indicate that the signature is not built-in */
-#define SIGMATCH_NOT_BUILT          BIT_U16(3)
+#define SIGMATCH_NOT_BUILT              BIT_U16(3)
 /** sigmatch may have options, so the parser should be ready to
  *  deal with both cases */
-#define SIGMATCH_OPTIONAL_OPT       BIT_U16(4)
+#define SIGMATCH_OPTIONAL_OPT           BIT_U16(4)
 /** input may be wrapped in double quotes. They will be stripped before
  *  input data is passed to keyword parser */
-#define SIGMATCH_QUOTES_OPTIONAL    BIT_U16(5)
+#define SIGMATCH_QUOTES_OPTIONAL        BIT_U16(5)
 /** input MUST be wrapped in double quotes. They will be stripped before
  *  input data is passed to keyword parser. Missing double quotes lead to
  *  error and signature invalidation. */
-#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
+#define SIGMATCH_QUOTES_MANDATORY       BIT_U16(6)
 /** negation parsing is handled by the rule parser. Signature::init_data::negated
  *  will be set to true or false prior to calling the keyword parser. Exclamation
  *  mark is stripped from the input to the keyword parser. */
-#define SIGMATCH_HANDLE_NEGATION    BIT_U16(7)
+#define SIGMATCH_HANDLE_NEGATION        BIT_U16(7)
+/** keyword is a content modifier */
+#define SIGMATCH_INFO_CONTENT_MODIFIER  BIT_U16(8)
+/** keyword is a sticky buffer */
+#define SIGMATCH_INFO_STICKY_BUFFER     BIT_U16(9)
 
 enum DetectEngineTenantSelectors
 {