From: Victor Julien
Date: Tue, 27 Nov 2018 09:49:37 +0000 (+0100)
Subject: detect: add verbosity of --list-keywords
X-Git-Tag: suricata-5.0.0-beta1~293
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33b81f7439d55077db797523a40d80728e46ba61;p=thirdparty%2Fsuricata.git
detect: add verbosity of --list-keywords
Add indicators of content modifier or sticky buffer, and also allow registering an alternative to a keyword.
---
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 926a8ba252..2c2fb5f6ec 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -247,7 +247,7 @@
 static void PrintFeatureList(const SigTableElmt *e, char sep)
 {
- const uint8_t flags = e->flags;
+ const uint16_t flags = e->flags;
 int prev = 0;
 if (flags & SIGMATCH_NOOPT) {
@@ -266,6 +266,18 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
 printf("compatible with decoder event only rule");
 prev = 1;
 }
+ if (flags & SIGMATCH_INFO_CONTENT_MODIFIER) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("content modifier");
+ prev = 1;
+ }
+ if (flags & SIGMATCH_INFO_STICKY_BUFFER) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("sticky buffer");
+ prev = 1;
+ }
 if (e->Transform) {
 if (prev == 1)
 printf("%c", sep);
@@ -293,6 +305,9 @@ static void SigMultilinePrint(int i, const char *prefix)
 if (sigmatch_table[i].url) {
 printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
 }
+ if (sigmatch_table[i].alternative) {
+ printf("\n%sReplaced by: %s", prefix, sigmatch_table[sigmatch_table[i].alternative].name);
+ }
 printf("\n");
 }
diff --git a/src/detect.h b/src/detect.h
index 0a59e86f55..6d436373c0 100644
--- a/src/detect.h
+++ b/src/detect.h
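Review bot: The two blocks added to PrintFeatureList repeat the `if (prev == 1) printf("%c", sep);` separator sequence once more per feature, each time with an unbraced `if` sitting directly above an unrelated `printf`. Moving the separator-then-label step into a small static helper would reduce every flag check to one call and remove the chance of a statement slipping out of the conditional when the next flag is added. The function starts and ends outside this hunk, so the existing checks would need the same conversion to stay consistent.

```c
static void PrintFeature(const char *label, char sep, int *prev)
{
    if (*prev == 1) {
        printf("%c", sep);
    }
    printf("%s", label);
    *prev = 1;
}

/* … unchanged: earlier flag checks in PrintFeatureList … */
    if (flags & SIGMATCH_INFO_CONTENT_MODIFIER) {
        PrintFeature("content modifier", sep, &prev);
    }
    if (flags & SIGMATCH_INFO_STICKY_BUFFER) {
        PrintFeature("sticky buffer", sep, &prev);
    }
```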
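Review bot: In the SigMultilinePrint hunk, `alternative` is used directly as an index into `sigmatch_table` and the resulting `name` goes to `%s` with no check on either. A keyword that registers an id past the end of the table, or one whose entry has no name set, would make --list-keywords read outside the array or pass NULL to printf. A guard such as `const uint16_t alt = sigmatch_table[i].alternative;` followed by `if (alt != 0 && alt < DETECT_TBLSIZE && sigmatch_table[alt].name != NULL)` covers both cases, assuming DETECT_TBLSIZE is the bound of the table. The value comes from keyword registration code rather than external input, so this is a robustness check; the function body starts outside the hunk.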
@@ -1159,6 +1159,9 @@ typedef struct SigTableElmt_ { uint16_t flags; /* coccinelle: SigTableElmt:flags:SIGMATCH_ */ + /** better keyword to replace the current one */ + uint16_t alternative; + const char *name; /**< keyword name alias */ const char *alias; /**< name alias */ const char *desc; 
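Review bot: The comment on the new `alternative` field does not say what the number represents or which value means "unset". Going by its use in SigMultilinePrint in this same commit, it is an index into `sigmatch_table` and 0 is treated as "no alternative", which also means the keyword with id 0 can never be named as a replacement. I would state that in the field comment, for example `/** keyword id (index into sigmatch_table) of the preferred replacement; 0 means none */`. The struct definition continues outside the hunk.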
@@ -1327,27 +1330,31 @@ typedef struct SigGroupHead_ {
 } SigGroupHead;
 /** sigmatch has no options, so the parser shouldn't expect any */
-#define SIGMATCH_NOOPT BIT_U16(0)
+#define SIGMATCH_NOOPT BIT_U16(0)
 /** sigmatch is compatible with a ip only rule */
-#define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
+#define SIGMATCH_IPONLY_COMPAT BIT_U16(1)
 /** sigmatch is compatible with a decode event only rule */
-#define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
+#define SIGMATCH_DEONLY_COMPAT BIT_U16(2)
 /**< Flag to indicate that the signature is not built-in */
-#define SIGMATCH_NOT_BUILT BIT_U16(3)
+#define SIGMATCH_NOT_BUILT BIT_U16(3)
 /** sigmatch may have options, so the parser should be ready to
 * deal with both cases */
-#define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
+#define SIGMATCH_OPTIONAL_OPT BIT_U16(4)
 /** input may be wrapped in double quotes. They will be stripped before
 * input data is passed to keyword parser */
-#define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
+#define SIGMATCH_QUOTES_OPTIONAL BIT_U16(5)
 /** input MUST be wrapped in double quotes. They will be stripped before
 * input data is passed to keyword parser. Missing double quotes lead to
 * error and signature invalidation. */
-#define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
+#define SIGMATCH_QUOTES_MANDATORY BIT_U16(6)
 /** negation parsing is handled by the rule parser. Signature::init_data::negated
 * will be set to true or false prior to calling the keyword parser. Exclamation
 * mark is stripped from the input to the keyword parser. */
-#define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
+#define SIGMATCH_HANDLE_NEGATION BIT_U16(7)
+/** keyword is a content modifier */
+#define SIGMATCH_INFO_CONTENT_MODIFIER BIT_U16(8)
+/** keyword is a sticky buffer */
+#define SIGMATCH_INFO_STICKY_BUFFER BIT_U16(9)
 enum DetectEngineTenantSelectors {
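Review bot: The comments on `SIGMATCH_INFO_CONTENT_MODIFIER` and `SIGMATCH_INFO_STICKY_BUFFER` do not say that these flags are descriptive only, although they share the 16-bit `flags` space with flags that change how the rule parser treats a keyword. In this commit the only reader is PrintFeatureList, so a comment such as `/** keyword is a content modifier; informational, shown by --list-keywords */` would make clear that setting the flag does not alter parsing; it is worth confirming that no other reader exists. With bits 8 and 9 taken, six bits remain before `flags` has to be widened again, which could be noted next to the field.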