detect/analyzer: add more details for ipopts
authorJuliana Fajardini <jufajardini@oisf.net>
Thu, 14 Sep 2023 14:44:19 +0000 (11:44 -0300)
committerVictor Julien <victor@inliniac.net>
Tue, 3 Oct 2023 07:29:28 +0000 (09:29 +0200)
In addition to the ipopts keyword name, also log the ip option that was
matched on.

Task #6348

src/detect-engine-analyzer.c
src/detect-ipopts.c
src/detect-ipopts.h

index 1735ce35bb850749a9a5bcc5ed4bbe9a4dbce97d..a37afabb0f00086d44b29500a05a5702023cca83 100644 (file)
@@ -39,6 +39,7 @@
 #include "detect-bytetest.h"
 #include "detect-flow.h"
 #include "detect-tcp-flags.h"
+#include "detect-ipopts.h"
 #include "feature.h"
 #include "util-print.h"
 #include "util-time.h"
@@ -851,6 +852,15 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                 jb_close(js);
                 break;
             }
+            case DETECT_IPOPTS: {
+                const DetectIpOptsData *cd = (const DetectIpOptsData *)smd->ctx;
+
+                jb_open_object(js, "ipopts");
+                const char *flag = IpOptsFlagToString(cd->ipopt);
+                jb_set_string(js, "option", flag);
+                jb_close(js);
+                break;
+            }
         }
         jb_close(js);
 
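Review bot: `flag` on the `const char *flag = IpOptsFlagToString(cd->ipopt);` line can be NULL, since the new helper's default branch returns NULL for any value it does not recognise, and it is passed unguarded to `jb_set_string` on the next line. Unless jb_set_string is known to tolerate a NULL value pointer, guard it: `if (flag != NULL) jb_set_string(js, "option", flag);`, or emit the raw number as a fallback, e.g. `else jb_set_uint(js, "option_raw", cd->ipopt);` if that setter is available in this builder. In practice cd->ipopt should only hold values the ipopts parser copied from its option table, so this is defensive rather than a live defect, but the analyzer output is consumed by tooling and a silent NULL is worse than an explicit fallback. DumpMatches starts outside the hunk.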
index 07e6b7eac9b24e0fae7d62f81c79981433d1023f..105751c388a45ac537f96e4b595a5fb1686bbef9 100644 (file)
@@ -119,6 +119,39 @@ struct DetectIpOpts_ {
     { NULL, 0 },
 };
 
+/**
+ * \brief Return human readable value for ipopts flag
+ *
+ * \param flag uint16_t DetectIpOptsData ipopts flag value
+ */
+const char *IpOptsFlagToString(uint16_t flag)
+{
+    switch (flag) {
+        case IPV4_OPT_FLAG_RR:
+            return "rr";
+        case IPV4_OPT_FLAG_LSRR:
+            return "lsrr";
+        case IPV4_OPT_FLAG_EOL:
+            return "eol";
+        case IPV4_OPT_FLAG_NOP:
+            return "nop";
+        case IPV4_OPT_FLAG_TS:
+            return "ts";
+        case IPV4_OPT_FLAG_SEC:
+            return "sec";
+        case IPV4_OPT_FLAG_ESEC:
+            return "esec";
+        case IPV4_OPT_FLAG_SSRR:
+            return "ssrr";
+        case IPV4_OPT_FLAG_SID:
+            return "satid";
+        case 0xffff:
+            return "any";
+        default:
+            return NULL;
+    }
+}
+
 /**
  * \internal
  * \brief This function is used to match ip option on a packet with those passed via ipopts:
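Review bot: The doc comment on IpOptsFlagToString describes the parameter but not the return contract, and the `default:` branch returning NULL is exactly what callers need to know; add `\retval const char * short option name, or NULL if flag is not a known option value` to the comment block. The `case 0xffff:` line is a bare magic literal for the "any" sentinel the parser stores; if the option table ending just above the function already names that value, reuse that name here, otherwise introduce a named constant so the two cannot drift apart. A reverse lookup over that NULL-terminated name table would avoid maintaining the name-to-value mapping twice, assuming its names match the strings wanted in the analyzer output — "satid" for IPV4_OPT_FLAG_SID suggests they may not, so that is worth confirming before refactoring.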
index 4089ea5ad6552e88d92b07b68bfaa621332851b0..a4009252d0b5a9fc04745c9a816c4850ca8872f0 100644 (file)
@@ -45,5 +45,7 @@ typedef struct DetectIpOptsData_ {
 
 void DetectIpOptsRegister (void);
 
+const char *IpOptsFlagToString(uint16_t flag);
+
 #endif /*__DETECT_IPOPTS_H__ */