aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: add note about big endian for icmp_seq match

Browse Source
pull/11804/head
jason taylor 10 months ago committed by Victor Julien
parent 1420c83a87
commit f46a8776ec
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File

6
doc/userguide/rules/header-keywords.rst
Unescape Escape View File

@ -711,6 +711,12 @@ Example of icmp_seq in a rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;)
.. note:: Some pcap analysis tools, like wireshark, may give both a little
endian and big endian value for ``icmp_seq``. The ``icmp_seq`` keyword
matches on the big endian value, this is due to Suricata using the network
byte order (big endian) to perform the match comparison.
icmpv4.hdr icmpv4.hdr
^^^^^^^^^^ ^^^^^^^^^^

Write Preview
Loading…
Cancel
Save