jason taylor
8ff06c1bc0
doc: update http.content_type keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
b2854486dd
doc: update http.connection keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
75436dff9c
doc: update http.accept_lang keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
f6375e487e
doc: update http.accept_enc keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
7e3288f5a7
doc: update http keyword normalization notes
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
9e87d89d2e
doc: update http.accept keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
8307168ae7
doc: update http.user_agent keyword
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
75c4cdfa1c
doc: update http.cookie keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
7a28874c8d
doc: update http.header keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
b3af723486
doc: remove legacy description/duplicated data
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
292b3eb9b3
doc: update http.request_line keyword information
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
c7f351bd6e
doc: update http.protocol keyword documentation
...
Ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
2d0ceedeba
doc: update urilen keyword documentation
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
ef118aa582
doc: remove legacy uricontent information
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
96e8c10276
doc: update http.uri and http.uri.raw keywords
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
bf192926a8
doc: update http.method keyword
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
0cce5ba447
doc: add http keyword links
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
fd46175203
doc: update http primer information
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
jason taylor
54fd35c5b4
doc: remove legacy tables and image references
...
ticket: 3025
Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago
Hadiqa Alamdar Bukhari
3aa313d0c5
dns: add dns.rcode keyword
...
dns.rcode matches the rcode header field in DNS messages
It's an unsigned integer
valid ranges = [0-15]
Does not support prefilter
Supports matches in both flow directions
Task #6621
1 year ago
Hadiqa Alamdar Bukhari
4b81851097
dns: add dns.rrtype keyword
...
It matches the rrtype field in DNS
It's an unsigned integer match
valid ranges = [0-65535]
Does not support prefilter
Supports flow in both directions
Feature #6666
1 year ago
Philippe Antoine
e22217bda8
doc: there is no right shift for integer bitmasks
...
Ticket: 6628
1 year ago
Philippe Antoine
f6e1a20215
detect: dns.opcode as first-class integer
...
Ticket: 5446
That means it can accept ranges
1 year ago
Juliana Fajardini
244a35d539
userguide: fix explanation about bsize ranges
...
Our code handles Uint ranges as exclusive, but for bsize, our
documentation stated that they're inclusive.
Cf. from uint.rs:
DetectUintMode::DetectUintModeRange => {
if val > x.arg1 && val < x.arg2 {
return true;
}
}
Task #6708
2 years ago
Philippe Antoine
b8bc2c7e0f
doc: integer keywords
...
Ticket: 6628
Document the generic detection capabilities for integer keywords.
and make every integer keyword pointing to this section.
2 years ago
Jason Ish
8bf8131c31
doc: note what version "requires" was added in
2 years ago
jason taylor
3cb7112aa5
detect: update smb.version keyword
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Eloy Pérez González
a4901a1f70
smb: add smb.keyword documentation
2 years ago
Lukas Sismis
6e4cc79b39
doc: remove references to prehistoric versions
...
Remove references that are mentioning Suricata 3 or less
As a note - only one Suricata 4 reference found:
(suricata-yaml.rst:"In 4.1.x")
Fast pattern selection criteria can be internally found by inspecting
SupportFastPatternForSigMatchList and SigTableSetup functions.
Ticket: #6570
2 years ago
Philippe Antoine
adf5e6da7b
detect: strip_pseudo_headers transform
...
Ticket: 6546
2 years ago
Philippe Antoine
4933b817aa
doc: fix byte_test examples
...
As this keyword has 4 mandatory arguments, and some examples
had only three...
Ticket: 6629
2 years ago
Jason Ish
5d5b0509a5
requires: add requires keyword
...
Add a new rule keyword "requires" that allows a rule to require specific
Suricata versions and/or Suricata features to be enabled.
Example:
requires: feature geoip, version >= 7.0.0, version < 8;
requires: version >= 7.0.3 < 8
requires: version >= 7.0.3 < 8 | >= 8.0.3
Feature: #5972
Co-authored-by: Philippe Antoine <pantoine@oisf.net>
2 years ago
Jason Ish
c1a8dbcb72
doc/userguide: document dns.query.name, dns.answer.name
...
With some other minor cleanups in the DNS keyword section.
