From: Juliana Fajardini
Date: Thu, 14 Sep 2023 14:44:19 +0000 (-0300)
Subject: detect/analyzer: add more details for ipopts
X-Git-Tag: suricata-7.0.2~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ecb923db121d8d20da2405f6087db250f2b4028;p=thirdparty%2Fsuricata.git

detect/analyzer: add more details for ipopts

In addition to the ipopts keyword name, also log the ip option that was matched on.

Task #6348
---

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 1735ce35bb..a37afabb0f 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -39,6 +39,7 @@
 #include "detect-bytetest.h"
 #include "detect-flow.h"
 #include "detect-tcp-flags.h"
+#include "detect-ipopts.h"
 #include "feature.h"
 #include "util-print.h"
 #include "util-time.h"
@@ -851,6 +852,15 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
             jb_close(js);
             break;
         }
+        case DETECT_IPOPTS: {
+            const DetectIpOptsData *cd = (const DetectIpOptsData *)smd->ctx;
+
+            jb_open_object(js, "ipopts");
+            const char *flag = IpOptsFlagToString(cd->ipopt);
+            jb_set_string(js, "option", flag);
+            jb_close(js);
+            break;
+        }
     }
     jb_close(js);
 
diff --git a/src/detect-ipopts.c b/src/detect-ipopts.c
index 07e6b7eac9..105751c388 100644
--- a/src/detect-ipopts.c
+++ b/src/detect-ipopts.c
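Review bot: The new DETECT_IPOPTS case hands the result of `IpOptsFlagToString(cd->ipopt)` straight to `jb_set_string(js, "option", flag);`, but that helper returns NULL from its default branch (see the detect-ipopts.c hunk of this commit), so a stored option value outside the known set reaches the JSON builder as a NULL string. Whether jb_set_string tolerates a NULL value is not visible here; if it does not, the analyzer dereferences it, and if it does, the "ipopts" object is emitted without its "option" key and the cause is silent. A one-line fallback keeps the output well-defined either way: `jb_set_string(js, "option", flag != NULL ? flag : "unknown");`. DumpMatches begins and ends outside the hunk.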
@@ -119,6 +119,39 @@ struct DetectIpOpts_ {
     { NULL, 0 },
 };
 
+/**
+ * \brief Return human readable value for ipopts flag
+ *
+ * \param flag uint16_t DetectIpOptsData ipopts flag value
+ */
+const char *IpOptsFlagToString(uint16_t flag)
+{
+    switch (flag) {
+        case IPV4_OPT_FLAG_RR:
+            return "rr";
+        case IPV4_OPT_FLAG_LSRR:
+            return "lsrr";
+        case IPV4_OPT_FLAG_EOL:
+            return "eol";
+        case IPV4_OPT_FLAG_NOP:
+            return "nop";
+        case IPV4_OPT_FLAG_TS:
+            return "ts";
+        case IPV4_OPT_FLAG_SEC:
+            return "sec";
+        case IPV4_OPT_FLAG_ESEC:
+            return "esec";
+        case IPV4_OPT_FLAG_SSRR:
+            return "ssrr";
+        case IPV4_OPT_FLAG_SID:
+            return "satid";
+        case 0xffff:
+            return "any";
+        default:
+            return NULL;
+    }
+}
+
 /**
  * \internal
  * \brief This function is used to match ip option on a packet with those passed via ipopts:
diff --git a/src/detect-ipopts.h b/src/detect-ipopts.h
index 4089ea5ad6..a4009252d0 100644
--- a/src/detect-ipopts.h
+++ b/src/detect-ipopts.h
@@ -45,5 +45,7 @@ typedef struct DetectIpOptsData_ {
 
 void DetectIpOptsRegister (void);
 
+const char *IpOptsFlagToString(uint16_t flag);
+
 #endif /*__DETECT_IPOPTS_H__ */
 
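Review bot: IpOptsFlagToString hard-codes a second copy of the name-to-flag mapping that the `struct DetectIpOpts_` table ending at `{ NULL, 0 },` in the hunk's context already holds, including the `0xffff` "any" sentinel as a bare magic number, so adding or renaming an option now has to be done in two places and the two can silently drift. A reverse lookup over that table (walk it until the NULL-name terminator and return the name whose flag field equals `flag`) would be the same few lines and cannot disagree with the parser; if the table's layout makes that awkward, at least spell the sentinel with whatever named constant the table presumably uses for "any". The doc comment should also state the NULL contract that the analyzer caller in this commit depends on, e.g. `\retval const char * option name, or NULL when flag is not a single known option`.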