detect: add verbosity of --list-keywords

Add indicators of content modifier or sticky buffer, and also allow registering an alternative to a keyword.
7 years ago · 33b81f7439
parent d3e953e5f2
commit 33b81f7439
2 changed files with 31 additions and 9 deletions
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -247,7 +247,7 @@

 static void PrintFeatureList(const SigTableElmt *e, char sep)
 {
-    const uint8_t flags = e->flags;
+    const uint16_t flags = e->flags;

    int prev = 0;
    if (flags & SIGMATCH_NOOPT) {
@ -266,6 +266,18 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
        printf("compatible with decoder event only rule");
        prev = 1;
    }
+    if (flags & SIGMATCH_INFO_CONTENT_MODIFIER) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("content modifier");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_INFO_STICKY_BUFFER) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("sticky buffer");
+        prev = 1;
+    }
    if (e->Transform) {
        if (prev == 1)
            printf("%c", sep);
@ -293,6 +305,9 @@ static void SigMultilinePrint(int i, const char *prefix)
    if (sigmatch_table[i].url) {
        printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
    }
+    if (sigmatch_table[i].alternative) {
+        printf("\n%sReplaced by: %s", prefix, sigmatch_table[sigmatch_table[i].alternative].name);
+    }
    printf("\n");
 }

--- a/src/detect.h
+++ b/src/detect.h
@ -1159,6 +1159,9 @@ typedef struct SigTableElmt_ {
    uint16_t flags;
    /* coccinelle: SigTableElmt:flags:SIGMATCH_ */

+    /** better keyword to replace the current one */
+    uint16_t alternative;
+
    const char *name;     /**< keyword name alias */
    const char *alias;    /**< name alias */
    const char *desc;
@ -1327,27 +1330,31 @@ typedef struct SigGroupHead_ {
 } SigGroupHead;

 /** sigmatch has no options, so the parser shouldn't expect any */
-#define SIGMATCH_NOOPT              BIT_U16(0)
+#define SIGMATCH_NOOPT                  BIT_U16(0)
 /** sigmatch is compatible with a ip only rule */
-#define SIGMATCH_IPONLY_COMPAT      BIT_U16(1)
+#define SIGMATCH_IPONLY_COMPAT          BIT_U16(1)
 /** sigmatch is compatible with a decode event only rule */
-#define SIGMATCH_DEONLY_COMPAT      BIT_U16(2)
+#define SIGMATCH_DEONLY_COMPAT          BIT_U16(2)
 /**< Flag to indicate that the signature is not built-in */
-#define SIGMATCH_NOT_BUILT          BIT_U16(3)
+#define SIGMATCH_NOT_BUILT              BIT_U16(3)
 /** sigmatch may have options, so the parser should be ready to
 *  deal with both cases */
-#define SIGMATCH_OPTIONAL_OPT       BIT_U16(4)
+#define SIGMATCH_OPTIONAL_OPT           BIT_U16(4)
 /** input may be wrapped in double quotes. They will be stripped before
 *  input data is passed to keyword parser */
-#define SIGMATCH_QUOTES_OPTIONAL    BIT_U16(5)
+#define SIGMATCH_QUOTES_OPTIONAL        BIT_U16(5)
 /** input MUST be wrapped in double quotes. They will be stripped before
 *  input data is passed to keyword parser. Missing double quotes lead to
 *  error and signature invalidation. */
-#define SIGMATCH_QUOTES_MANDATORY   BIT_U16(6)
+#define SIGMATCH_QUOTES_MANDATORY       BIT_U16(6)
 /** negation parsing is handled by the rule parser. Signature::init_data::negated
 *  will be set to true or false prior to calling the keyword parser. Exclamation
 *  mark is stripped from the input to the keyword parser. */
-#define SIGMATCH_HANDLE_NEGATION    BIT_U16(7)
+#define SIGMATCH_HANDLE_NEGATION        BIT_U16(7)
+/** keyword is a content modifier */
+#define SIGMATCH_INFO_CONTENT_MODIFIER  BIT_U16(8)
+/** keyword is a sticky buffer */
+#define SIGMATCH_INFO_STICKY_BUFFER     BIT_U16(9)

 enum DetectEngineTenantSelectors
 {