documentation: sticky buffer updates

This changeset updates the userguide for the TLS and JA3 keywords that have been renamed from <id>_<name> to <id.name>
6 years ago · 97fc7c1e1a
parent 7f102d95b6
commit 97fc7c1e1a
2 changed files with 61 additions and 33 deletions
--- a/doc/userguide/rules/ja3-keywords.rst
+++ b/doc/userguide/rules/ja3-keywords.rst
@ -5,7 +5,7 @@ Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 i

 JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').

-ja3_hash
+ja3.hash
 --------

 Match on JA3 hash (md5).
@ -13,14 +13,18 @@ Match on JA3 hash (md5).
 Example::

  alert tls any any -> any any (msg:"match JA3 hash"; \
-      ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
+      ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \
      sid:100001;)

-``ja3_hash`` is a 'Sticky buffer'.
+``ja3.hash`` is a 'Sticky buffer'.

-``ja3_hash`` can be used as ``fast_pattern``.
+``ja3.hash`` can be used as ``fast_pattern``.

-ja3_string
+``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
+
+ja3.string
 ----------

 Match on JA3 string.
@ -28,9 +32,13 @@ Match on JA3 string.
 Example::

  alert tls any any -> any any (msg:"match JA3 string"; \
-      ja3_string; content:"19-20-21-22"; \
+      ja3.string; content:"19-20-21-22"; \
      sid:100002;)

-``ja3_string`` is a 'Sticky buffer'.
+``ja3.string`` is a 'Sticky buffer'.
+
+``ja3.string`` can be used as ``fast_pattern``.

-``ja3_string`` can be used as ``fast_pattern``.
+``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
--- a/doc/userguide/rules/tls-keywords.rst
+++ b/doc/userguide/rules/tls-keywords.rst
@ -3,35 +3,43 @@ SSL/TLS Keywords

 Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches.

-tls_cert_subject
+tls.cert_subject
 ----------------

 Match TLS/SSL certificate Subject field.

 Examples::

-  tls_cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
-  tls_cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";
+  tls.cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative;
+  tls.cert_subject; content:"google.com"; nocase; pcre:"/google.com$/";

-``tls_cert_subject`` is a 'Sticky buffer'.
+``tls.cert_subject`` is a 'Sticky buffer'.

-``tls_cert_subject`` can be used as ``fast_pattern``.
+``tls.cert_subject`` can be used as ``fast_pattern``.

-tls_cert_issuer
+``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
+
+tls.cert_issuer
 ---------------

 Match TLS/SSL certificate Issuer field.

 Examples::

-  tls_cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
-  tls_cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
+  tls.cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative;
+  tls.cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/";
+
+``tls.cert_issuer`` is a 'Sticky buffer'.

-``tls_cert_issuer`` is a 'Sticky buffer'.
+``tls.cert_issuer`` can be used as ``fast_pattern``.

-``tls_cert_issuer`` can be used as ``fast_pattern``.
+``tls.cert_issuer`` replaces the previous keyword name: ``tls_cert_issuer``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.

-tls_cert_serial
+tls.cert_serial
 ---------------

 Match on the serial number in a certificate.
@ -39,13 +47,17 @@ Match on the serial number in a certificate.
 Example::

  alert tls any any -> any any (msg:"match cert serial"; \
-    tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
+    tls.cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;)
+
+``tls.cert_serial`` is a 'Sticky buffer'.

-``tls_cert_serial`` is a 'Sticky buffer'.
+``tls.cert_serial`` can be used as ``fast_pattern``.

-``tls_cert_serial`` can be used as ``fast_pattern``.
+``tls.cert_serial`` replaces the previous keyword name: ``tls_cert_serial``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.

-tls_cert_fingerprint
+tls.cert_fingerprint
 --------------------

 Match on the SHA-1 fingerprint of the certificate.
@ -53,27 +65,35 @@ Match on the SHA-1 fingerprint of the certificate.
 Example::

  alert tls any any -> any any (msg:"match cert fingerprint"; \
-    tls_cert_fingerprint; \
+    tls.cert_fingerprint; \
    content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \
    sid:200023;)

-``tls_cert_fingerprint`` is a 'Sticky buffer'.
+``tls.cert_fingerprint`` is a 'Sticky buffer'.

-``tls_cert_fingerprint`` can be used as ``fast_pattern``.
+``tls.cert_fingerprint`` can be used as ``fast_pattern``.

-tls_sni
+``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.
+
+tls.sni
 -------

 Match TLS/SSL Server Name Indication field.

 Examples::

-  tls_sni; content:"oisf.net"; nocase; isdataat:!1,relative;
-  tls_sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";
+  tls.sni; content:"oisf.net"; nocase; isdataat:!1,relative;
+  tls.sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/";
+
+``tls.sni`` is a 'Sticky buffer'.

-``tls_sni`` is a 'Sticky buffer'.
+``tls.sni`` can be used as ``fast_pattern``.

-``tls_sni`` can be used as ``fast_pattern``.
+``tls.sni`` replaces the previous keyword name: ``tls_sni``. You may continue
+to use the previous name, but it's recommended that rules be converted to use
+the new name.

 tls_cert_notbefore
 ------------------
@ -166,7 +186,7 @@ example:

 Case sensitive, can't use 'nocase'.

-Legacy keyword. ``tls_cert_subject`` is the replacement.
+Legacy keyword. ``tls.cert_subject`` is the replacement.

 tls.issuerdn
 ------------
@ -182,7 +202,7 @@ example:

 Case sensitive, can't use 'nocase'.

-Legacy keyword. ``tls_cert_issuer`` is the replacement.
+Legacy keyword. ``tls.cert_issuer`` is the replacement.

 tls.fingerprint
 ---------------