2 years ago
Shivani Bhardwaj
b9540df5ad
doc: clarify IP-only with iprep
2 years ago
jason taylor
fc81c99b58
doc: add file.name information to smtp keyword doc
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
9d1ad0187e
doc: add file.name information to nfs keyword doc
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
327ba7397a
doc: add file.name information to smb keyword doc
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
e4077b8803
doc: update ftp keyword doc example rule format
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
bb1f7575d3
doc: add file.name information to ftp keyword doc
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
bbc17b1c7d
doc: add file.name information to http keyword doc
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Philippe Antoine
32cce122e1
detect: header_lowercase transform
...
Ticket: 6290
2 years ago
jason taylor
c50002978d
doc: update file.data keyword documentation
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Sascha Steinbiss
0c55fe3515
detect: add mqtt.connect.protocolstring
...
Ticket: OISF#6396
2 years ago
Victor Julien
6b2c33990f
doc/userguide: add tag keyword page
...
Ticket: #3015 .
2 years ago
Jeff Lucovsky
9ee55d2394
doc/transform: Document case-changing transforms.
...
Issue: 6439
2 years ago
Philippe Antoine
ab9b6e30b1
detect: adds flow integer keywords
...
Ticket: #6164
flow.pkts_toclient
flow.pkts_toserver
flow.bytes_toclient
flow.bytes_toserver
2 years ago
jason taylor
535938d7f6
doc: add tls.cert_chain_len docs
...
Ticket: #6386
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Travis Green
96a0e7016f
doc: add tcp flags documentation
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
be324d7856
doc: update file.magic information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
008cc78a03
doc: update fileext keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
e99b1787a2
doc: update file.name keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Andreas Herz
da68692547
doc: dataset - add type to be mandatory
2 years ago
jason taylor
c95fce39f0
doc: add multi buffer support note to keyword docs
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
jason taylor
88960e909d
doc: add multiple buffer matching documentation
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
2 years ago
Jeff Lucovsky
47e268d609
detect/byte_math: Document bytes variable name
...
Issue: 6145
Document that byte_math accepts a variable name for bytes (optional)
2 years ago
Jeff Lucovsky
3a4554fc2b
detect/byte-jump: Document var usage for nbytes
...
Issue: 6105
2 years ago
Jeff Lucovsky
73b943276e
doc/byte_test: Document byte_test variable usage
...
Issue: 6144
This commit updates the byte_test documentation now that a variable name
can be used for the nbytes value.
2 years ago
Shivani Bhardwaj
b6f8f5eb3b
doc/http: use "sticky buffer" where applicable
2 years ago
Jason Ish
14daa42e0b
doc/userguide: dataset upgrade notes
2 years ago
Jason Ish
4a97461f9a
doc/userguide: notes about Lua rules being disabled by default
2 years ago
Philippe Antoine
415b036dca
http1: implement http.request_header
...
So that it is generic for HTTP1 and HTTP2
Ticket: #5780
2 years ago
Philippe Antoine
7256ec8a6e
detect/http2: do not escape ':' in header name or value
...
for keywords http.request_header and http.response_header
Ticket: #5780
2 years ago
Philippe Antoine
656554f293
http2: rename http2.header to http.request_header
...
Or http.response_header based on the direction
http2.header had a different behavior than http.header and this was
confusing.
Ticket: #5780
2 years ago
Eloy Pérez González
b3c7130749
krb5: update krb5_msg_type keyword docs
2 years ago
Victor Julien
0903536fd6
doc: spelling
...
Thanks to Josh Soref.
2 years ago
Philippe Antoine
9bd2b72e2b
doc: explain where tls.store stores certificates
...
By adding a reference/link to the doc about the suricata.yaml
config section pecifying the directory where the certificates
are stored
2 years ago
Victor Julien
c0d9b3c078
doc/userguide: spelling
2 years ago
Andreas Herz
3045e75ee1
doc: add note on the hashsize recommendation for datasets
2 years ago
Philippe Antoine
59734d16a1
detect: use http.connection to client
...
Ticket: #5746
2 years ago
Philippe Antoine
6bc7f02e13
doc: rules can have http1 as protocol
...
Ticket: #5962
2 years ago
Jeff Lucovsky
fd46c93a8f
doc/byte_math: Add divide by 0 discussion.
...
Issue: 5945
2 years ago
Jeff Lucovsky
35bbdf4124
doc/content: Add limits for distance/within
...
Ticket: 5740
2 years ago
Shivani Bhardwaj
0f3e7761da
doc: add dataset examples
2 years ago
Haleema Khan
609df1776e
userguide: update tls keywords information
...
Ticket #5544
2 years ago
jason taylor
0632233791
userguide: update http.cookie description
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
Jeff Lucovsky
197ad51138
doc: Update bsize documentation
...
