|
|
|
@ -45,6 +45,8 @@
|
|
|
|
|
#include "util-time.h"
|
|
|
|
|
#include "util-validate.h"
|
|
|
|
|
#include "util-conf.h"
|
|
|
|
|
#include "detect-flowbits.h"
|
|
|
|
|
#include "util-var-name.h"
|
|
|
|
|
|
|
|
|
|
static int rule_warnings_only = 0;
|
|
|
|
|
|
|
|
|
@ -861,6 +863,46 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
|
|
|
|
|
jb_close(js);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case DETECT_FLOWBITS: {
|
|
|
|
|
const DetectFlowbitsData *cd = (const DetectFlowbitsData *)smd->ctx;
|
|
|
|
|
|
|
|
|
|
jb_open_object(js, "flowbits");
|
|
|
|
|
switch (cd->cmd) {
|
|
|
|
|
case DETECT_FLOWBITS_CMD_ISSET:
|
|
|
|
|
jb_set_string(js, "cmd", "isset");
|
|
|
|
|
break;
|
|
|
|
|
case DETECT_FLOWBITS_CMD_ISNOTSET:
|
|
|
|
|
jb_set_string(js, "cmd", "isnotset");
|
|
|
|
|
break;
|
|
|
|
|
case DETECT_FLOWBITS_CMD_SET:
|
|
|
|
|
jb_set_string(js, "cmd", "set");
|
|
|
|
|
break;
|
|
|
|
|
case DETECT_FLOWBITS_CMD_UNSET:
|
|
|
|
|
jb_set_string(js, "cmd", "unset");
|
|
|
|
|
break;
|
|
|
|
|
case DETECT_FLOWBITS_CMD_TOGGLE:
|
|
|
|
|
jb_set_string(js, "cmd", "toggle");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
bool is_or = false;
|
|
|
|
|
jb_open_array(js, "names");
|
|
|
|
|
if (cd->or_list_size == 0) {
|
|
|
|
|
jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
|
|
|
|
|
} else if (cd->or_list_size > 0) {
|
|
|
|
|
is_or = true;
|
|
|
|
|
for (uint8_t i = 0; i < cd->or_list_size; i++) {
|
|
|
|
|
const char *varname =
|
|
|
|
|
VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT);
|
|
|
|
|
jb_append_string(js, varname);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
jb_close(js); // array
|
|
|
|
|
if (is_or) {
|
|
|
|
|
jb_set_string(js, "operator", "or");
|
|
|
|
|
}
|
|
|
|
|
jb_close(js); // object
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
jb_close(js);
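Review bot: Both `jb_append_string` calls in the `names` array pass whatever `VarNameStoreSetupLookup` returns straight through with no NULL check; if that lookup can miss (a flowbit index with no registered name), a NULL pointer reaches the JSON builder's string handling. Guarding each call, e.g. `if (varname != NULL) jb_append_string(js, varname);` (and the same for the single-name branch), keeps the analyzer output well-formed rather than crashing or emitting garbage — worth confirming against util-var-name.h whether a miss is actually possible at this point. The inner `switch (cd->cmd)` also has no `default`, so any command value outside the five listed leaves the `flowbits` object without a `cmd` key at all; a `default: jb_set_string(js, "cmd", "unknown"); break;` makes that gap visible to consumers of the JSON instead of silently dropping it. Finally, since `or_list_size` is indexed with a `uint8_t`, it is presumably unsigned and `else if (cd->or_list_size > 0)` is always true once the `== 0` test fails, so a plain `else` says the same thing more honestly. DumpMatches begins and ends outside this hunk.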
|
|
|
|
|
|
|
|
|
|