8. Suricata Rules

• 8.1. Rules Format
  • 8.1.1. Action
  • 8.1.2. Protocol
    • 8.1.2.1. Matching on non-IP packets
    • 8.1.2.2. Explicit rule hooks
  • 8.1.3. Source and destination
  • 8.1.4. Ports (source and destination)
  • 8.1.5. Direction
    • 8.1.5.1. Transactional rules
  • 8.1.6. Rule options
    • 8.1.6.1. Disabling Alerts
    • 8.1.6.2. Modifier Keywords
    • 8.1.6.3. Normalized Buffers
• 8.2. Meta Keywords
  • 8.2.1. msg (message)
  • 8.2.2. sid (signature ID)
    • 8.2.2.1. Suricata Engine Events Rules SID range
  • 8.2.3. rev (revision)
  • 8.2.4. gid (group ID)
  • 8.2.5. classtype
  • 8.2.6. reference
  • 8.2.7. priority
  • 8.2.8. metadata
  • 8.2.9. target
  • 8.2.10. requires
• 8.3. Ethernet Keywords
  • 8.3.1. ether.hdr
• 8.4. IP Keywords
  • 8.4.1. ttl
  • 8.4.2. ipopts
  • 8.4.3. sameip
  • 8.4.4. ip_proto
  • 8.4.5. ipv4.hdr
  • 8.4.6. ipv6.hdr
  • 8.4.7. id
  • 8.4.8. geoip
  • 8.4.9. fragbits (IP fragmentation)
  • 8.4.10. fragoffset
  • 8.4.11. tos
• 8.5. TCP keywords
  • 8.5.1. tcp.flags
  • 8.5.2. seq
  • 8.5.3. ack
  • 8.5.4. window
  • 8.5.5. tcp.mss
  • 8.5.6. tcp.wscale
  • 8.5.7. tcp.hdr
• 8.6. UDP keywords
  • 8.6.1. udp.hdr
• 8.7. ICMP keywords
  • 8.7.1. itype
  • 8.7.2. icode
  • 8.7.3. icmp_id
  • 8.7.4. icmp_seq
  • 8.7.5. icmpv4.hdr
  • 8.7.6. icmpv6.hdr
  • 8.7.7. icmpv6.mtu
• 8.8. IGMP keywords
  • 8.8.1. igmp.hdr
  • 8.8.2. igmp.type
  • 8.8.3. igmp-csum
• 8.9. Payload Keywords
  • 8.9.1. content
  • 8.9.2. nocase
  • 8.9.3. depth
  • 8.9.4. startswith
  • 8.9.5. endswith
  • 8.9.6. offset
  • 8.9.7. distance
  • 8.9.8. within
  • 8.9.9. rawbytes
  • 8.9.10. isdataat
    • 8.9.10.1. absolute vs relative values
  • 8.9.11. absent
  • 8.9.12. bsize
  • 8.9.13. dsize
  • 8.9.14. byte_test
  • 8.9.15. byte_math
  • 8.9.16. byte_jump
  • 8.9.17. byte_extract
  • 8.9.18. entropy
    • 8.9.18.1. Logging
  • 8.9.19. rpc
  • 8.9.20. replace
  • 8.9.21. pcre (Perl Compatible Regular Expressions)
    • 8.9.21.1. PCRE extraction
    • 8.9.21.2. Suricata's modifiers
    • 8.9.21.3. Changes from PCRE1 to PCRE2
• 8.10. Integer Keywords
  • 8.10.1. Comparison modes
  • 8.10.2. Enumerations
  • 8.10.3. Bitmasks
  • 8.10.4. Multi-integers
  • 8.10.5. Count
• 8.11. Transformations
  • 8.11.1. dotprefix
  • 8.11.2. domain
  • 8.11.3. tld
  • 8.11.4. strip_whitespace
  • 8.11.5. compress_whitespace
  • 8.11.6. to_lowercase
  • 8.11.7. to_md5
  • 8.11.8. to_uppercase
  • 8.11.9. to_sha1
  • 8.11.10. to_sha256
  • 8.11.11. pcrexform
  • 8.11.12. url_decode
  • 8.11.13. xor
  • 8.11.14. header_lowercase
  • 8.11.15. strip_pseudo_headers
  • 8.11.16. from_base64
  • 8.11.17. luaxform
  • 8.11.18. gunzip
  • 8.11.19. zlib_deflate
  • 8.11.20. subslice
    • 8.11.20.1. Usage
    • 8.11.20.2. Examples
    • 8.11.20.3. Summary of Truncate Behavior: Edge Cases
