From 325000ca2bd72edd802122a3d25988183622a69f Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 15 Mar 2023 22:16:40 +0100
Subject: [PATCH] detect/analyzer: add byte_test/byte_jump detail

---
 src/detect-engine-analyzer.c | 86 ++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index aa2a161021..2488dcc958 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -35,6 +35,8 @@
 #include "conf.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
+#include "detect-bytejump.h"
+#include "detect-bytetest.h"
 #include "detect-flow.h"
 #include "detect-tcp-flags.h"
 #include "feature.h"
@@ -691,6 +693,90 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
 jb_open_object(js, "pcre");
 DumpPcre(js, cd);
 jb_close(js);
+ if (cd->flags & DETECT_PCRE_RAWBYTES) {
+ AnalyzerNote(ctx,
+ (char *)"'/B' (rawbytes) option is a no-op and is silently ignored");
+ }
+ break;
+ }
+ case DETECT_BYTEJUMP: {
+ const DetectBytejumpData *cd = (const DetectBytejumpData *)smd->ctx;
+
+ jb_open_object(js, "byte_jump");
+ jb_set_uint(js, "nbytes", cd->nbytes);
+ jb_set_uint(js, "offset", cd->offset);
+ jb_set_uint(js, "multiplier", cd->multiplier);
+ jb_set_uint(js, "post_offset", cd->post_offset);
+ switch (cd->base) {
+ case DETECT_BYTEJUMP_BASE_UNSET:
+ jb_set_string(js, "base", "unset");
+ break;
+ case DETECT_BYTEJUMP_BASE_OCT:
+ jb_set_string(js, "base", "oct");
+ break;
+ case DETECT_BYTEJUMP_BASE_DEC:
+ jb_set_string(js, "base", "dec");
+ break;
+ case DETECT_BYTEJUMP_BASE_HEX:
+ jb_set_string(js, "base", "hex");
+ break;
+ }
+ jb_open_array(js, "flags");
+ if (cd->flags & DETECT_BYTEJUMP_BEGIN)
+ jb_append_string(js, "from_beginning");
+ if (cd->flags & DETECT_BYTEJUMP_LITTLE)
+ jb_append_string(js, "little_endian");
+ if (cd->flags & DETECT_BYTEJUMP_BIG)
+ jb_append_string(js, "big_endian");
+ if (cd->flags & DETECT_BYTEJUMP_STRING)
+ jb_append_string(js, "string");
+ if (cd->flags & DETECT_BYTEJUMP_RELATIVE)
+ jb_append_string(js, "relative");
+ if (cd->flags & DETECT_BYTEJUMP_ALIGN)
+ jb_append_string(js, "align");
+ if (cd->flags & DETECT_BYTEJUMP_DCE)
+ jb_append_string(js, "dce");
+ if (cd->flags & DETECT_BYTEJUMP_OFFSET_BE)
+ jb_append_string(js, "offset_be");
+ if (cd->flags & DETECT_BYTEJUMP_END)
+ jb_append_string(js, "from_end");
+ jb_close(js);
+ jb_close(js);
+ break;
+ }
+ case DETECT_BYTETEST: {
+ const DetectBytetestData *cd = (const DetectBytetestData *)smd->ctx;
+
+ jb_open_object(js, "byte_test");
+ jb_set_uint(js, "nbytes", cd->nbytes);
+ jb_set_uint(js, "offset", cd->offset);
+ switch (cd->base) {
+ case DETECT_BYTETEST_BASE_UNSET:
+ jb_set_string(js, "base", "unset");
+ break;
+ case DETECT_BYTETEST_BASE_OCT:
+ jb_set_string(js, "base", "oct");
+ break;
+ case DETECT_BYTETEST_BASE_DEC:
+ jb_set_string(js, "base", "dec");
+ break;
+ case DETECT_BYTETEST_BASE_HEX:
+ jb_set_string(js, "base", "hex");
+ break;
+ }
+ jb_open_array(js, "flags");
+ if (cd->flags & DETECT_BYTETEST_LITTLE)
+ jb_append_string(js, "little_endian");
+ if (cd->flags & DETECT_BYTETEST_BIG)
+ jb_append_string(js, "big_endian");
+ if (cd->flags & DETECT_BYTETEST_STRING)
+ jb_append_string(js, "string");
+ if (cd->flags & DETECT_BYTETEST_RELATIVE)
+ jb_append_string(js, "relative");
+ if (cd->flags & DETECT_BYTETEST_DCE)
+ jb_append_string(js, "dce");
+ jb_close(js);
+ jb_close(js);
 break;
 }
 }
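Review bot: `jb_set_uint(js, "offset", cd->offset)` in both the byte_jump and byte_test blocks, and `jb_set_uint(js, "post_offset", cd->post_offset)` in byte_jump, will misrepresent negative values if those fields are signed, which the relative/negative offsets these keywords accept suggest they are; the implicit conversion to the unsigned parameter turns -4 into 18446744073709551612 in the analyzer JSON, which is exactly the kind of silent distortion a rule-review tool must not introduce. If JsonBuilder has a signed setter in this tree, the change is `jb_set_int(js, "offset", cd->offset);` and likewise for `post_offset`; otherwise emit the value through a signed intermediate so the sign is preserved. If `offset` or `nbytes` can instead hold a byte_extract variable reference rather than a literal, the dump should say so, since the flag arrays emitted here do not distinguish a literal 2 from variable slot 2. Both `switch (cd->base)` statements also lack a `default:`, so a base value added later would be silently omitted from the output rather than reported. DumpMatches begins and ends outside the hunk.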