detect/analyzer: add more details for tcp_mss

Add more details to the tcp.mss keyword engine analysis output Issue: OISF#6355
0xEniola · Nov 11, 2023 · 7d9ef35 · 7d9ef35
1 parent b6cd66f
commit 7d9ef35
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 0 deletions.
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
@@ -32,13 +32,15 @@
 #include "detect-engine.h"
 #include "detect-engine-analyzer.h"
 #include "detect-engine-mpm.h"
+#include "detect-engine-uint.h"
 #include "conf.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-bytejump.h"
 #include "detect-bytetest.h"
 #include "detect-flow.h"
 #include "detect-tcp-flags.h"
+#include "detect-tcpmss.h"
 #include "detect-ipopts.h"
 #include "feature.h"
 #include "util-print.h"
@@ -861,6 +863,24 @@ static void DumpMatches(RuleAnalyzer *ctx, JsonBuilder *js, const SigMatchData *
                 jb_close(js);
                 break;
             }
+            case DETECT_TCPMSS: {
+                const DetectU16Data *cd = (const DetectU16Data *)smd->ctx;
+
+                jb_open_object(js, "tcp_mss");
+                const char *flag = TcpmssModeToString(cd->mode);
+                jb_set_string(js, "operand", flag);
+
+                if (strcmp(flag, "range") == 0) {
+                    jb_set_uint(js, "min", cd->arg1);
+                    jb_set_uint(js, "max", cd->arg2);
+                }
+                else { 
+                    jb_set_uint(js, "value", cd->arg1);
+                }
+
+                jb_close(js);
+                break;
+            }
         }
         jb_close(js);
 

diff --git a/src/detect-tcpmss.c b/src/detect-tcpmss.c
@@ -62,6 +62,31 @@ void DetectTcpmssRegister(void)
     return;
 }
 
+/**
+ * \brief Return human readable value for tcp.mss mode
+ *
+ * \param mode uint8_t DetectU16Data tcp.mss mode value
+ */
+const char *TcpmssModeToString(uint8_t mode)
+{
+    switch (mode) {
+        case 0:
+            return "equal";
+        case 1:
+            return "less than";
+        case 2:
+            return "less than or equal to";
+        case 3:
+            return "greater than";
+        case 4:
+            return "greater than or equal to";
+        case 5:
+            return "range";
+        case 6:
+            return "not equal to";
+    }
+}
+
 /**
  * \brief This function is used to match TCPMSS rule option on a packet with those passed via
  * tcpmss:

diff --git a/src/detect-tcpmss.h b/src/detect-tcpmss.h
@@ -26,4 +26,6 @@
 
 void DetectTcpmssRegister(void);
 
+const char *TcpmssModeToString(uint8_t mode);
+
 #endif	/* _DETECT_TCPMSS_H */
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,4 +26,6 @@

		void DetectTcpmssRegister(void);

		const char *TcpmssModeToString(uint8_t mode);

		#endif /* _DETECT_TCPMSS_H */