suricata: update list-keyword command

This patch update the list-keyword command. Without any option, the previous behavior is conserved. If 'all' is used as option, suricata print a csv formatted output of keyword information: name;features;description If a keyword name is used as argument, suricata print a readable message: tls.subject Features: state inspecting Description: Match TLS/SSL certificate Subject field
13 years ago · 5e4552fdcd
parent 86709f5e9d
commit 5e4552fdcd
4 changed files with 82 additions and 11 deletions
--- a/src/detect-tls.c
+++ b/src/detect-tls.c
@ -93,6 +93,7 @@ static int DetectTlsStoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, u
 */
 void DetectTlsRegister (void) {
    sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
+    sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "Match TLS/SSL certificate Subject field";
    sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch;
    sigmatch_table[DETECT_AL_TLS_SUBJECT].alproto = ALPROTO_TLS;
@ -101,6 +102,7 @@ void DetectTlsRegister (void) {
    sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;

    sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
+    sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "Match TLS/SSL certificate IssuerDN field";
    sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch;
    sigmatch_table[DETECT_AL_TLS_ISSUERDN].alproto = ALPROTO_TLS;
@ -109,6 +111,7 @@ void DetectTlsRegister (void) {
    sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;

    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
+    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "Match TLS/SSL certificate SHA1 fingerprint";
    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch;
    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alproto = ALPROTO_TLS;
@ -117,6 +120,7 @@ void DetectTlsRegister (void) {
    sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL;

    sigmatch_table[DETECT_AL_TLS_STORE].name = "tls.store";
+    sigmatch_table[DETECT_AL_TLS_STORE].desc = "Store certificate on disk";
    sigmatch_table[DETECT_AL_TLS_STORE].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_STORE].AppLayerMatch = DetectTlsStoreMatch;
    sigmatch_table[DETECT_AL_TLS_STORE].alproto = ALPROTO_TLS;
--- a/src/detect.c
+++ b/src/detect.c
@ -4566,17 +4566,79 @@ int SigGroupCleanup (DetectEngineCtx *de_ctx) {
    return 0;
 }

-void SigTableList(void)
+static inline void PrintFeatureList(int flags, char sep)
+{
+    int prev = 0;
+    if (flags & SIGMATCH_NOOPT) {
+        printf("No option");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_IPONLY_COMPAT) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("IP only rule");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_DEONLY_COMPAT) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("IP only rule");
+        prev = 1;
+    }
+    if (flags & SIGMATCH_PAYLOAD) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("payload inspecting rule");
+        prev = 1;
+    }
+    if (prev == 0) {
+        printf("none");
+    }
+}
+
+void SigTableList(const char *keyword)
 {
    size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);

    size_t i;
-    printf("=====Supported keywords=====\n");
-    for (i = 0; i < size; i++) {
-        if (sigmatch_table[i].name != NULL)
-            printf("- %s\n", sigmatch_table[i].name);
-    }

+    if (keyword == NULL) {
+        printf("=====Supported keywords=====\n");
+        for (i = 0; i < size; i++) {
+            if (sigmatch_table[i].name != NULL)
+                printf("- %s\n", sigmatch_table[i].name);
+        }
+    } else if (!strcmp("all", keyword)) {
+        printf("name;description;app layer;features\n");
+        for (i = 0; i < size; i++) {
+            if (sigmatch_table[i].name != NULL) {
+                printf("%s;", sigmatch_table[i].name);
+                if (sigmatch_table[i].desc) {
+                    printf("%s", sigmatch_table[i].desc);
+                }
+                /* Build feature */
+                printf(";%s;",
+                       TmModuleAlprotoToString(sigmatch_table[i].alproto));
+                PrintFeatureList(sigmatch_table[i].flags, ':');
+                printf("\n");
+            }
+        }
+    } else {
+        for (i = 0; i < size; i++) {
+            if ((sigmatch_table[i].name != NULL) &&
+                !strcmp(sigmatch_table[i].name, keyword)) {
+                printf("%s\n", sigmatch_table[i].name);
+                if (sigmatch_table[i].desc) {
+                    printf("Description: %s\n", sigmatch_table[i].desc);
+                }
+                printf("Protocol: %s\n",
+                       TmModuleAlprotoToString(sigmatch_table[i].alproto));
+                printf("Features: ");
+                PrintFeatureList(sigmatch_table[i].flags, ',');
+                printf("\n");
+            }
+        }
+    }
    return;
 }

--- a/src/detect.h
+++ b/src/detect.h
@ -860,6 +860,8 @@ typedef struct SigTableElmt_ {

    uint8_t flags;
    char *name;
+    char *desc;
+
 } SigTableElmt;

 #define SIG_GROUP_HEAD_MPM_COPY         (1)
@ -1115,7 +1117,7 @@ void SigAddressPrepareBidirectionals (DetectEngineCtx *);

 char *DetectLoadCompleteSigPath(char *sig_file);
 int SigLoadSignatures (DetectEngineCtx *, char *, int);
-void SigTableList(void);
+void SigTableList(const char *keyword);
 void SigTableSetup(void);
 int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
                       DetectEngineThreadCtx *det_ctx, Packet *p);
--- a/src/suricata.c
+++ b/src/suricata.c
@ -490,7 +490,7 @@ void usage(const char *progname)
    printf("\t--fatal-unittests            : enable fatal failure on unittest error\n");
 #endif /* UNITTESTS */
    printf("\t--list-app-layer-protos      : list supported app layer protocols\n");
-    printf("\t--list-keywords              : list all keywords implemented by the engine\n");
+    printf("\t--list-keywords[=any|<kword>]: list keywords implemented by the engine\n");
 #ifdef __SC_CUDA_SUPPORT__
    printf("\t--list-cuda-cards            : list cuda supported cards\n");
 #endif
@ -681,6 +681,7 @@ int main(int argc, char **argv)
    int list_cuda_cards = 0;
    int list_runmodes = 0;
    int list_keywords = 0;
+    const char *keyword_info = NULL;
    const char *runmode_custom_mode = NULL;
    int daemon = 0;
 #ifndef OS_WIN32
@ -763,7 +764,7 @@ int main(int argc, char **argv)
        {"list-unittests", 0, &list_unittests, 1},
        {"list-cuda-cards", 0, &list_cuda_cards, 1},
        {"list-runmodes", 0, &list_runmodes, 1},
-        {"list-keywords", 0, &list_keywords, 1},
+        {"list-keywords", optional_argument, &list_keywords, 1},
        {"runmode", required_argument, NULL, 0},
        {"engine-analysis", 0, &engine_analysis, 1},
 #ifdef OS_WIN32
@ -917,7 +918,9 @@ int main(int argc, char **argv)
                RunModeListRunmodes();
                exit(EXIT_SUCCESS);
            } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
-                // do nothing
+                if (optarg) {
+                    keyword_info = optarg;
+                }
            } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
                runmode_custom_mode = optarg;
            } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) {
@ -1419,7 +1422,7 @@ int main(int argc, char **argv)
    /* hardcoded initialization code */
    SigTableSetup(); /* load the rule keywords */
    if (list_keywords) {
-        SigTableList();
+        SigTableList(keyword_info);
        exit(EXIT_FAILURE);
    }
    TmqhSetup();