detect-flowbits: add details for flowbits v7 #10018
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -45,6 +45,8 @@ | |
| #include "util-time.h" | ||
| #include "util-validate.h" | ||
| #include "util-conf.h" | ||
| #include "detect-flowbits.h" | ||
| #include "util-var-name.h" | ||
|
|
||
| static int rule_warnings_only = 0; | ||
|
|
||
|
|
@@ -861,6 +863,51 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData * | |
| jb_close(js); | ||
| break; | ||
| } | ||
| case DETECT_FLOWBITS: { | ||
| const DetectFlowbitsData *cd = (const DetectFlowbitsData *)smd->ctx; | ||
|
|
||
| jb_open_object(js, "flowbits"); | ||
| switch (cd->cmd) { | ||
| case DETECT_FLOWBITS_CMD_NOALERT: | ||
| jb_set_string(js, "action", "noalert"); | ||
| break; | ||
| case DETECT_FLOWBITS_CMD_ISSET: | ||
| jb_set_string(js, "cmd", "isset"); | ||
| break; | ||
| case DETECT_FLOWBITS_CMD_ISNOTSET: | ||
| jb_set_string(js, "cmd", "isnotset"); | ||
| break; | ||
| case DETECT_FLOWBITS_CMD_SET: | ||
| jb_set_string(js, "cmd", "set"); | ||
| break; | ||
| case DETECT_FLOWBITS_CMD_UNSET: | ||
| jb_set_string(js, "cmd", "unset"); | ||
| break; | ||
| case DETECT_FLOWBITS_CMD_TOGGLE: | ||
| jb_set_string(js, "cmd", "toggle"); | ||
| break; | ||
| } | ||
| int flag = 0; | ||
|
There was a problem hiding this comment. As it's being used as a bool, let's declare it as such ;) |
||
| if (cd->cmd != DETECT_FLOWBITS_CMD_NOALERT) { | ||
|
There was a problem hiding this comment. And now wondering if we need this There was a problem hiding this comment. I don't think we do. I think we should also remove this constant though bc it gives me an impression that this is a valid flowbit specific command and while it is used w flowbits, it is never really used to set There was a problem hiding this comment. wrt I have made #10021 |
||
| jb_open_array(js, "names"); | ||
| if (cd->or_list_size == 0) { | ||
| jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT)); | ||
| } else if (cd->or_list_size > 0) { | ||
| flag = 1; | ||
| for (uint8_t i = 0; i < cd->or_list_size; i++) { | ||
| const char *varname = | ||
| VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT); | ||
| jb_append_string(js, varname); | ||
| } | ||
| } | ||
| jb_close(js); // array | ||
| if (flag == 1) { | ||
| jb_set_string(js, "operator", "or"); | ||
| } | ||
| } | ||
|
Comment on lines
+904
to
+907
There was a problem hiding this comment. I saw that this is working! :) Do you think we can move on to thinking about the There was a problem hiding this comment. Indeed. We don't define it as a specific operator anyway like we do for or. It's only fair. 😛 |
||
| jb_close(js); // object | ||
| break; | ||
| } | ||
| } | ||
| jb_close(js); | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now, we know from our discussions elsewhere that we can't ever have this one here, so we can probably skip the jb call, maybe just add a comment that
noalertdoesn't lead to callingDumpMatches? 🤔