    • 8.11.20.4. Truncation Behavior
    • 8.11.20.5. Negative Offset Handling
    • 8.11.20.6. Full Rule Examples
• 8.12. Prefiltering Keywords
  • 8.12.1. fast_pattern
    • 8.12.1.1. Suricata Fast Pattern Determination Explained
      • 8.12.1.1.1. Appendices
        • 8.12.1.1.1.1. Appendix A - Pattern Strength Algorithm
    • 8.12.1.2. fast_pattern:only
    • 8.12.1.3. fast_pattern:'chop'
  • 8.12.2. prefilter
• 8.13. Flow Keywords
  • 8.13.1. flowbits
  • 8.13.2. flow
  • 8.13.3. flowint
  • 8.13.4. stream_size
  • 8.13.5. flow.age
  • 8.13.6. flow.pkts
  • 8.13.7. flow.bytes
  • 8.13.8. flow.elephant
• 8.14. Bypass Keyword
  • 8.14.1. bypass
• 8.15. HTTP Keywords
  • 8.15.1. HTTP Primer
  • 8.15.2. Normalization
    • 8.15.2.1. Duplicate Header Names
  • 8.15.3. file.name
  • 8.15.4. http.accept
  • 8.15.5. http.accept_enc
  • 8.15.6. http.accept_lang
  • 8.15.7. http.host
  • 8.15.8. http.host.raw
  • 8.15.9. http.method
  • 8.15.10. http.referer
  • 8.15.11. http.request_body
  • 8.15.12. http.request_header
  • 8.15.13. http.request_line
  • 8.15.14. http.uri
  • 8.15.15. http.uri.raw
  • 8.15.16. http.user_agent
  • 8.15.17. urilen
  • 8.15.18. http.location
  • 8.15.19. http.response_body
  • 8.15.20. http.response_header
  • 8.15.21. http.response_line
  • 8.15.22. http.server
  • 8.15.23. http.stat_code
  • 8.15.24. http.stat_msg
  • 8.15.25. file.data
  • 8.15.26. http.connection
  • 8.15.27. http.content_len
  • 8.15.28. http.content_type
  • 8.15.29. http.cookie
  • 8.15.30. http.header
  • 8.15.31. http.header.raw
  • 8.15.32. http.header_names
  • 8.15.33. http.protocol
  • 8.15.34. http.start
• 8.16. File Keywords
  • 8.16.1. file.data
  • 8.16.2. file.name
  • 8.16.3. fileext
  • 8.16.4. file.magic
  • 8.16.5. filestore
  • 8.16.6. filemd5
  • 8.16.7. filesha1
  • 8.16.8. filesha256
  • 8.16.9. filesize
• 8.17. DNS Keywords
  • 8.17.1. dns.opcode
    • 8.17.1.1. Syntax
    • 8.17.1.2. Examples
  • 8.17.2. dns.rcode
    • 8.17.2.1. Syntax
    • 8.17.2.2. Examples
  • 8.17.3. dns.rrtype
    • 8.17.3.1. Syntax
    • 8.17.3.2. Examples
  • 8.17.4. dns.query
    • 8.17.4.1. Normalized Buffer
  • 8.17.5. dns.queries.rrname
  • 8.17.6. dns.answers.rrname
  • 8.17.7. dns.authorities.rrname
  • 8.17.8. dns.additionals.rrname
  • 8.17.9. dns.response.rrname
• 8.18. mDNS Keywords
  • 8.18.1. mdns.queries.rrname
  • 8.18.2. mdns.answers.rrname
  • 8.18.3. mdns.authorities.rrname
  • 8.18.4. mdns.additionals.rrname
  • 8.18.5. mdns.response.rrname
• 8.19. LLMNR Keywords
  • 8.19.1. llmnr.queries.rrname
  • 8.19.2. llmnr.answers.rrname
  • 8.19.3. llmnr.authorities.rrname
  • 8.19.4. llmnr.additionals.rrname
  • 8.19.5. llmnr.response.rrname
• 8.20. SSL/TLS Keywords
  • 8.20.1. tls.cert_subject
    • 8.20.1.1. tls.subject
