From: Hadiqa Alamdar Bukhari Date: Wed, 13 Dec 2023 11:15:50 +0000 (+0500) Subject: detect/analyzer: add details to flowbits keyword X-Git-Tag: suricata-8.0.0-beta1~1932 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=774f05d83d3fb39d8a60a147cb259614a2477854;p=thirdparty%2Fsuricata.git detect/analyzer: add details to flowbits keyword Task #6309
---
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index a37afabb0f..0eda31b2fc 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -45,6 +45,8 @@
 #include "util-time.h"
 #include "util-validate.h"
 #include "util-conf.h"
+#include "detect-flowbits.h"
+#include "util-var-name.h"
 static int rule_warnings_only = 0;
@@ -861,6 +863,46 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
 jb_close(js);
 break;
 }
+ case DETECT_FLOWBITS: {
+ const DetectFlowbitsData *cd = (const DetectFlowbitsData *)smd->ctx;
+
+ jb_open_object(js, "flowbits");
+ switch (cd->cmd) {
+ case DETECT_FLOWBITS_CMD_ISSET:
+ jb_set_string(js, "cmd", "isset");
+ break;
+ case DETECT_FLOWBITS_CMD_ISNOTSET:
+ jb_set_string(js, "cmd", "isnotset");
+ break;
+ case DETECT_FLOWBITS_CMD_SET:
+ jb_set_string(js, "cmd", "set");
+ break;
+ case DETECT_FLOWBITS_CMD_UNSET:
+ jb_set_string(js, "cmd", "unset");
+ break;
+ case DETECT_FLOWBITS_CMD_TOGGLE:
+ jb_set_string(js, "cmd", "toggle");
+ break;
+ }
+ bool is_or = false;
+ jb_open_array(js, "names");
+ if (cd->or_list_size == 0) {
+ jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
+ } else if (cd->or_list_size > 0) {
+ is_or = true;
+ for (uint8_t i = 0; i < cd->or_list_size; i++) {
+ const char *varname =
+ VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT);
+ jb_append_string(js, varname);
+ }
+ }
+ jb_close(js); // array
+ if (is_or) {
+ jb_set_string(js, "operator", "or");
+ }
+ jb_close(js); // object
+ break;
+ }
 }
 jb_close(js);