
detect/analyzer: add details to flowbits keyword
hadiqaalamdar committed Dec 11, 2023
1 parent 9a24326 commit e7b1810
Showing 1 changed file with 15 additions and 19 deletions.
34 changes: 15 additions & 19 deletions src/detect-engine-analyzer.c
Expand Up @@ -868,9 +868,7 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *

jb_open_object(js, "flowbits");
switch (cd->cmd) {
case DETECT_FLOWBITS_CMD_NOALERT:
jb_set_string(js, "action", "noalert");
break;
/* noalert has been removed and never gets to DumpMatches */
case DETECT_FLOWBITS_CMD_ISSET:
jb_set_string(js, "cmd", "isset");
break;
Expand All @@ -887,24 +885,22 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
jb_set_string(js, "cmd", "toggle");
break;
}
int flag = 0;
if (cd->cmd != DETECT_FLOWBITS_CMD_NOALERT) {
jb_open_array(js, "names");
if (cd->or_list_size == 0) {
jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
} else if (cd->or_list_size > 0) {
flag = 1;
for (uint8_t i = 0; i < cd->or_list_size; i++) {
const char *varname =
VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT);
jb_append_string(js, varname);
}
}
jb_close(js); // array
if (flag == 1) {
jb_set_string(js, "operator", "or");
bool is_or = false;
jb_open_array(js, "names");
if (cd->or_list_size == 0) {
jb_append_string(js, VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT));
} else if (cd->or_list_size > 0) {
is_or = true;
for (uint8_t i = 0; i < cd->or_list_size; i++) {
const char *varname =
VarNameStoreSetupLookup(cd->or_list[i], VAR_TYPE_FLOW_BIT);
jb_append_string(js, varname);
}
}
jb_close(js); // array
if (is_or == true) {
jb_set_string(js, "operator", "or");
}
jb_close(js); // object
break;
}
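Review bot: The "names" array is filled from `VarNameStoreSetupLookup()` without checking its result, both at the single-name append and inside the or_list loop; if that lookup can return NULL for an index that is not in the store (its contract is not visible in this hunk), the NULL is passed straight to `jb_append_string`, which would turn an inconsistent rule/var-store state into a crash of the analyzer rather than an incomplete JSON dump. I would guard both call sites, e.g. `const char *varname = VarNameStoreSetupLookup(cd->idx, VAR_TYPE_FLOW_BIT); if (varname != NULL) { jb_append_string(js, varname); }`, or append a fixed placeholder such as `"<unknown>"` so the output still shows the slot was present. Minor style: `if (is_or == true)` reads more naturally as `if (is_or)`, and since `or_list_size` is an unsigned `uint8_t`, `else if (cd->or_list_size > 0)` is effectively a plain `else`. DumpMatches begins before this hunk and continues after it.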
