aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: add bsize documentation and rule example

Browse Source 
Signed-off-by: jason taylor <jtfas90@gmail.com>
pull/4460/head
jason taylor 6 years ago committed by Victor Julien
parent 5ee8323028
commit 4f7dc4f136
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File

15
doc/userguide/rules/payload-keywords.rst
Unescape Escape View File

@ -264,6 +264,21 @@ You can also use the negation (!) before isdataat.
.. image:: payload-keywords/isdataat1.png .. image:: payload-keywords/isdataat1.png
bsize
-----
With the bsize keyword, you can match on the length of the buffer. This adds precision to the content match, previously this could have been done with isdataat.
Format::
bsize:<number>;
Example of bsize in a rule:
.. container:: example-rule
alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"google.com"; bsize:10; sid:123; rev:1;)
dsize dsize
----- -----

Write Preview
Loading…
Cancel
Save