Commit Graph

396 Commits (b1c2643c87b0caeeccfd314842c6967119aa7d17)

Author SHA1 Message Date
jason taylor dcb548106e doc: update http.request_header keyword
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 3f5d228b9e doc: update http.host http.host.raw keyword
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 739dfe5e5e doc: update http.location keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 9ddd8cf9e0 doc: update http.server keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 3af98f3b92 doc: update http.response_body keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 64760e2e75 doc: update http.response_line keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 566bc0d39c doc: update http.stat_msg keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 271321249f doc: update http.stat_code keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 71d8488cb5 doc: update http.request_body keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor c2783e9391 doc: update http.header_names keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 5eadbc2ff0 doc: update http.start keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 7e65554462 doc: update http.referer keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 876dfb99ca doc: update http.content_len keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 8ff06c1bc0 doc: update http.content_type keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor b2854486dd doc: update http.connection keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 75436dff9c doc: update http.accept_lang keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor f6375e487e doc: update http.accept_enc keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 7e3288f5a7 doc: update http keyword normalization notes
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 9e87d89d2e doc: update http.accept keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 8307168ae7 doc: update http.user_agent keyword
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 75c4cdfa1c doc: update http.cookie keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 7a28874c8d doc: update http.header keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor b3af723486 doc: remove legacy description/duplicated data
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 292b3eb9b3 doc: update http.request_line keyword information
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor c7f351bd6e doc: update http.protocol keyword documentation
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 2d0ceedeba doc: update urilen keyword documentation
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor ef118aa582 doc: remove legacy uricontent information
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 96e8c10276 doc: update http.uri and http.uri.raw keywords
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor bf192926a8 doc: update http.method keyword
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 0cce5ba447 doc: add http keyword links
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor fd46175203 doc: update http primer information
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor 54fd35c5b4 doc: remove legacy tables and image references
ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
Hadiqa Alamdar Bukhari 3aa313d0c5 dns: add dns.rcode keyword
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions

Task #6621
1 year ago
Hadiqa Alamdar Bukhari 4b81851097 dns: add dns.rrtype keyword
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
1 year ago
Philippe Antoine e22217bda8 doc: there is no right shift for integer bitmasks
Ticket: 6628
1 year ago
Philippe Antoine f6e1a20215 detect: dns.opcode as first-class integer
Ticket: 5446

That means it can accept ranges
1 year ago
Juliana Fajardini 244a35d539 userguide: fix explanation about bsize ranges
Our code handles Uint ranges as exclusive, but for bsize, our
documentation stated that they're inclusive.

Cf. from uint.rs:

    DetectUintMode::DetectUintModeRange => {
        if val > x.arg1 && val < x.arg2 {
            return true;
        }
    }

Task #6708
1 year ago
Philippe Antoine b8bc2c7e0f doc: integer keywords
Ticket: 6628

Document the generic detection capabilities for integer keywords
and make every integer keyword point to this section.
1 year ago
Jason Ish 8bf8131c31 doc: note what version "requires" was added in
2 years ago
jason taylor 3cb7112aa5 detect: update smb.version keyword
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Eloy Pérez González a4901a1f70 smb: add smb.keyword documentation
2 years ago
Lukas Sismis 6e4cc79b39 doc: remove references to prehistoric versions
Remove references that are mentioning Suricata 3 or less
As a note - only one Suricata 4 reference found:
(suricata-yaml.rst:"In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting
SupportFastPatternForSigMatchList and SigTableSetup functions.

Ticket: #6570
2 years ago
Philippe Antoine adf5e6da7b detect: strip_pseudo_headers transform
Ticket: 6546
2 years ago
Philippe Antoine 4933b817aa doc: fix byte_test examples
As this keyword has 4 mandatory arguments, and some examples
had only three...

Ticket: 6629
2 years ago
Jason Ish 5d5b0509a5 requires: add requires keyword
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.

Example:

  requires: feature geoip, version >= 7.0.0, version < 8;
  requires: version >= 7.0.3 < 8
  requires: version >= 7.0.3 < 8 | >= 8.0.3

