From: Victor Julien Date: Wed, 24 May 2023 13:28:49 +0000 (+0200) Subject: detect/analyzer: add the type X-Git-Tag: suricata-7.0.0-rc2~120 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6d3b461a661d039384c4118461909382c0cf7ac;p=thirdparty%2Fsuricata.git detect/analyzer: add the type Per rule type record properties of the type. Example output: { "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)", "id": 1001, "gid": 1, "rev": 0, "msg": "UDP with flow direction", "app_proto": "unknown", "requirements": [], "type": "pkt", "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "toserver" ], "pkt_engines": [], "frame_engines": [], "lists": {} } Ticket: #6085.
---
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 2d78411bc7..2fc91cf9cf 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -841,6 +841,42 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
 }
 jb_close(ctx.js);
 
+ switch (s->type) {
+ case SIG_TYPE_NOT_SET:
+ jb_set_string(ctx.js, "type", "unset");
+ break;
+ case SIG_TYPE_IPONLY:
+ jb_set_string(ctx.js, "type", "ip_only");
+ break;
+ case SIG_TYPE_LIKE_IPONLY:
+ jb_set_string(ctx.js, "type", "like_ip_only");
+ break;
+ case SIG_TYPE_PDONLY:
+ jb_set_string(ctx.js, "type", "pd_only");
+ break;
+ case SIG_TYPE_DEONLY:
+ jb_set_string(ctx.js, "type", "de_only");
+ break;
+ case SIG_TYPE_PKT:
+ jb_set_string(ctx.js, "type", "pkt");
+ break;
+ case SIG_TYPE_PKT_STREAM:
+ jb_set_string(ctx.js, "type", "pkt_stream");
+ break;
+ case SIG_TYPE_STREAM:
+ jb_set_string(ctx.js, "type", "stream");
+ break;
+ case SIG_TYPE_APPLAYER:
+ jb_set_string(ctx.js, "type", "app_layer");
+ break;
+ case SIG_TYPE_APP_TX:
+ jb_set_string(ctx.js, "type", "app_tx");
+ break;
+ case SIG_TYPE_MAX:
+ jb_set_string(ctx.js, "type", "error");
+ break;
+ }
+
 jb_open_array(ctx.js, "flags");
 if (s->flags & SIG_FLAG_SRC_ANY) {
 jb_append_string(ctx.js, "src_any");
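Review bot: Each of the eleven cases in the new `switch (s->type)` repeats the same `jb_set_string(ctx.js, "type", …)` call with only the string differing, and because the switch has no fallback, a value not matched by any case leaves the "type" key out of the record altogether instead of reporting "error" the way the SIG_TYPE_MAX case does. A name table indexed by the type, with a single `jb_set_string` after a range check, keeps the strings in one place and guarantees the key is always emitted; this assumes `s->type` is a non-negative enum value comparable with `SIG_TYPE_MAX`, which the hunk does not show. Unlike the switch, a designated-initializer table gets no compiler warning when a new SigType enumerator is added, so the NULL fallback to "error" is what makes such a gap visible in the analyzer output. EngineAnalysisRules2 begins before and ends after this hunk.
```c
    /* … unchanged: jb_close(ctx.js) … */
    static const char *const sig_type_names[SIG_TYPE_MAX] = {
        [SIG_TYPE_NOT_SET] = "unset",
        [SIG_TYPE_IPONLY] = "ip_only",
        [SIG_TYPE_LIKE_IPONLY] = "like_ip_only",
        [SIG_TYPE_PDONLY] = "pd_only",
        [SIG_TYPE_DEONLY] = "de_only",
        [SIG_TYPE_PKT] = "pkt",
        [SIG_TYPE_PKT_STREAM] = "pkt_stream",
        [SIG_TYPE_STREAM] = "stream",
        [SIG_TYPE_APPLAYER] = "app_layer",
        [SIG_TYPE_APP_TX] = "app_tx",
    };
    /* Any type without a name, including SIG_TYPE_MAX, is reported as "error". */
    const char *type_name = NULL;
    if (s->type < SIG_TYPE_MAX) {
        type_name = sig_type_names[s->type];
    }
    jb_set_string(ctx.js, "type", type_name ? type_name : "error");
    /* … unchanged: "flags" array … */
```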