  • 8.20.2. tls.cert_issuer
    • 8.20.2.1. tls.issuerdn
  • 8.20.3. tls.cert_serial
  • 8.20.4. tls.cert_fingerprint
  • 8.20.5. tls.sni
  • 8.20.6. tls.subjectaltname
  • 8.20.7. tls_cert_notbefore
  • 8.20.8. tls_cert_notafter
  • 8.20.9. tls_cert_expired
  • 8.20.10. tls_cert_valid
  • 8.20.11. tls.certs
  • 8.20.12. tls.version
  • 8.20.13. ssl_version
  • 8.20.14. tls.fingerprint
  • 8.20.15. tls.store
  • 8.20.16. ssl_state
  • 8.20.17. tls.random
  • 8.20.18. tls.random_time
  • 8.20.19. tls.random_bytes
  • 8.20.20. tls.cert_chain_len
  • 8.20.21. tls.alpn
• 8.21. SSH Keywords
  • 8.21.1. Hooks
  • 8.21.2. Frames
  • 8.21.3. ssh.proto
  • 8.21.4. ssh.software
  • 8.21.5. ssh.hassh
  • 8.21.6. ssh.hassh.string
  • 8.21.7. ssh.hassh.server
  • 8.21.8. ssh.hassh.server.string
• 8.22. JA3/JA4 Keywords
  • 8.22.1. ja3.hash
  • 8.22.2. ja3.string
  • 8.22.3. ja3s.hash
  • 8.22.4. ja3s.string
  • 8.22.5. ja4.hash
• 8.23. Modbus Keyword
• 8.24. DCERPC Keywords
  • 8.24.1. dcerpc.iface
  • 8.24.2. dcerpc.opnum
  • 8.24.3. dcerpc.stub_data
  • 8.24.4. Additional information
• 8.25. DHCP keywords
  • 8.25.1. dhcp.leasetime
  • 8.25.2. dhcp.rebinding_time
  • 8.25.3. dhcp.renewal_time
• 8.26. DNP3 Keywords
  • 8.26.1. dnp3_func
    • 8.26.1.1. Syntax
  • 8.26.2. dnp3_ind
    • 8.26.2.1. Syntax
    • 8.26.2.2. Examples
  • 8.26.3. dnp3_obj
    • 8.26.3.1. Syntax
  • 8.26.4. dnp3_data
    • 8.26.4.1. Syntax
    • 8.26.4.2. Example
• 8.27. ENIP/CIP Keywords
  • 8.27.1. enip_command
  • 8.27.2. cip_service
  • 8.27.3. enip.status
  • 8.27.4. enip.protocol_version
  • 8.27.5. enip.cip_attribute
  • 8.27.6. enip.cip_instance
  • 8.27.7. enip.cip_class
  • 8.27.8. enip.cip_extendedstatus
  • 8.27.9. enip.revision
  • 8.27.10. enip.identity_status
  • 8.27.11. enip.state
  • 8.27.12. enip.serial
  • 8.27.13. enip.product_code
  • 8.27.14. enip.device_type
  • 8.27.15. enip.vendor_id
  • 8.27.16. enip.product_name
  • 8.27.17. enip.service_name
  • 8.27.18. enip.capabilities
  • 8.27.19. enip.cip_status
• 8.28. FTP/FTP-DATA Keywords
  • 8.28.1. ftpdata_command
  • 8.28.2. ftpbounce
  • 8.28.3. file.name
  • 8.28.4. ftp.command
  • 8.28.5. ftp.command_data
  • 8.28.6. ftp.completion_code
  • 8.28.7. ftp.dynamic_port
  • 8.28.8. ftp.mode
  • 8.28.9. ftp.reply
  • 8.28.10. ftp.reply_received
• 8.29. Kerberos Keywords
  • 8.29.1. krb5_msg_type
  • 8.29.2. krb5_cname
  • 8.29.3. krb5_sname
  • 8.29.4. krb5_err_code
  • 8.29.5. krb5.weak_encryption (event)
  • 8.29.6. krb5.malformed_data (event)
  • 8.29.7. krb5.ticket_encryption
• 8.30. SMB Keywords
  • 8.30.1. smb.named_pipe
  • 8.30.2. smb.share
  • 8.30.3. smb.ntlmssp_user
  • 8.30.4. smb.ntlmssp_domain
  • 8.30.5. smb.version
    • 8.30.5.1. Matching in transition from SMBv1 to SMBv2
    • 8.30.5.2. Will smb.version match SMBv3 traffic?