Feature: #5972

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
2 years ago
Jason Ish c1a8dbcb72 doc/userguide: document dns.query.name, dns.answer.name
With some other minor cleanups in the DNS keyword section.
2 years ago
Shivani Bhardwaj b9540df5ad doc: clarify IP-only with iprep
2 years ago
jason taylor fc81c99b58 doc: add file.name information to smtp keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 9d1ad0187e doc: add file.name information to nfs keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 327ba7397a doc: add file.name information to smb keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor e4077b8803 doc: update ftp keyword doc example rule format
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor bb1f7575d3 doc: add file.name information to ftp keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor bbc17b1c7d doc: add file.name information to http keyword doc
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Philippe Antoine 32cce122e1 detect: header_lowercase transform
Ticket: 6290
2 years ago
jason taylor c50002978d doc: update file.data keyword documentation
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Sascha Steinbiss 0c55fe3515 detect: add mqtt.connect.protocolstring
Ticket: OISF#6396
2 years ago
Victor Julien 6b2c33990f doc/userguide: add tag keyword page
Ticket: #3015.
2 years ago
Jeff Lucovsky 9ee55d2394 doc/transform: Document case-changing transforms.
Issue: 6439
2 years ago
Philippe Antoine ab9b6e30b1 detect: adds flow integer keywords
Ticket: #6164

flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
2 years ago
jason taylor 535938d7f6 doc: add tls.cert_chain_len docs
Ticket: #6386

Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Travis Green 96a0e7016f doc: add tcp flags documentation
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor be324d7856 doc: update file.magic information
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 008cc78a03 doc: update fileext keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor e99b1787a2 doc: update file.name keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Andreas Herz da68692547 doc: dataset - add type to be mandatory
2 years ago
jason taylor c95fce39f0 doc: add multi buffer support note to keyword docs
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor 88960e909d doc: add multiple buffer matching documentation
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Jeff Lucovsky 47e268d609 detect/byte_math: Document bytes variable name
Issue: 6145

Document that byte_math accepts a variable name for bytes (optional)
2 years ago
Jeff Lucovsky 3a4554fc2b detect/byte-jump: Document var usage for nbytes
Issue: 6105
2 years ago
Jeff Lucovsky 73b943276e doc/byte_test: Document byte_test variable usage
Issue: 6144

This commit updates the byte_test documentation now that a variable name
can be used for the nbytes value.
2 years ago
Shivani Bhardwaj b6f8f5eb3b doc/http: use "sticky buffer" where applicable
2 years ago
Jason Ish 14daa42e0b doc/userguide: dataset upgrade notes
2 years ago
Jason Ish 4a97461f9a doc/userguide: notes about Lua rules being disabled by default
2 years ago
Philippe Antoine 415b036dca http1: implement http.request_header
So that it is generic for HTTP1 and HTTP2

Ticket: #5780
2 years ago
Philippe Antoine 7256ec8a6e detect/http2: do not escape ':' in header name or value
for keywords http.request_header and http.response_header

Ticket: #5780
2 years ago
Philippe Antoine 656554f293 http2: rename http2.header to http.request_header
Or http.response_header based on the direction

http2.header had a different behavior than http.header and this was
confusing.

Ticket: #5780
2 years ago
Eloy Pérez González b3c7130749 krb5: update krb5_msg_type keyword docs
2 years ago
Victor Julien 0903536fd6 doc: spelling
Thanks to Josh Soref.
2 years ago
Philippe Antoine 9bd2b72e2b doc: explain where tls.store stores certificates
By adding a reference/link to the doc about the suricata.yaml
config section specifying the directory where the certificates
are stored
2 years ago
Victor Julien c0d9b3c078 doc/userguide: spelling
2 years ago
Andreas Herz 3045e75ee1 doc: add note on the hashsize recommendation for datasets
2 years ago
Philippe Antoine 59734d16a1 detect: use http.connection to client
Ticket: #5746
2 years ago
Philippe Antoine 6bc7f02e13 doc: rules can have http1 as protocol
Ticket: #5962
2 years ago
Jeff Lucovsky fd46c93a8f doc/byte_math: Add divide by 0 discussion.
Issue: 5945
2 years ago
Jeff Lucovsky 35bbdf4124 doc/content: Add limits for distance/within
Ticket: 5740
2 years ago
Shivani Bhardwaj 0f3e7761da doc: add dataset examples
2 years ago
Haleema Khan 609df1776e userguide: update tls keywords information
Ticket #5544
2 years ago
jason taylor 0632233791 userguide: update http.cookie description
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
Jeff Lucovsky 197ad51138 doc: Update bsize documentation
This commit updates the bsize documentation

1. Describe what happens when "content" immediately precedes "bsize"
2. Include the operators and
3. Include examples using the operators.
3 years ago
jason taylor 9dc8fffe05 userguide: update tos keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 1d9b91a987 userguide: update fragoffset keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 7c73144988 userguide: update fragbits information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 4be9793e36 userguide: update geoip information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor e8eba6e4a1 userguide: update id keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor cfd0da133e userguide: update ipv6.hdr keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 150a04b597 userguide: update ipv4.hdr keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 298f59c2ba userguide: update ip_proto keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 6226492976 userguide: update sameip keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor f97ba44339 userguide: update ipopts keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor 9b4e6e5802 userguide: update ttl keyword information
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago