detect/analyzer: add more details for ipopts

In addition to the ipopts keyword name, also log the ip option that was
matched on.

Task #6348
pull/9539/head
Juliana Fajardini 3 years ago committed by Victor Julien
parent bb15a8f766
commit 3ecb923db1

@ -39,6 +39,7 @@
#include "detect-bytetest.h"
#include "detect-flow.h"
#include "detect-tcp-flags.h"
#include "detect-ipopts.h"
#include "feature.h"
#include "util-print.h"
#include "util-time.h"
@ -851,6 +852,15 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
jb_close(js);
break;
}
case DETECT_IPOPTS: {
const DetectIpOptsData *cd = (const DetectIpOptsData *)smd->ctx;
jb_open_object(js, "ipopts");
const char *flag = IpOptsFlagToString(cd->ipopt);
jb_set_string(js, "option", flag);
jb_close(js);
break;
}
}
jb_close(js);
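Review bot: `jb_set_string(js, "option", flag)` in the new DETECT_IPOPTS case receives a NULL value whenever `IpOptsFlagToString` hits its `default` branch (it returns NULL for any flag it does not know), so the analyzer output here relies on jb_set_string tolerating a NULL value, which I have not confirmed. The parser presumably only produces the values the helper covers today, but a new option type added to the table without a matching switch arm would reach this call, so the lookup should be guarded: `if (flag != NULL) { jb_set_string(js, "option", flag); }`. DumpMatches starts before the hunk and its remaining cases are outside it.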

@ -119,6 +119,39 @@ struct DetectIpOpts_ {
{ NULL, 0 },
};
/**
* \brief Return human readable value for ipopts flag
*
* \param flag uint16_t DetectIpOptsData ipopts flag value
*/
const char *IpOptsFlagToString(uint16_t flag)
{
switch (flag) {
case IPV4_OPT_FLAG_RR:
return "rr";
case IPV4_OPT_FLAG_LSRR:
return "lsrr";
case IPV4_OPT_FLAG_EOL:
return "eol";
case IPV4_OPT_FLAG_NOP:
return "nop";
case IPV4_OPT_FLAG_TS:
return "ts";
case IPV4_OPT_FLAG_SEC:
return "sec";
case IPV4_OPT_FLAG_ESEC:
return "esec";
case IPV4_OPT_FLAG_SSRR:
return "ssrr";
case IPV4_OPT_FLAG_SID:
return "satid";
case 0xffff:
return "any";
default:
return NULL;
}
}
/**
* \internal
* \brief This function is used to match ip option on a packet with those passed via ipopts:
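Review bot: The Doxygen block on `IpOptsFlagToString` documents the parameter but not the return value, and the NULL returned for an unrecognised flag is exactly what a caller must know before handing the result to a string API; add ` * \retval const char* name of the option, or NULL if the flag is not a known single option`. The switch also duplicates the name/flag pairs that the table terminated by `{ NULL, 0 }` just above already holds, including a bare `0xffff` for "any" (presumably the same sentinel the parser stores for that keyword), so the two can drift when an option is added; a lookup that walks the existing table would keep a single source of truth. The function is fully inside the hunk; the `\internal` comment after it introduces the next function, which continues outside the hunk.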

@ -45,5 +45,7 @@ typedef struct DetectIpOptsData_ {
void DetectIpOptsRegister (void);
const char *IpOptsFlagToString(uint16_t flag);
#endif /*__DETECT_IPOPTS_H__ */
