8. Suricata RulesΒΆ
- 8.1. Rules Format
- 8.2. Meta Keywords
- 8.3. IP Keywords
- 8.4. TCP keywords
- 8.5. UDP keywords
- 8.6. ICMP keywords
- 8.7. Payload Keywords
- 8.7.1. content
- 8.7.2. nocase
- 8.7.3. depth
- 8.7.4. startswith
- 8.7.5. endswith
- 8.7.6. offset
- 8.7.7. distance
- 8.7.8. within
- 8.7.9. rawbytes
- 8.7.10. isdataat
- 8.7.11. bsize
- 8.7.12. dsize
- 8.7.13. byte_test
- 8.7.14. byte_math
- 8.7.15. byte_jump
- 8.7.16. byte_extract
- 8.7.17. rpc
- 8.7.18. replace
- 8.7.19. pcre (Perl Compatible Regular Expressions)
- 8.8. Changes from PCRE1 to PCRE2
- 8.9. Transformations
- 8.10. Prefiltering Keywords
- 8.11. Flow Keywords
- 8.12. Bypass Keyword
- 8.13. HTTP Keywords
- 8.13.1. HTTP Primer
- 8.13.2. http.method
- 8.13.3. http.uri and http.uri.raw
- 8.13.4. uricontent
- 8.13.5. urilen
- 8.13.6. http.protocol
- 8.13.7. http.request_line
- 8.13.8. http.header and http.header.raw
- 8.13.9. http.cookie
- 8.13.10. http.user_agent
- 8.13.11. http.accept
- 8.13.12. http.accept_enc
- 8.13.13. http.accept_lang
- 8.13.14. http.connection
- 8.13.15. http.content_type
- 8.13.16. http.content_len
- 8.13.17. http.referer
- 8.13.18. http.start
- 8.13.19. http.header_names
- 8.13.20. http.request_body
- 8.13.21. http.stat_code
- 8.13.22. http.stat_msg
- 8.13.23. http.response_line
- 8.13.24. http.response_body
- 8.13.25. http.server
- 8.13.26. http.location
- 8.13.27. http.host and http.host.raw
- 8.13.28. http.request_header
- 8.13.29. http.response_header
- 8.13.30. file.data
- 8.14. File Keywords
- 8.15. DNS Keywords
- 8.16. SSL/TLS Keywords
- 8.16.1. tls.cert_subject
- 8.16.2. tls.cert_issuer
- 8.16.3. tls.cert_serial
- 8.16.4. tls.cert_fingerprint
- 8.16.5. tls.sni
- 8.16.6. tls_cert_notbefore
- 8.16.7. tls_cert_notafter
- 8.16.8. tls_cert_expired
- 8.16.9. tls_cert_valid
- 8.16.10. tls.certs
- 8.16.11. tls.version
- 8.16.12. ssl_version
- 8.16.13. tls.fingerprint
- 8.16.14. tls.store
- 8.16.15. ssl_state
- 8.16.16. tls.random
- 8.16.17. tls.random_time
- 8.16.18. tls.random_bytes
- 8.17. SSH Keywords
- 8.18. JA3 Keywords
- 8.19. Modbus Keyword
- 8.20. DCERPC Keywords
- 8.21. DHCP keywords
- 8.22. DNP3 Keywords
- 8.23. ENIP/CIP Keywords
- 8.24. FTP/FTP-DATA Keywords
- 8.25. Kerberos Keywords
- 8.26. SMB Keywords
- 8.27. SNMP keywords
- 8.28. Base64 keywords
- 8.29. SIP Keywords
- 8.30. RFB Keywords
- 8.31. MQTT Keywords
- 8.31.1. mqtt.protocol_version
- 8.31.2. mqtt.type
- 8.31.3. mqtt.flags
- 8.31.4. mqtt.qos
- 8.31.5. mqtt.reason_code
- 8.31.6. mqtt.connack.session_present
- 8.31.7. mqtt.connect.clientid
- 8.31.8. mqtt.connect.flags
- 8.31.9. mqtt.connect.password
- 8.31.10. mqtt.connect.username
- 8.31.11. mqtt.connect.willmessage
- 8.31.12. mqtt.connect.willtopic
- 8.31.13. mqtt.publish.message
- 8.31.14. mqtt.publish.topic
- 8.31.15. mqtt.subscribe.topic
- 8.31.16. mqtt.unsubscribe.topic
- 8.31.17. Additional information
- 8.32. IKE Keywords
- 8.33. HTTP2 Keywords
- 8.34. Quic Keywords
- 8.35. Generic App Layer Keywords
- 8.36. Xbits Keyword
- 8.37. Thresholding Keywords
- 8.38. IP Reputation Keyword
- 8.39. IP Addresses Match
- 8.40. Config Rules
- 8.41. Datasets
- 8.42. Lua Scripting for Detection
- 8.43. Differences From Snort
- 8.43.1. Automatic Protocol Detection
- 8.43.2.
urilenKeyword - 8.43.3.
http_uriBuffer - 8.43.4.
http_headerBuffer - 8.43.5.
http_cookieBuffer - 8.43.6. New HTTP keywords
- 8.43.7.
byte_extractKeyword - 8.43.8.
byte_jumpKeyword - 8.43.9.
byte_mathKeyword - 8.43.10.
byte_testKeyword - 8.43.11.
isdataatKeyword - 8.43.12. Relative PCRE
- 8.43.13.
tls*Keywords - 8.43.14.
dns_queryKeyword - 8.43.15. IP Reputation and
iprepKeyword - 8.43.16. Flowbits
- 8.43.17. flowbits:noalert;
- 8.43.18. Negated Content Match Special Case
- 8.43.19. File Extraction
- 8.43.20. Lua Scripting
- 8.43.21. Fast Pattern
- 8.43.22. Don't Cross The Streams
- 8.43.23. Alerts
- 8.43.24. Buffer Reference Chart
- 8.44. Multiple Buffer Matching