doc: add ip.dst and ip.src doc

3 years ago · da8b16eaeb
parent 3599cbf1c4
commit da8b16eaeb
2 changed files with 30 additions and 0 deletions
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -37,6 +37,7 @@ Suricata Rules
   xbits
   thresholding
   ip-reputation-rules
+   ipaddr
   config
   datasets
   lua-detection
--- a/doc/userguide/rules/ipaddr.rst
+++ b/doc/userguide/rules/ipaddr.rst
@ -0,0 +1,29 @@
+IP Addresses Match
+==================
+
+Matching on IP addresses can be done via the IP tuple parameters or via the iprep keywords (see :doc:`/rules/ip-reputation-rules`).
+Some keywords providing interaction with datasets are also available.
+
+ip.src
+------
+
+The `ip.src` keyword is a sticky buffer to match on source IP address. It matches on the binary representation
+and is compatible with datasets of types `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound bad list"; flow:to_server; ip.src; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)
+
+ip.dst
+------
+
+The `ip.dst` keyword is a sticky buffer to match on destination IP address. It matches on the binary representation
+and is compatible with the dataset of type `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $HOME_NET any -> any any (msg:"Outbound bad list"; flow:to_server; ip.dst; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)