doc: integer keywords

Ticket: 6628 Document the generic detection capabilities for integer keywords. and make every integer keyword pointing to this section.
2 years ago · b8bc2c7e0f
parent d05f3ac791
commit b8bc2c7e0f
13 changed files with 130 additions and 0 deletions
--- a/doc/userguide/rules/dhcp-keywords.rst
+++ b/doc/userguide/rules/dhcp-keywords.rst
@ -6,6 +6,8 @@ dhcp.leasetime
 DHCP lease time (integer).
 dhcp.leasetime uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
 dhcp.leasetime:[op]<number>
@ -25,6 +27,8 @@ dhcp.rebinding_time
 DHCP rebinding time (integer).
 dhcp.rebinding_time uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
 dhcp.rebinding_time:[op]<number>
@ -44,6 +48,8 @@ dhcp.renewal_time
 DHCP renewal time (integer).
 dhcp.renewal_time uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
 dhcp.renewal_time:[op]<number>
--- a/doc/userguide/rules/file-keywords.rst
+++ b/doc/userguide/rules/file-keywords.rst
@ -244,6 +244,8 @@ filesize
 Match on the size of the file as it is being transferred.
 filesize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
  filesize:<value>;
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@ -292,6 +292,8 @@ flow.age
 Flow age in seconds (integer)
 This keyword does not wait for the end of the flow, but will be checked at each packet.
 flow.age uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 Syntax::
 flow.age: [op]<number>
@ -314,6 +316,8 @@ flow.pkts_toclient
 Flow number of packets to client (integer)
 This keyword does not wait for the end of the flow, but will be checked at each packet.
 flow.pkts_toclient uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 Syntax::
 flow.pkts_toclient: [op]<number>
@ -334,6 +338,8 @@ flow.pkts_toserver
 Flow number of packets to server (integer)
 This keyword does not wait for the end of the flow, but will be checked at each packet.
 flow.pkts_toserver uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 Syntax::
 flow.pkts_toserver: [op]<number>
@ -354,6 +360,8 @@ flow.bytes_toclient
 Flow number of bytes to client (integer)
 This keyword does not wait for the end of the flow, but will be checked at each packet.
 flow.bytes_toclient uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
 flow.bytes_toclient: [op]<number>
@ -374,6 +382,8 @@ flow.bytes_toserver
 Flow number of bytes to server (integer)
 This keyword does not wait for the end of the flow, but will be checked at each packet.
 flow.bytes_toserver uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 Syntax::
 flow.bytes_toserver: [op]<number>
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@ -15,6 +15,8 @@ For example::
  ttl:10;
 ttl uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 At the end of the ttl keyword you can enter the value on which you
 want to match. The Time-to-live value determines the maximal amount
 of time a packet can be in the Internet-system. If this field is set
@ -431,6 +433,8 @@ tcp.mss
 Match on the TCP MSS option value. Will not match if the option is not
 present.
 tcp.mss uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
 The format of the keyword::
  tcp.mss:<min>-<max>;
@ -506,6 +510,8 @@ messages. The different messages are distinct by different names, but
 more important by numeric values. For more information see the table
 with message-types and codes.
 itype uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 The format of the itype keyword::
  itype:min<>max;
@ -565,6 +571,8 @@ code of a ICMP message clarifies the message. Together with the
 ICMP-type it indicates with what kind of problem you are dealing with.
 A code has a different purpose with every ICMP-type.
 icode uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 The format of the icode keyword::
  icode:min<>max;
@ -719,6 +727,8 @@ icmpv6.mtu
 Match on the ICMPv6 MTU optional value. Will not match if the MTU is not
 present.
 icmpv6.mtu uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 The format of the keyword::
  icmpv6.mtu:<min>-<max>;
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@ -237,6 +237,8 @@ The ``urilen`` keyword is used to match on the length of the request
 URI. It is possible to use the ``<`` and ``>`` operators, which
 indicate respectively *smaller than* and *larger than*.
 urilen uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 The format of ``urilen`` is::
  urilen:3;
--- a/doc/userguide/rules/http2-keywords.rst
+++ b/doc/userguide/rules/http2-keywords.rst
@ -31,6 +31,8 @@ http2.priority
 Match on the value of the HTTP2 priority field present in a PRIORITY or HEADERS frame.
 http2.priority uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
@ -49,6 +51,8 @@ http2.window
 Match on the value of the HTTP2 value field present in a WINDOWUPDATE frame.
 http2.window uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
@ -68,6 +72,8 @@ Match on the size of the HTTP2 Dynamic Headers Table.
