From af87a35aa06cf6efe2303a43f4a94dc124726341 Mon Sep 17 00:00:00 2001 From: Daniel Olatunji Date: Sun, 12 Nov 2023 17:52:33 +0000 Subject: [PATCH] detect/analyzer: add more details for tcp_mss Add more details to the tcp.mss keyword engine analysis output Issue: #6355 --- src/detect-engine-analyzer.c | 18 ++++++++++++++++++ src/detect-tcpmss.c | 27 +++++++++++++++++++++++++++ src/detect-tcpmss.h | 2 ++ 3 files changed, 47 insertions(+) diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c index a37afabb0f00..af418e1035e8 100644 --- a/src/detect-engine-analyzer.c +++ b/src/detect-engine-analyzer.c @@ -32,6 +32,7 @@ #include "detect-engine.h" #include "detect-engine-analyzer.h" #include "detect-engine-mpm.h" +#include "detect-engine-uint.h" #include "conf.h" #include "detect-content.h" #include "detect-pcre.h" @@ -39,6 +40,7 @@ #include "detect-bytetest.h" #include "detect-flow.h" #include "detect-tcp-flags.h" +#include "detect-tcpmss.h" #include "detect-ipopts.h" #include "feature.h" #include "util-print.h" @@ -861,6 +863,22 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData * jb_close(js); break; } + case DETECT_TCPMSS: { + const DetectU16Data *cd = (const DetectU16Data *)smd->ctx; + + jb_open_object(js, "tcp_mss"); + const char *flag = TcpmssModeToString(cd->mode); + jb_set_string(js, "operand", flag); + if (strcmp(flag, "range") == 0) { + jb_set_uint(js, "min", cd->arg1); + jb_set_uint(js, "max", cd->arg2); + } else { + jb_set_uint(js, "value", cd->arg1); + } + + jb_close(js); + break; + } } jb_close(js); diff --git a/src/detect-tcpmss.c b/src/detect-tcpmss.c index 1ed04d349943..48da51218d9f 100644 --- a/src/detect-tcpmss.c +++ b/src/detect-tcpmss.c 
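Review bot: In the new `case DETECT_TCPMSS` block the pointer returned by `TcpmssModeToString(cd->mode)` is handed straight to `strcmp()` and `jb_set_string()` with no NULL check, yet that helper returns NULL for any mode outside 0–6 (its `default:` arm), so an unexpected mode value would dereference NULL inside the analyzer. Guard it right after the call, e.g. `if (flag == NULL) { flag = "unknown"; }`, so the JSON output degrades instead of crashing. Selecting the min/max layout with `strcmp(flag, "range")` also couples the output shape to a display string; comparing `cd->mode` against the range enumerator that the newly included `detect-engine-uint.h` presumably declares for `DetectU16Data::mode` would be more robust to a later rename of the label. `DumpMatches` starts before and ends after this hunk.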
@@ -62,6 +62,33 @@ void DetectTcpmssRegister(void) return; } +/** + * \brief Return human readable value for tcp.mss mode + * + * \param mode uint8_t DetectU16Data tcp.mss mode value + */ +const char *TcpmssModeToString(uint8_t mode) +{ + switch (mode) { + case 0: + return "equal"; + case 1: + return "less than"; + case 2: + return "less than or equal to"; + case 3: + return "greater than"; + case 4: + return "greater than or equal to"; + case 5: + return "range"; + case 6: + return "not equal to"; + default: + return NULL; + } +} + /** * \brief This function is used to match TCPMSS rule option on a packet with those passed via * tcpmss: diff --git a/src/detect-tcpmss.h b/src/detect-tcpmss.h index d01f2819b563..fa014a50a830 100644 --- a/src/detect-tcpmss.h +++ b/src/detect-tcpmss.h @@ -26,4 +26,6 @@ void DetectTcpmssRegister(void); +const char *TcpmssModeToString(uint8_t mode); + #endif /* _DETECT_TCPMSS_H */
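Review bot: `TcpmssModeToString` switches on the bare literals 0–6 for `mode`, which duplicates whatever enumeration `detect-engine-uint.h` defines for `DetectU16Data::mode`; if that enum is ever reordered or extended, the analyzer would silently print the wrong operand, so the `case` labels should use the named enumerators (equal, less-than, range, not-equal, and so on) rather than numbers. The Doxygen header also omits the one fact a caller needs, that the `default:` arm returns NULL: add `\retval NULL if mode is not a recognised DetectU16Data mode` after the `\param` line. Since the mapping is not tcp.mss-specific, the maintainers may prefer it as a generic DetectU16Data mode helper rather than a tcp.mss export; that is a placement question, not a defect. The `return;` and `}` context lines belong to `DetectTcpmssRegister`, which starts outside this hunk.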