detect/analyzer: add more details for tcp_mss

Add more details to the tcp.mss keyword engine analysis output Issue: #6355
OISF · Nov 13, 2023 · 0ae40a8 · 0ae40a8
1 parent b6cd66f
commit 0ae40a8
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 0 deletions.
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
@@ -32,13 +32,15 @@
 #include "detect-engine.h"
 #include "detect-engine-analyzer.h"
 #include "detect-engine-mpm.h"
+#include "detect-engine-uint.h"
 #include "conf.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-bytejump.h"
 #include "detect-bytetest.h"
 #include "detect-flow.h"
 #include "detect-tcp-flags.h"
+#include "detect-tcpmss.h"
 #include "detect-ipopts.h"
 #include "feature.h"
 #include "util-print.h"
@@ -861,6 +863,22 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                 jb_close(js);
                 break;
             }
+            case DETECT_TCPMSS: {
+                const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
+
+                jb_open_object(js, "tcp_mss");
+                const char *flag = DetectTcpmssModeToString(cd->mode);
+                jb_set_string(js, "operand", flag);
+                if (strcmp(flag, "range") == 0) {
+                    jb_set_uint(js, "min", cd->arg1);
+                    jb_set_uint(js, "max", cd->arg2);
+                } else {
+                    jb_set_uint(js, "value", cd->arg1);
+                }
+
+                jb_close(js);
+                break;
+            }
         }
         jb_close(js);
 

diff --git a/src/detect-tcpmss.c b/src/detect-tcpmss.c
@@ -62,6 +62,33 @@ void DetectTcpmssRegister(void)
     return;
 }
 
+/**
+ * \brief Return human readable value for tcp.mss mode
+ *
+ * \param mode uint8_t DetectU16Data tcp.mss mode value
+ */
+const char *DetectTcpmssModeToString(DetectUintMode mode)
+{
+    switch (mode) {
+        case DetectUintModeEqual:
+            return "equal";
+        case DetectUintModeLt:
+            return "less than";
+        case DetectUintModeLte:
+            return "less than or equal to";
+        case DetectUintModeGt:
+            return "greater than";
+        case DetectUintModeGte:
+            return "greater than or equal to";
+        case DetectUintModeRange:
+            return "range";
+        case DetectUintModeNe:
+            return "not equal to";
+        default:
+            return NULL;
+    }
+}
+
 /**
  * \brief This function is used to match TCPMSS rule option on a packet with those passed via
  * tcpmss:

diff --git a/src/detect-tcpmss.h b/src/detect-tcpmss.h
@@ -26,4 +26,6 @@
 
 void DetectTcpmssRegister(void);
 
+const char *DetectTcpmssModeToString(DetectUintMode mode);
+
 #endif	/* _DETECT_TCPMSS_H */