detect/analyzer: add the type

Per rule type record properties of the type. Example output: { "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)", "id": 1001, "gid": 1, "rev": 0, "msg": "UDP with flow direction", "app_proto": "unknown", "requirements": [], "type": "pkt", "flags": [ "src_any", "dst_any", "sp_any", "dp_any", "toserver" ], "pkt_engines": [], "frame_engines": [], "lists": {} } Ticket: OISF#6085.
catenacyber · May 26, 2023 · c6d3b46 · c6d3b46
1 parent 2696fda
commit c6d3b46
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
@@ -841,6 +841,42 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
     }
     jb_close(ctx.js);
 
+    switch (s->type) {
+        case SIG_TYPE_NOT_SET:
+            jb_set_string(ctx.js, "type", "unset");
+            break;
+        case SIG_TYPE_IPONLY:
+            jb_set_string(ctx.js, "type", "ip_only");
+            break;
+        case SIG_TYPE_LIKE_IPONLY:
+            jb_set_string(ctx.js, "type", "like_ip_only");
+            break;
+        case SIG_TYPE_PDONLY:
+            jb_set_string(ctx.js, "type", "pd_only");
+            break;
+        case SIG_TYPE_DEONLY:
+            jb_set_string(ctx.js, "type", "de_only");
+            break;
+        case SIG_TYPE_PKT:
+            jb_set_string(ctx.js, "type", "pkt");
+            break;
+        case SIG_TYPE_PKT_STREAM:
+            jb_set_string(ctx.js, "type", "pkt_stream");
+            break;
+        case SIG_TYPE_STREAM:
+            jb_set_string(ctx.js, "type", "stream");
+            break;
+        case SIG_TYPE_APPLAYER:
+            jb_set_string(ctx.js, "type", "app_layer");
+            break;
+        case SIG_TYPE_APP_TX:
+            jb_set_string(ctx.js, "type", "app_tx");
+            break;
+        case SIG_TYPE_MAX:
+            jb_set_string(ctx.js, "type", "error");
+            break;
+    }
+
     jb_open_array(ctx.js, "flags");
     if (s->flags & SIG_FLAG_SRC_ANY) {
         jb_append_string(ctx.js, "src_any");