aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc/byte_math: Add byte_math differences with snort

Browse Source 
Issue: 5077
pull/7921/head
Jeff Lucovsky 3 years ago committed by Victor Julien
parent 192a31c74e
commit 33c424f9ed
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File

14
doc/userguide/rules/differences-from-snort.rst
Unescape Escape View File

@ -263,6 +263,20 @@ See :doc:`http-keywords` for all HTTP keywords.
use ``byte_extract`` and ``byte_test`` to verify that they
work as expected.
``byte_math`` Keyword
---------------------
- Suricata accepts ``dce`` as an endian value or as a separate keyword.
``endian dce`` or ``dce`` are equivalent.
- Suricata's rule parser rejects rules that repeat keywords in a single
rule. E.g., ``byte_math: endian big, endian little``.
- Suricata's rule parser accepts ``rvalue`` values of ``0`` to the maximum
uint32 value. Snort rejects ``rvalue`` values of ``0`` and requires
values to be between ``[1..max-uint32 value]``.
``isdataat`` Keyword
--------------------

Write Preview
Loading…
Cancel
Save