doc: Make the header keywords section separate sections in ToC

pull/3062/head
Ralph Broenink 8 years ago committed by Victor Julien
parent a55a6cdb62
commit 196ba1da70

@ -1,8 +1,7 @@
Header Keywords
===============
.. role:: example-rule-emphasis .. role:: example-rule-emphasis
IP-keywords IP Keywords
----------- -----------
ttl ttl
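Review bot: the renamed heading "IP Keywords" is now title-cased, but the hunk header at -234 shows the sibling section is still titled "TCP keywords" with a lower-case k. Pick one capitalisation for the section titles, since they will sit next to each other in the ToC.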
@ -34,8 +33,7 @@ Example of the ttl keyword in a rule:
ipopts ipopts
^^^^^^ ^^^^^^
With the ipopts keyword you can check if a specific IP option is
With the ipopts keyword you can check if a specific ip option is
set. Ipopts has to be used at the beginning of a rule. You can only set. Ipopts has to be used at the beginning of a rule. You can only
match on one option per rule. There are several options on which can match on one option per rule. There are several options on which can
be matched. These are: be matched. These are:
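Review bot: in the paragraph under ipopts, the next sentence still opens with "Ipopts has to be used", which capitalises the keyword, and "There are several options on which can be matched" does not parse. Since this paragraph is being touched for capitalisation anyway, suggest "ipopts has to be used" (or "The ipopts keyword has to be used") and "There are several options that can be matched".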
@ -88,7 +86,6 @@ Example of sameip in a rule:
ip_proto ip_proto
^^^^^^^^ ^^^^^^^^
With the ip_proto keyword you can match on the IP protocol in the With the ip_proto keyword you can match on the IP protocol in the
packet-header. You can use the name or the number of the protocol. packet-header. You can use the name or the number of the protocol.
You can match for example on the following protocols:: You can match for example on the following protocols::
@ -110,7 +107,7 @@ Example of ip_proto in a rule:
alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;) alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;)
The named variante of that example would be:: The named variant of that example would be::
ip_proto:PIM ip_proto:PIM
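Review bot: the spelling fix in "The named variant of that example would be::" is unrelated to the ToC restructuring named in the commit subject. Either mention the wording fixes in the commit message or move them to a separate commit, so the history for the section changes stays easy to read.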
@ -138,7 +135,6 @@ Example of id in a rule:
geoip geoip
^^^^^ ^^^^^
The geoip keyword enables (you) to match on the source, destination or The geoip keyword enables (you) to match on the source, destination or
source and destination IP addresses of network traffic, and to see to source and destination IP addresses of network traffic, and to see to
which country it belongs. To be able to do this, Suricata uses GeoIP which country it belongs. To be able to do this, Suricata uses GeoIP
@ -163,12 +159,8 @@ direction you would like to match::
The keyword only supports IPv4. As it uses the GeoIP API of Maxmind, The keyword only supports IPv4. As it uses the GeoIP API of Maxmind,
libgeoip must be compiled in. libgeoip must be compiled in.
fragbits (IP fragmentation)
Fragments ^^^^^^^^^^^^^^^^^^^^^^^^^^^
---------
fragbits
^^^^^^^^
With the fragbits keyword, you can check if the fragmentation and With the fragbits keyword, you can check if the fragmentation and
reserved bits are set in the IP header. The fragbits keyword should be reserved bits are set in the IP header. The fragbits keyword should be
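Review bot: the new title "fragbits (IP fragmentation)" is the only keyword heading among the visible hunks that carries a parenthetical; ttl, ipopts, ip_proto, geoip, seq and icmp_id are all bare keyword names. reST derives a section's implicit link target from its title text, so this rename also changes the anchor for anything linking to the fragbits section. Consider keeping the title as plain "fragbits", since the first sentence already says it checks the fragmentation and reserved bits in the IP header.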
@ -234,7 +226,6 @@ TCP keywords
seq seq
^^^ ^^^
The seq keyword can be used in a signature to check for a specific TCP The seq keyword can be used in a signature to check for a specific TCP
sequence number. A sequence number is a number that is generated sequence number. A sequence number is a number that is generated
practically at random by both endpoints of a TCP-connection. The practically at random by both endpoints of a TCP-connection. The
@ -455,6 +446,7 @@ ICMP Code ICMP Type Description
- 5 - Need Authorization - 5 - Need Authorization
========== ========== ========================================================================= ========== ========== =========================================================================
icmp_id icmp_id
^^^^^^^ ^^^^^^^
