From c6d3b461a661d039384c4118461909382c0cf7ac Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 24 May 2023 15:28:49 +0200
Subject: [PATCH] detect/analyzer: add the type
Per rule type record properties of the type. Example output: { "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)", "id": 1001, "gid": 1, "rev": 0, "msg": "UDP with flow direction", "app_proto": "unknown", "requirements": [], "type": "pkt", "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "toserver" ], "pkt_engines": [], "frame_engines": [], "lists": {} } Ticket: #6085.
---
 src/detect-engine-analyzer.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 2d78411bc7..2fc91cf9cf 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -841,6 +841,42 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
 }
 jb_close(ctx.js);
+ switch (s->type) {
+ case SIG_TYPE_NOT_SET:
+ jb_set_string(ctx.js, "type", "unset");
+ break;
+ case SIG_TYPE_IPONLY:
+ jb_set_string(ctx.js, "type", "ip_only");
+ break;
+ case SIG_TYPE_LIKE_IPONLY:
+ jb_set_string(ctx.js, "type", "like_ip_only");
+ break;
+ case SIG_TYPE_PDONLY:
+ jb_set_string(ctx.js, "type", "pd_only");
+ break;
+ case SIG_TYPE_DEONLY:
+ jb_set_string(ctx.js, "type", "de_only");
+ break;
+ case SIG_TYPE_PKT:
+ jb_set_string(ctx.js, "type", "pkt");
+ break;
+ case SIG_TYPE_PKT_STREAM:
+ jb_set_string(ctx.js, "type", "pkt_stream");
+ break;
+ case SIG_TYPE_STREAM:
+ jb_set_string(ctx.js, "type", "stream");
+ break;
+ case SIG_TYPE_APPLAYER:
+ jb_set_string(ctx.js, "type", "app_layer");
+ break;
+ case SIG_TYPE_APP_TX:
+ jb_set_string(ctx.js, "type", "app_tx");
+ break;
+ case SIG_TYPE_MAX:
+ jb_set_string(ctx.js, "type", "error");
+ break;
+ }
+
 jb_open_array(ctx.js, "flags");
 if (s->flags & SIG_FLAG_SRC_ANY) {
 jb_append_string(ctx.js, "src_any");
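Review bot: The new switch on `s->type` has no `default:`, so any value outside the listed enumerators writes no `type` key at all and consumers of the analyzer JSON would see the field silently disappear instead of the `"error"` marker that the `SIG_TYPE_MAX` case emits. If the switch is kept exhaustive on purpose so `-Wswitch` flags future enumerators, the fallback can live outside it: declare `const char *type_str = "error";` before the switch, assign the string in each case, and emit once after it with `jb_set_string(ctx.js, "type", type_str);`, which also removes the eleven repeated `jb_set_string` calls. The `case SIG_TYPE_MAX:` branch would read better with a comment saying why the bound value is reported as `"error"` rather than as a type of its own, e.g. `/* upper bound of the enum, not a real signature type */`. EngineAnalysisRules2 begins and ends outside this hunk.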