userguide: explain rule types and categorization - v4 #12111
Conversation
Add documentation about the rule types introduced by 2696fda. Add doc tags around code definitions that are referenced in the docs. Task #https://redmine.openinfosecfoundation.org/issues/7031
| - 'tcp-stream' in protocol field; simple 'content'; 'byte_extract' | ||
| * - Application Layer Protocol | ||
| - Flow | ||
| - Per-packet basis |
There was a problem hiding this comment.
Is this more correct?
| - Flow | ||
| - Once per direction | ||
| - On the flow, on IP address level (negated addresses) | ||
| - Source/ Destination field of a rule, containing negated address |
There was a problem hiding this comment.
Added this, not sure if good to have or not
| Once parsed, Suricata rules are categorized for performance and further | ||
| processing (as different rule types will be handled by specific engine modules). | ||
| The signature types are defined in `src/detect.h | ||
| <https://github.com/OISF/suricata/blob/master/src/detect.h>`_: |
There was a problem hiding this comment.
removed the line references here, to make this more time resilient
|
|
||
| alert tcp-pkt [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any -> any any (msg:"tcp-pkt, no content"; sid:201;) | ||
|
|
||
| IP Only (negated address) |
There was a problem hiding this comment.
Should it also be contains negated address here, to ensure people are seeing it?
There was a problem hiding this comment.
perhaps another example as well, e.g. [10.0.0.0/8,!10.10.10.10]
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12111 +/- ##
==========================================
+ Coverage 83.23% 83.27% +0.04%
==========================================
Files 906 906
Lines 257647 257647
==========================================
+ Hits 214458 214567 +109
+ Misses 43189 43080 -109
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23303 |
|
New PR incoming to fix clang failure |
| :header-rows: 1 | ||
|
|
||
| * - Type | ||
| - Scope |
| - Flow, if stateful, per-packet if not | ||
| - Against the reassembled stream. If stream unavailable, match per-packet | ||
| (packet payload and stream payload) | ||
| - 'content' with 'starts with' or 'depth' |
There was a problem hiding this comment.
startswith is a keyword w/o space
| - 'tcp-stream' in protocol field; simple 'content'; 'byte_extract' | ||
| * - Application Layer Protocol | ||
| - Flow | ||
| - Per-packet basis |
|
|
||
| alert tcp-pkt [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any -> any any (msg:"tcp-pkt, no content"; sid:201;) | ||
|
|
||
| IP Only (negated address) |
There was a problem hiding this comment.
perhaps another example as well, e.g. [10.0.0.0/8,!10.10.10.10]
|
New version: #12112 |
Add documentation about the rule types introduced by 2696fda.
Add doc tags around code definitions that are referenced in the docs.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/
I guess this covers https://redmine.openinfosecfoundation.org/issues/7031
Built docs: https://suri-rtd-test.readthedocs.io/en/doc-sigtypes-et-properties-v4/rules/intro.html#rule-s-types-and-categorization
Previous PR: #12107
Describe changes: (tried to) address feedback:
Scope, and tie explanations to other Table columns as wellSignatureTypeandSignaturePropertiesapp-layer protocolrules are inspected