diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index 89fac2509e..1e453863f5 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -1,5 +1,6 @@ Header Keywords =============== +.. role:: example-rule-emphasis IP-keywords ----------- @@ -27,7 +28,9 @@ routing loops. Example of the ttl keyword in a rule: -.. image:: header-keywords/ttl.png +.. container:: example-rule + + alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;) Ipopts ^^^^^^ @@ -37,7 +40,20 @@ set. Ipopts has to be used at the beginning of a rule. You can only match on one option per rule. There are several options on which can be matched. These are: -.. image:: header-keywords/ipopts.png +========= ============================= +IP Option Description +========= ============================= +rr Record Route +eol End of List +nop No Op +ts Time Stamp +sec IP Security +esec IP Extended Security +lsrr Loose Source Routing +ssrr Strict Source Routing +satid Stream Identifier +any any IP options are set +========= ============================= Format of the ipopts keyword:: @@ -49,7 +65,9 @@ For example:: Example of ipopts in a rule: -.. image:: header-keywords/ipopts_rule.png +.. container:: example-rule + + alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; :example-rule-emphasis:`ipopts:ssrr;` reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;) sameip ^^^^^^ 
@@ -64,7 +82,9 @@ keyword is:: Example of sameip in a rule: -.. image:: header-keywords/sameip.png +.. container:: example-rule + + alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; :example-rule-emphasis:`sameip;` reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;) ip_proto ^^^^^^^^ @@ -86,7 +106,9 @@ http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers Example of ip_proto in a rule: -.. image:: header-keywords/ip_proto.png +.. container:: example-rule + + alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;) The named variante of that example would be:: @@ -110,7 +132,9 @@ Format of id:: Example of id in a rule: -.. image:: header-keywords/id.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;) Geoip ^^^^^ @@ -174,7 +198,9 @@ Format:: Example of fragbits in a rule: -.. image:: header-keywords/fragbits.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Fragoffset ^^^^^^^^^^ 
@@ -199,7 +225,9 @@ Format of fragoffset:: Example of fragoffset in a rule: -.. image:: header-keywords/fragoffset.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: M; :example-rule-emphasis:`fragoffset: >0;` reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) TCP keywords ------------ @@ -226,7 +254,9 @@ Example:: Example of seq in a signature: -.. image:: header-keywords/seq.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; :example-rule-emphasis:`seq:0;` reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;) Example of seq in a packet (Wireshark): @@ -249,7 +279,9 @@ Format of ack:: Example of ack in a signature: -.. image:: header-keywords/ack.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; :example-rule-emphasis:`ack:0;` flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;) Example of ack in a packet (Wireshark): @@ -275,7 +307,9 @@ The format of the window keyword:: Example of window in a rule: -.. image:: header-keywords/Window.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) ICMP keywords ------------- 
@@ -316,7 +350,44 @@ This example looks for an ICMP type greater than 10:: Example of the itype keyword in a signature: -.. image:: header-keywords/icmp_type.png +.. container:: example-rule + + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; :example-rule-emphasis:`itype:8;` classtype:attempted-recon; sid:2100478; rev:4;) + +The following lists all ICMP types known at the time of writing. A recent table can be found `at the website of IANA `_ + +========== ========================================================== +ICMP Type Name +========== ========================================================== +0 Echo Reply +3 Destination Unreachable +4 Source Quench +5 Redirect +6 Alternate Host Address +8 Echo +9 Router Advertisement +10 Router Solicitation +11 Time Exceeded +12 Parameter Problem +13 Timestamp +14 Timestamp Reply +15 Information Request +16 Information Reply +17 Address Mask Request +18 Address Mask Reply +30 Traceroute +31 Datagram Conversion Error +32 Mobile Host Redirect +33 IPv6 Where-Are-You +34 IPv6 I-Am-Here +35 Mobile Registration Request +36 Mobile Registration Reply +37 Domain Name Request +38 Domain Name Reply +39 SKIP +40 Photuris +41 Experimental mobility protocols such as Seamoby +========== ========================================================== icode ^^^^^ 
@@ -338,7 +409,51 @@ This example looks for an ICMP code greater than 5:: Example of the icode keyword in a rule: -.. image:: header-keywords/icode.png +.. container:: example-rule + + alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; :example-rule-emphasis:`icode:0;` itype:11; classtype:misc-activity; sid:2100449; rev:7;) + +The following lists the meaning of all ICMP types. When a code is not listed, +only type 0 is defined and has the meaning of the ICMP code, in the table above. +A recent table can be found `at the website of IANA `_ + +========== ========== ========================================================================= +ICMP Code ICMP Type Description +========== ========== ========================================================================= +3 - 0 - Net Unreachable + - 1 - Host Unreachable + - 2 - Protocol Unreachable + - 3 - Port Unreachable + - 4 - Fragmentation Needed and Don't Fragment was Set + - 5 - Source Route Failed + - 6 - Destination Network Unknown + - 7 - Destination Host Unknown + - 8 - Source Host Isolated + - 9 - Communication with Destination Network is Administratively Prohibited + - 10 - Communication with Destination Host is Administratively Prohibited + - 11 - Destination Network Unreachable for Type of Service + - 12 - Destination Host Unreachable for Type of Service + - 13 - Communication Administratively Prohibited + - 14 - Host Precedence Violation + - 15 - Precedence cutoff in effect +5 - 0 - Redirect Datagram for the Network (or subnet) + - 1 - Redirect Datagram for the Host + - 2 - Redirect Datagram for the Type of Service and Network + - 3 - Redirect Datagram for the Type of Service and Host +9 - 0 - Normal router advertisement + - 16 - Doest not route common traffic +11 - 0 - Time to Live exceeded in Transit + - 1 - Fragment Reassembly Time Exceeded +12 - 0 - Pointer indicates the error + - 1 - Missing a Required Option + - 2 - Bad Length +40 - 0 - Bad SPI + - 1 - 
Authentication Failed + - 2 - Decompression Failed + - 3 - Decryption Failed + - 4 - Need Authentication + - 5 - Need Authorization +========== ========== ========================================================================= icmp_id ^^^^^^^ @@ -360,7 +475,9 @@ This example looks for an ICMP ID of 0:: Example of the icmp_id keyword in a rule: -.. image:: header-keywords/icmp_id.png +.. container:: example-rule + + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; :example-rule-emphasis:`icmp_id:0;` icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4;) icmp_seq ^^^^^^^^ @@ -381,12 +498,6 @@ This example looks for an ICMP Sequence of 0:: Example of icmp_seq in a rule: -.. image:: header-keywords/icmp_seq.png - -Message types and numbers: - -.. image:: header-keywords/ICMP_types.png - -Meaning of type-numbers en codes combined: +.. container:: example-rule -.. image:: header-keywords/ICMP_type_code.png + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;) diff --git a/doc/userguide/rules/header-keywords/ICMP_type_code.png b/doc/userguide/rules/header-keywords/ICMP_type_code.png deleted file mode 100644 index e14239e84e..0000000000 Binary files a/doc/userguide/rules/header-keywords/ICMP_type_code.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ICMP_types.png b/doc/userguide/rules/header-keywords/ICMP_types.png deleted file mode 100644 index a1589d8d89..0000000000 Binary files a/doc/userguide/rules/header-keywords/ICMP_types.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/Window.png b/doc/userguide/rules/header-keywords/Window.png deleted file mode 100644 index 1d1a53ee10..0000000000 Binary files a/doc/userguide/rules/header-keywords/Window.png and /dev/null differ 
diff --git a/doc/userguide/rules/header-keywords/ack.png b/doc/userguide/rules/header-keywords/ack.png deleted file mode 100644 index b5bd788c7e..0000000000 Binary files a/doc/userguide/rules/header-keywords/ack.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/fragbits.png b/doc/userguide/rules/header-keywords/fragbits.png deleted file mode 100644 index 30d497f1eb..0000000000 Binary files a/doc/userguide/rules/header-keywords/fragbits.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/fragoffset.png b/doc/userguide/rules/header-keywords/fragoffset.png deleted file mode 100644 index a5c1ecec7f..0000000000 Binary files a/doc/userguide/rules/header-keywords/fragoffset.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_id.png b/doc/userguide/rules/header-keywords/icmp_id.png deleted file mode 100644 index 6db0c5828f..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_id.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_seq.png b/doc/userguide/rules/header-keywords/icmp_seq.png deleted file mode 100644 index bcfcdc7041..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_seq.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_type.png b/doc/userguide/rules/header-keywords/icmp_type.png deleted file mode 100644 index 7ca579e458..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_type.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icode.png b/doc/userguide/rules/header-keywords/icode.png deleted file mode 100644 index 3535e55ac0..0000000000 Binary files a/doc/userguide/rules/header-keywords/icode.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/id.png b/doc/userguide/rules/header-keywords/id.png deleted file mode 100644 index 0285b8e403..0000000000 Binary files a/doc/userguide/rules/header-keywords/id.png and /dev/null differ 
diff --git a/doc/userguide/rules/header-keywords/ip_proto.png b/doc/userguide/rules/header-keywords/ip_proto.png deleted file mode 100644 index 1e5bc503d9..0000000000 Binary files a/doc/userguide/rules/header-keywords/ip_proto.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ipopts.png b/doc/userguide/rules/header-keywords/ipopts.png deleted file mode 100644 index 666c178427..0000000000 Binary files a/doc/userguide/rules/header-keywords/ipopts.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ipopts_rule.png b/doc/userguide/rules/header-keywords/ipopts_rule.png deleted file mode 100644 index c0f817ab80..0000000000 Binary files a/doc/userguide/rules/header-keywords/ipopts_rule.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/sameip.png b/doc/userguide/rules/header-keywords/sameip.png deleted file mode 100644 index 56e0f32f62..0000000000 Binary files a/doc/userguide/rules/header-keywords/sameip.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/seq.png b/doc/userguide/rules/header-keywords/seq.png deleted file mode 100644 index aa0cea5367..0000000000 Binary files a/doc/userguide/rules/header-keywords/seq.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ttl.png b/doc/userguide/rules/header-keywords/ttl.png deleted file mode 100644 index 3b18792aef..0000000000 Binary files a/doc/userguide/rules/header-keywords/ttl.png and /dev/null differ diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 6d38460b97..543ec9b3ba 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -2,6 +2,7 @@ HTTP Keywords ============= +.. role:: example-rule-emphasis There are additional content modifiers that can provide protocol-specific capabilities at the application layer. More information can be found at 
@@ -193,7 +194,9 @@ request URI buffer. Example of ``uricontent``: -.. image:: http-keywords/uricontent.png +.. container:: example-rule + + alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; :example-rule-emphasis:`uricontent:"/frame.html?";` urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;) The difference between ``http_uri`` and ``uricontent`` is the syntax: @@ -229,7 +232,9 @@ Example: Example of ``urilen`` in a signature: -.. image:: http-keywords/urilen1.png +.. container:: example-rule + + alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; :example-rule-emphasis:`urilen: > 80;` classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;) You can also append ``norm`` or ``raw`` to define what sort of buffer you want to use (normalized or raw buffer). diff --git a/doc/userguide/rules/http-keywords/uricontent.png b/doc/userguide/rules/http-keywords/uricontent.png deleted file mode 100644 index b9e8aad274..0000000000 Binary files a/doc/userguide/rules/http-keywords/uricontent.png and /dev/null differ diff --git a/doc/userguide/rules/http-keywords/urilen1.png b/doc/userguide/rules/http-keywords/urilen1.png deleted file mode 100644 index 8a11075fca..0000000000 Binary files a/doc/userguide/rules/http-keywords/urilen1.png and /dev/null differ diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index fb20a1c7ec..507d5b528f 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst 
@@ -15,9 +15,20 @@ A rule/signature consists of the following: The action, header and rule-options. +.. role:: example-rule-action +.. role:: example-rule-header +.. role:: example-rule-options +.. role:: example-rule-emphasis + Example of a signature: -.. image:: intro/intro_sig.png +.. container:: example-rule + + :example-rule-action:`drop` :example-rule-header:`tcp $HOME_NET any -> $EXTERNAL_NET any` :example-rule-options:`(msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)` + +In this example, :example-rule-action:`red` is the action, +:example-rule-header:`green` is the header and :example-rule-options:`blue` +are the options. Action ------ @@ -25,11 +36,9 @@ Action For more information read 'Action Order' see :ref:`suricata-yaml-action-order`. -Example: - -.. image:: intro/action.png +.. container:: example-rule -In this example the red, bold-faced part is the action. + :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) Protocol -------- @@ -45,7 +54,9 @@ match if it concerns http-traffic. Example: -.. image:: intro/protocol.png +.. container:: example-rule + + drop :example-rule-emphasis:`tcp` $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the protocol. 
@@ -83,13 +94,11 @@ You can not write a signature using EXTERNAL_NET because it stands for Example of source and destination in a signature: -.. image:: intro/Source.png +.. container:: example-rule -The red, bold-faced part is the source. + drop tcp :example-rule-emphasis:`$HOME_NET` any -> :example-rule-emphasis:`$EXTERNAL_NET` any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) -.. image:: intro/destination.png - -The red, bold-faced part is the destination. +*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).* Ports (source-and destination-port) ----------------------------------- @@ -120,10 +129,11 @@ Example:: Example of ports in a signature: -.. image:: intro/Source-port.png +.. container:: example-rule + drop tcp $HOME_NET :example-rule-emphasis:`any` -> $EXTERNAL_NET :example-rule-emphasis:`any` (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) -.. image:: intro/Dest_port.png +*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).* In this example, the red, bold-faced part is the port. 
@@ -152,7 +162,9 @@ same order/direction as the payload. Example of direction in a signature: -.. image:: intro/Direction.png +.. container:: example-rule + + drop tcp $HOME_NET any :example-rule-emphasis:`->` $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the direction. diff --git a/doc/userguide/rules/intro/Dest_port.png b/doc/userguide/rules/intro/Dest_port.png deleted file mode 100644 index 43e04147b8..0000000000 Binary files a/doc/userguide/rules/intro/Dest_port.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Direction.png b/doc/userguide/rules/intro/Direction.png deleted file mode 100644 index bdd2378e9f..0000000000 Binary files a/doc/userguide/rules/intro/Direction.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Source-port.png b/doc/userguide/rules/intro/Source-port.png deleted file mode 100644 index c046c49a53..0000000000 Binary files a/doc/userguide/rules/intro/Source-port.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Source.png b/doc/userguide/rules/intro/Source.png deleted file mode 100644 index d0d1baaa38..0000000000 Binary files a/doc/userguide/rules/intro/Source.png and /dev/null differ diff --git a/doc/userguide/rules/intro/action.png b/doc/userguide/rules/intro/action.png deleted file mode 100644 index 4d67d152b0..0000000000 Binary files a/doc/userguide/rules/intro/action.png and /dev/null differ diff --git a/doc/userguide/rules/intro/destination.png b/doc/userguide/rules/intro/destination.png deleted file mode 100644 index 3fc44dbc67..0000000000 Binary files a/doc/userguide/rules/intro/destination.png and /dev/null differ 
diff --git a/doc/userguide/rules/intro/intro_sig.png b/doc/userguide/rules/intro/intro_sig.png deleted file mode 100644 index b726fc5dcb..0000000000 Binary files a/doc/userguide/rules/intro/intro_sig.png and /dev/null differ diff --git a/doc/userguide/rules/intro/protocol.png b/doc/userguide/rules/intro/protocol.png deleted file mode 100644 index 2e0ef370a9..0000000000 Binary files a/doc/userguide/rules/intro/protocol.png and /dev/null differ diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 15edb28616..1feee768c2 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -1,6 +1,8 @@ Meta-settings ============= +.. role:: example-rule-emphasis + Meta-settings have no effect on Suricata's inspection; they do have an effect on the way Suricata reports events. msg (message) @@ -26,6 +28,10 @@ It is a convention that msg is always the first keyword of a signature. Another example of msg in a signature: +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (:example-rule-emphasis:`msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)";` flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) + In this example the red, bold-faced part is the msg. .. note:: The following characters must be escaped inside the msg: @@ -44,7 +50,9 @@ The format of sid is: Example of sid in a signature: -.. image:: meta/sid.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; :example-rule-emphasis:`sid:2008124;` rev:2;) In this example the red, bold-faced part is the sid. 
@@ -65,7 +73,9 @@ of all keywords.* Example of rev in a signature: -.. image:: meta/rev.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; :example-rule-emphasis:`rev:2;`) In this example the red, bold-faced part is the rev. @@ -80,7 +90,10 @@ the alert. Example of gid in a signature: -.. image:: meta/gid.png +.. container:: example-rule + + 10/15/09-03:30:10.219671 [**] [:example-rule-emphasis:`1`:2008124:2] ET TROJAN Likely Bot Nick in IRC (USA +..) [**] [Classification: A Network Trojan was Detected] + [Priority: 3] {TCP} 192.168.1.42:1028 -> 72.184.196.31:6667 This is an example from the fast.log. In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev). 
@@ -102,14 +115,21 @@ Example classtype:: config classification: web-application-attack,Web Application Attack,1 config classification: not-suspicious,Not Suspicious Traffic,3 -.. image:: meta/classification.png +======================= ====================== =========== +classtype Alert Priority +======================= ====================== =========== +web-application-attack Web Application Attack 1 +not-suspicious Not Suspicious Traffic 3 +======================= ====================== =========== In this example you see how classtype appears in signatures, the classification.config and the alert. Another example of classtype in a signature: -.. image:: meta/classtype.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; :example-rule-emphasis:`classtype:trojan-activity;` sid:2008124; rev:2;) In this example the red, bold-faced part is the classtype. @@ -152,7 +172,9 @@ For example bugtraq will be replaced by the full url: Example of reference in a signature: -.. image:: meta/reference.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; :example-rule-emphasis:`reference:url,doc.emergingthreats.net/2008124;` classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the action. diff --git a/doc/userguide/rules/meta/classification.png b/doc/userguide/rules/meta/classification.png deleted file mode 100644 index 456b1ee30a..0000000000 Binary files a/doc/userguide/rules/meta/classification.png and /dev/null differ 
diff --git a/doc/userguide/rules/meta/classtype.png b/doc/userguide/rules/meta/classtype.png deleted file mode 100644 index 3d891943d2..0000000000 Binary files a/doc/userguide/rules/meta/classtype.png and /dev/null differ diff --git a/doc/userguide/rules/meta/gid.png b/doc/userguide/rules/meta/gid.png deleted file mode 100644 index 051eecbf5d..0000000000 Binary files a/doc/userguide/rules/meta/gid.png and /dev/null differ diff --git a/doc/userguide/rules/meta/msg.png b/doc/userguide/rules/meta/msg.png deleted file mode 100644 index 8d1e1beeb9..0000000000 Binary files a/doc/userguide/rules/meta/msg.png and /dev/null differ diff --git a/doc/userguide/rules/meta/reference.png b/doc/userguide/rules/meta/reference.png deleted file mode 100644 index 8ed3057ef8..0000000000 Binary files a/doc/userguide/rules/meta/reference.png and /dev/null differ diff --git a/doc/userguide/rules/meta/rev.png b/doc/userguide/rules/meta/rev.png deleted file mode 100644 index d6f039fbdb..0000000000 Binary files a/doc/userguide/rules/meta/rev.png and /dev/null differ diff --git a/doc/userguide/rules/meta/sid.png b/doc/userguide/rules/meta/sid.png deleted file mode 100644 index 7952641d64..0000000000 Binary files a/doc/userguide/rules/meta/sid.png and /dev/null differ diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 42b6f70d01..47d44f9a3a 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -1,5 +1,6 @@ Payload Keywords ================ +.. role:: example-rule-emphasis .. toctree:: :maxdepth: 2 
@@ -67,7 +68,9 @@ If you add nothing special to the signature, it will try to find a match in all Example: -.. image:: payload-keywords/content.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; :example-rule-emphasis:`content:"NICK ";` pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example, the red, bold-faced part is the content. @@ -249,7 +252,9 @@ Format:: example of dsize in a rule: -.. image:: payload-keywords/dsize.png +.. container:: example-rule + + alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;) rpc ---- @@ -271,7 +276,9 @@ Format:: Example of the rpc keyword in a rule: -.. image:: payload-keywords/rpc.png +.. container:: example-rule + + alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) Replace ------- diff --git a/doc/userguide/rules/payload-keywords/content.png b/doc/userguide/rules/payload-keywords/content.png deleted file mode 100644 index 267f9ee511..0000000000 Binary files a/doc/userguide/rules/payload-keywords/content.png and /dev/null differ diff --git a/doc/userguide/rules/payload-keywords/dsize.png b/doc/userguide/rules/payload-keywords/dsize.png deleted file mode 100644 index 5973f9d2a8..0000000000 Binary files a/doc/userguide/rules/payload-keywords/dsize.png and /dev/null differ 
diff --git a/doc/userguide/rules/payload-keywords/rpc.png b/doc/userguide/rules/payload-keywords/rpc.png deleted file mode 100644 index f5965eb8f3..0000000000 Binary files a/doc/userguide/rules/payload-keywords/rpc.png and /dev/null differ
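Review bot: the context line that closes the ip_proto hunk in header-keywords.rst, "The named variante of that example would be::", still carries the typo "variante" (should be "variant"); since the lines directly above it are being rewritten, fix it in the same commit rather than leaving it for a later pass.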
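Review bot: the IANA reference added in the itype hunk of header-keywords.rst, `at the website of IANA `_, has no hyperlink target as it appears in the hunk; without an explicit `<URL>` inside the backticks Sphinx treats it as a reference to a named target called "at the website of IANA" and emits an unknown-target warning, so give it the URL of the IANA ICMP parameters registry in the `` `text <URL>`_ `` form. The same reference is repeated verbatim in the icode hunk and needs the same fix.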
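Review bot: the type/code table in the icode hunk of header-keywords.rst has its first two column headers reversed and the sentence introducing it has type and code swapped. The first column holds the ICMP type (3, 5, 9, 11, 12, 40) and the second the code, so the header should read "ICMP Type  ICMP Code  Description", and the lead-in should say "The following lists the meaning of all ICMP codes. When a type is not listed, only code 0 is defined and it has the meaning of the ICMP type in the table above." Also "Doest not route common traffic" for type 9 code 16 should be "Does not route common traffic".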
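Review bot: the explanatory sentence in the first intro.rst hunk identifies the rule parts only by colour ("red is the action, green is the header and blue are the options"), which depends entirely on stylesheet rules for the `example-rule-action`, `example-rule-header` and `example-rule-options` roles and the `example-rule` container class, and no CSS change is part of this diff; without it the sentence renders as plain text that literally says "red is the action". Either add the stylesheet in this change or name the parts instead of the colours (e.g. "`drop` is the action, `tcp $HOME_NET any -> $EXTERNAL_NET any` is the header and the part in parentheses is the options"). As a style point, the same `.. role::` lines are now declared separately in intro.rst, meta.rst, header-keywords.rst, http-keywords.rst and payload-keywords.rst; declaring them once via `rst_prolog` in conf.py avoids drift between files.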
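Review bot: the Action hunk in intro.rst drops both the "Example:" label and the sentence "In this example the red, bold-faced part is the action", while the Protocol, Ports and Direction hunks in the same file keep their "In this example the red, bold-faced part is the ..." sentences. Keep the sections consistent: either restore an explanatory sentence here or reword all of them to refer to the emphasized part, since "red, bold-faced" now describes whatever the stylesheet does with `example-rule-emphasis` rather than a fixed image.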
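Review bot: the Ports hunk in intro.rst puts the rule line directly under `.. container:: example-rule` with no blank line between them, unlike every other hunk in this diff; docutils reads indented text that immediately follows a directive line as directive arguments, so the rule would be parsed as container class names instead of content and would not render as the example. Insert the blank `+` line as in the other hunks. In the same hunk the italic sentence "*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).*" is copied unchanged from the source/destination hunk; here the emphasized parts are the source port and the destination port, and the sentence should say so.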
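Review bot: the context line closing the gid hunk in meta.rst, "1 is the gid (2008124 is the the sid and 2 the rev)", has a doubled "the"; fix it while the surrounding example is being replaced. Splitting the fast.log record across two indented lines inside the container is fine, since they join into one paragraph, but keep the break at the existing space before "[Priority: 3]" as done here so the rendered line matches real fast.log output.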
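Review bot: the classtype table in meta.rst (columns "classtype", "Alert", "Priority") only reproduces the two classification.config lines already shown above it, yet the unchanged sentence that follows still says "In this example you see how classtype appears in signatures, the classification.config and the alert", which described the removed image. Either extend the table with the signature and alert rendering of those classtypes, or reword the sentence to say that the table maps the classification.config entries to the alert name and priority.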
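Review bot: the context line that closes the reference hunk in meta.rst reads "In this example the red, bold-faced part is the action." but the emphasized part is `reference:url,doc.emergingthreats.net/2008124;`; change "action" to "reference" in this commit, since the sentence sits directly under the replaced example.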
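Review bot: the rpc example in the payload-keywords.rst hunk, `rpc:100009,*,*;`, is placed in a `container` directive, whose content is parsed as ordinary reStructuredText, so characters with inline-markup meaning must be escaped; the id example in header-keywords.rst does this for the pipes (`\|00 00 ...\|`), but the asterisks here are left bare. Either write `rpc:100009,\*,\*;` or confirm in the built HTML that both asterisks survive unchanged.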