This commit updates the bsize documentation
1. Describe what happens when "content" immediately precedes "bsize"
2. Include the operators and
3. Include examples using the operators.
3 years ago
jason taylor
9dc8fffe05
userguide: update tos keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
1d9b91a987
userguide: update fragoffset keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
7c73144988
userguide: update fragbits information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
4be9793e36
userguide: update geoip information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
e8eba6e4a1
userguide: update id keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
cfd0da133e
userguide: update ipv6.hdr keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
150a04b597
userguide: update ipv4.hdr keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
298f59c2ba
userguide: update ip_proto keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
6226492976
userguide: update sameip keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
f97ba44339
userguide: update ipopts keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
jason taylor
9b4e6e5802
userguide: update ttl keyword information
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
3 years ago
Philippe Antoine
ce710181f6
doc: update doc for HTTP file.data to server
...
Ticket: #4144
Completes e587f6792a
3 years ago
Aaron Bungay
d166c48d28
docs: update for bittorrent-dht app-layer
3 years ago
Eric Leblond
9fb0137d9d
doc: add reference to ipaddr in IP matching
3 years ago
Eric Leblond
3bd48d9336
detect: doc link for ip.src and ip.dst
3 years ago
Eric Leblond
da8b16eaeb
doc: add ip.dst and ip.src doc
3 years ago
Eric Leblond
3599cbf1c4
doc: document new dataset types
...
Feature: #5383
3 years ago
Eric Leblond
a1a22cccd2
doc: document dataset-lookup
...
Ticket: #5184
3 years ago
Eric Leblond
20973e9e6b
doc: add dataset-clear command
...
Ticket: #5184
3 years ago
Eric Leblond
c5559cb68f
doc: document dataset-dump command
...
Ticket: #5184
3 years ago
Lukas Sismis
37cf365e19
docs: remove outdated constraint of negation support for ssl_state
...
Commit 487cdda93d
adds negation support for the SSL state.
3 years ago
Shivani Bhardwaj
2a0cb1f3da
doc: update base64_decode notes
3 years ago
Eric Leblond
f46f895e8d
rust/smb: import NT status code for Microsoft doc
...
This patch updates the NT status code definition to use the status
definition used on Microsoft documentation website. A first python
script is building JSON object with code definition.
```
import json
from bs4 import BeautifulSoup
import requests
ntstatus = requests.get('https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55 ')
ntstatus_parsed = BeautifulSoup(ntstatus.text, 'html.parser')
ntstatus_parsed = ntstatus_parsed.find('tbody')
ntstatus_dict = {}
for item in ntstatus_parsed.find_all('tr'):
cell = item.find_all('td')
if len(cell) == 0:
continue
code = cell[0].find_all('p')
description_ps = cell[1].find_all('p')
description_list = []
if len(description_ps):
for desc in description_ps:
if not desc.string is None:
description_list.append(desc.string.replace('\n ', ''))
else:
description_list = ['Description not available']
if not code[0].string.lower() in ntstatus_dict:
ntstatus_dict[code[0].string.lower()] = {"text": code[1].string, "desc": ' '.join(description_list)}
print(json.dumps(ntstatus_dict))
```
The second one is generating the code that is ready to be inserted into the
source file:
```
import json
ntstatus_file = open('ntstatus.json', 'r')
ntstatus = json.loads(ntstatus_file.read())
declaration_format = 'pub const SMB_NT%s:%su32 = %s;\n'
resolution_format = ' SMB_NT%s%s=> "%s",\n'
declaration = ""
resolution = ""
text_max = len(max([ntstatus[x]['text'] for x in ntstatus.keys()], key=len))
for code in ntstatus.keys():
text = ntstatus[code]['text']
text_spaces = ' ' * (4 + text_max - len(text))
declaration += declaration_format % (text, text_spaces, code)
resolution += resolution_format % (text, text_spaces, text)
print(declaration)
print('\n')
print('''
pub fn smb_ntstatus_string(c: u32) -> String {
match c {
''')
print(resolution)
print('''
_ => { return (c).to_string(); },
}.to_string()
}
''')
```
Bug #5412 .
3 years ago
Juliana Fajardini
7b0008d4f0
userguide: add section about exception policies
...
This describes briefly what the exception policies are, what is the
engine's behavior, what options are available and to which parts are
they implemented.
Task #5475
Task #5515
3 years ago