detect/analyzer: add the type

Per rule type record properties of the type. Example output: { "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)", "id": 1001, "gid": 1, "rev": 0, "msg": "UDP with flow direction", "app_proto": "unknown", "requirements": [], "type": "pkt", "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "toserver" ], "pkt_engines": [], "frame_engines": [], "lists": {} } Ticket: #6085.
3 years ago · c6d3b461a6
parent 2696fda041
commit c6d3b461a6
1 changed files with 36 additions and 0 deletions
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -841,6 +841,42 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
    }
    jb_close(ctx.js);

+    switch (s->type) {
+        case SIG_TYPE_NOT_SET:
+            jb_set_string(ctx.js, "type", "unset");
+            break;
+        case SIG_TYPE_IPONLY:
+            jb_set_string(ctx.js, "type", "ip_only");
+            break;
+        case SIG_TYPE_LIKE_IPONLY:
+            jb_set_string(ctx.js, "type", "like_ip_only");
+            break;
+        case SIG_TYPE_PDONLY:
+            jb_set_string(ctx.js, "type", "pd_only");
+            break;
+        case SIG_TYPE_DEONLY:
+            jb_set_string(ctx.js, "type", "de_only");
+            break;
+        case SIG_TYPE_PKT:
+            jb_set_string(ctx.js, "type", "pkt");
+            break;
+        case SIG_TYPE_PKT_STREAM:
+            jb_set_string(ctx.js, "type", "pkt_stream");
+            break;
+        case SIG_TYPE_STREAM:
+            jb_set_string(ctx.js, "type", "stream");
+            break;
+        case SIG_TYPE_APPLAYER:
+            jb_set_string(ctx.js, "type", "app_layer");
+            break;
+        case SIG_TYPE_APP_TX:
+            jb_set_string(ctx.js, "type", "app_tx");
+            break;
+        case SIG_TYPE_MAX:
+            jb_set_string(ctx.js, "type", "error");
+            break;
+    }
+
    jb_open_array(ctx.js, "flags");
    if (s->flags & SIG_FLAG_SRC_ANY) {
        jb_append_string(ctx.js, "src_any");