From 19d173e234bcd2a3c2ac869694f49286b294b3d7 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 11 Jan 2022 22:37:55 +0100
Subject: [PATCH] analysis: fix mpm for suricata 6.0.x
---
 suricatals/tests_rules.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/suricatals/tests_rules.py b/suricatals/tests_rules.py
index a1a20af..6c6bf62 100644
--- a/suricatals/tests_rules.py
+++ b/suricatals/tests_rules.py
@@ -416,6 +416,20 @@ def parse_engine_analysis_v2(self, json_path):
 if not 'info' in signature_msg:
 signature_msg['info'] = []
 signature_msg['info'].append('Fast Pattern "%s" on %s' % (signature_info['mpm']['pattern'], signature_info['mpm']['buffer']))
+ elif 'engines' in signature_info:
+ # Suricata 6.0.x don't have the mpm sub object
+ fp_buffer = None
+ fp_pattern = None
+ for engine in signature_info['engines']:
+ if engine['is_mpm']:
+ fp_buffer = engine['name']
+ for match in engine.get('matches', []):
+ if match.get('content', {}).get('is_mpm', False):
+ fp_pattern = match['content']['pattern']
+ if fp_buffer and fp_pattern:
+ if not 'info' in signature_msg:
+ signature_msg['info'] = []
+ signature_msg['info'].append('Fast Pattern "%s" on %s' % (fp_pattern, fp_buffer))
 if 'warnings' in signature_info:
 if not 'warnings' in signature_msg:
 signature_msg['warnings'] = []
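Review bot: The new `engines` branch mixes tolerant and strict access: `match.get('content', {}).get('is_mpm', False)` defends against missing keys, but `engine['is_mpm']` and `engine['name']` two lines earlier will raise KeyError on any engine entry that lacks them, which aborts parsing of the whole engine-analysis file for one unexpected entry. Since this code is explicitly adapting to schema differences between Suricata versions, the engine-level lookups should be equally defensive: `if engine.get('is_mpm'):` and `fp_buffer = engine.get('name')`. The `fp_buffer and fp_pattern` guard below already copes with a None buffer, so the fallback then degrades to "no fast-pattern info" rather than an exception. As a point of style, the repeated `if not 'info' in signature_msg: signature_msg['info'] = []` in both branches is `signature_msg.setdefault('info', []).append(...)`, and `'info' not in signature_msg` is the idiomatic spelling. The enclosing `parse_engine_analysis_v2` begins and ends outside the hunk.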