doc: multi-integers section for rules

Ticket: 7480 Describing the usage of index
2 months ago · dad424d74a
parent c0988252ba
commit dad424d74a
4 changed files with 31 additions and 0 deletions
--- a/doc/userguide/rules/dns-keywords.rst
+++ b/doc/userguide/rules/dns-keywords.rst
@ -82,6 +82,8 @@ This keyword matches on the **rrtype** (integer) found in the DNS message.

 dns.rrtype uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.

+dns.rrtype is also a :ref:`multi-integer <multi-integers>`.
+
 It can also be specified by text from the enumeration.

 Syntax
--- a/doc/userguide/rules/integer-keywords.rst
+++ b/doc/userguide/rules/integer-keywords.rst
@ -88,3 +88,26 @@ Examples::

    websocket.flags:fin,!comp;
    websocket.flags:&0xc0=0x80; # behaves the same
+
+.. _multi-integers:
+
+Multi-integers
+--------------
+
+As :ref:`multi-buffers <rules-multi-buffer-matching>` and sticky buffers,
+some integer keywords are also multi-integer.
+
+They expand the syntax of a single integer::
+ keyword: operation and value[,index];
+
+.. table:: **Index values for multi-integers keyword**
+
+    =========  ================================================
+    Value      Description
+    =========  ================================================
+    [default]  Match with any index
+    any        Match with any index
+    all        Match only if all indexes match
+    0>=        Match specific index
+    0<         Match specific index with back to front indexing
+    =========  ================================================
--- a/doc/userguide/rules/ldap-keywords.rst
+++ b/doc/userguide/rules/ldap-keywords.rst
@ -79,6 +79,8 @@ Syntax::

 ldap.responses.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.

+ldap.responses.operation is also a :ref:`multi-integer <multi-integers>`.
+
 This keyword maps to the EVE field ``ldap.responses[].operation``

 An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation
@ -272,6 +274,8 @@ Syntax::

 ldap.responses.result_code uses :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

+ldap.responses.result_code is also a :ref:`multi-integer <multi-integers>`.
+
 This keyword maps to the following eve fields:

   - ``ldap.responses[].bind_response.result_code``
--- a/doc/userguide/rules/multi-buffer-matching.rst
+++ b/doc/userguide/rules/multi-buffer-matching.rst
@ -1,3 +1,5 @@
+.. _rules-multi-buffer-matching:
+
 Multiple Buffer Matching
 ========================