OISF · hadiqaalamdar · Dec 5, 2023 · jufajardini · Dec 6, 2023 · hadiqaalamdar
@@ -45,6 +45,8 @@
 #include "util-time.h"
 #include "util-validate.h"
 #include "util-conf.h"
+#include "detect-flowbits.h"
+#include "util-var-name.h"
 
 static int rule_warnings_only = 0;
 
@@ -861,6 +863,45 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                 jb_close(js);
                 break;
             }
+            case DETECT_FLOWBITS: {
+                const DetectFlowbitsData *cd = (const DetectFlowbitsData *)smd->ctx;
+
+                jb_open_object(js, "flowbits");
+                switch (cd->cmd) {
+                    case DETECT_FLOWBITS_CMD_NOALERT:
+                        jb_set_string(js, "action", "noalert");
+                        // jb_set_string(js,"name", NULL);
+                        break;
+                    case DETECT_FLOWBITS_CMD_ISSET:
+                        jb_set_string(js, "cmd", "isset");
+                        break;
+                    case DETECT_FLOWBITS_CMD_ISNOTSET:
+                        jb_set_string(js, "cmd", "isnotset");
+                        break;
+                    case DETECT_FLOWBITS_CMD_SET:
+                        jb_set_string(js, "cmd", "set");
+                        break;
+                    case DETECT_FLOWBITS_CMD_UNSET:
+                        jb_set_string(js, "cmd", "unset");
+                        break;
+                    case DETECT_FLOWBITS_CMD_TOGGLE:
+                        jb_set_string(js, "cmd", "toggle");
+                        break;
+                }
+                jb_open_array(js, "names");
+                if (cd->or_list_size == 0) {
+                    jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
+                } else if (cd->or_list_size > 0) {
+                    for (uint8_t i = 0; i < cd->or_list_size; i++) {
+                        const char *varname =
+                                VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT);
+                        jb_append_string(js, varname);
+                    }
+                }
+                jb_close(js); // array
+                jb_close(js); // object
+                break;
+            }
         }
         jb_close(js);