 More information on the protocol can be found here:
 `<https://tools.ietf.org/html/rfc7541#section-6.3>`_
 http2.size_update uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
--- a/doc/userguide/rules/ike-keywords.rst
+++ b/doc/userguide/rules/ike-keywords.rst
@ -61,6 +61,8 @@ ike.exchtype
 Match on the value of the Exchange Type.
 ike.exchtype uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
@ -106,6 +108,8 @@ ike.key_exchange_payload_length
 Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client.
 ike.key_exchange_payload_length uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
@ -138,6 +142,8 @@ ike.nonce_payload_length
 Match against the length of the nonce of the server or client.
 ike.nonce_payload_length uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -7,6 +7,7 @@ Suricata Rules
   meta
   header-keywords
   payload-keywords
   integer-keywords
   transforms
   prefilter-keywords
   flow-keywords
--- a/doc/userguide/rules/integer-keywords.rst
+++ b/doc/userguide/rules/integer-keywords.rst
@ -0,0 +1,77 @@
 .. _rules-integer-keywords:
 Integer Keywords
 ================
 Many keywords will match on an integer value on the network traffic.
 These are unsigned integers that can be 8, 16, 32 or 64 bits.
 Simple example::
    bsize:integer value;
 The integer value can be written as base-10 like ``100`` or as 
 an hexadecimal value like ``0x64``.
 The most direct example is to match for equality, but there are
 different modes.
 Comparison modes
 ----------------
 Integers can be matched for
 * Equality
 * Inequality
 * Greater than
 * Less than
 * Range
 * Negated range
 * Bitmask
 * Negated Bitmask
 .. note::
    Comparisons are strict by default. Ranges are thus exclusive.
    That means a range between 1 and 4 will match 2 and 3, but neither 1 nor 4.
    Negated range !1-4 will match for 1 or below and for 4 or above.
 Examples::
    bsize:19; # equality
    bsize:=0x13; # equality
    bsize:!0x14; # inequality
    bsize:!=20; # inequality
    bsize:>21; # greater than
    bsize:>=21; # greater than or equal
    bsize:<22; # lesser than
    bsize:<=22; # lesser than or equal
    bsize:19-22; # range between value1 and value2
    bsize:!19-22; # negated range between value1 and value2
    bsize:&0xc0=0x80; # bitmask mask is compared to value for equality
    bsize:&0xc0!=0; # bitmask mask is compared to value for inequality
 Enumerations
 ------------
 Some integers on the wire represent an enumeration, that is, some values
 have a string/meaning associated to it.
 Rules can be written using one of these strings to check for equality.
 This is meant to make rules more human-readable and equivalent for matching.
 Examples::
    websocket.opcode:text;
    websocket.opcode:1; # behaves the same
 Bitmasks
 --------
 Some integers on the wire represent multiple bits.
 Some of these bits have a string/meaning associated to it.
 Rules can be written using a list (comma-separated) of these strings,
 where each item can be negated.
 Examples::
    websocket.flags:fin,!comp;
    websocket.flags:&0xc0=0x80; # behaves the same
--- a/doc/userguide/rules/mqtt-keywords.rst
+++ b/doc/userguide/rules/mqtt-keywords.rst
@ -8,6 +8,8 @@ mqtt.protocol_version
 Match on the value of the MQTT protocol version field in the fixed header.
 mqtt.protocol_version uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
 The format of the keyword::
  mqtt.protocol_version:<min>-<max>;
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@ -280,6 +280,8 @@ bsize
 With the ``bsize`` keyword, you can match on the length of the buffer. This adds
 precision to the content match, previously this could have been done with ``isdataat``.
 bsize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
 An optional operator can be specified; if no operator is present, the operator will
 default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range),
 the bsize value will be compared using the relational operator. Ranges are inclusive.
@ -336,6 +338,8 @@ This may be convenient in detecting buffer overflows.
 dsize cannot be used when using app/streamlayer protocol keywords (i.e. http.uri)
 dsize uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
 Format::
  dsize:[<>!]number; || dsize:min<>max;
--- a/doc/userguide/rules/rfb-keywords.rst
+++ b/doc/userguide/rules/rfb-keywords.rst
@ -36,6 +36,8 @@ rfb.sectype
 Match on the value of the RFB security type field, e.g. ``2`` for VNC challenge-response authentication, ``0`` for no authentication, and ``30`` for Apple's custom Remote Desktop authentication.
 rfb.sectype uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
 * ``>`` (greater than)
--- a/doc/userguide/rules/tls-keywords.rst
+++ b/doc/userguide/rules/tls-keywords.rst
@ -284,6 +284,8 @@ tls.cert_chain_len
 Matches on the TLS certificate chain length.
 tls.cert_chain_len uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
 tls.cert_chain_len supports `<, >, <>, !` and using an exact value.
 Example::