  • 8.30.6. file.name
• 8.31. SNMP keywords
  • 8.31.1. snmp.version
  • 8.31.2. snmp.community
  • 8.31.3. snmp.usm
  • 8.31.4. snmp.pdu_type
  • 8.31.5. snmp.trap_type
• 8.32. NTP Keywords
  • 8.32.1. ntp.mode
  • 8.32.2. ntp.reference_id
  • 8.32.3. ntp.stratum
  • 8.32.4. ntp.version
• 8.33. Base64 keywords
  • 8.33.1. base64_decode
  • 8.33.2. base64_data
  • 8.33.3. Example
• 8.34. SIP Keywords
  • 8.34.1. sip.method
    • 8.34.1.1. Syntax
    • 8.34.1.2. Examples
  • 8.34.2. sip.uri
    • 8.34.2.1. Syntax
    • 8.34.2.2. Examples
  • 8.34.3. sip.request_line
    • 8.34.3.1. Syntax
    • 8.34.3.2. Examples
  • 8.34.4. sip.stat_code
    • 8.34.4.1. Syntax
    • 8.34.4.2. Examples
  • 8.34.5. sip.stat_msg
    • 8.34.5.1. Syntax
    • 8.34.5.2. Examples
  • 8.34.6. sip.response_line
    • 8.34.6.1. Syntax
    • 8.34.6.2. Examples
  • 8.34.7. sip.protocol
    • 8.34.7.1. Syntax
    • 8.34.7.2. Example
  • 8.34.8. sip.from
    • 8.34.8.1. Syntax
    • 8.34.8.2. Example
  • 8.34.9. sip.to
    • 8.34.9.1. Syntax
    • 8.34.9.2. Example
  • 8.34.10. sip.via
    • 8.34.10.1. Syntax
    • 8.34.10.2. Example
  • 8.34.11. sip.user_agent
    • 8.34.11.1. Syntax
    • 8.34.11.2. Example
  • 8.34.12. sip.content_type
    • 8.34.12.1. Syntax
    • 8.34.12.2. Example
  • 8.34.13. sip.content_length
    • 8.34.13.1. Syntax
    • 8.34.13.2. Example
• 8.35. SDP Keywords
  • 8.35.1. sdp.origin
    • 8.35.1.1. Syntax
    • 8.35.1.2. Examples
  • 8.35.2. sdp.session_name
    • 8.35.2.1. Syntax
    • 8.35.2.2. Examples
  • 8.35.3. sdp.session_info
    • 8.35.3.1. Syntax
    • 8.35.3.2. Examples
  • 8.35.4. sdp.uri
    • 8.35.4.1. Syntax
    • 8.35.4.2. Examples
  • 8.35.5. sdp.email
    • 8.35.5.1. Syntax
    • 8.35.5.2. Examples
  • 8.35.6. sdp.phone_number
    • 8.35.6.1. Syntax
    • 8.35.6.2. Examples
  • 8.35.7. sdp.connection_data
    • 8.35.7.1. Syntax
    • 8.35.7.2. Examples
  • 8.35.8. sdp.bandwidth
    • 8.35.8.1. Syntax
    • 8.35.8.2. Example
  • 8.35.9. sdp.time
    • 8.35.9.1. Syntax
    • 8.35.9.2. Example
  • 8.35.10. sdp.repeat_time
    • 8.35.10.1. Syntax
    • 8.35.10.2. Example
  • 8.35.11. sdp.timezone
    • 8.35.11.1. Syntax
    • 8.35.11.2. Example
  • 8.35.12. sdp.encryption_key
    • 8.35.12.1. Syntax
    • 8.35.12.2. Example
  • 8.35.13. sdp.attribute
    • 8.35.13.1. Syntax
    • 8.35.13.2. Example
  • 8.35.14. sdp.media.media
    • 8.35.14.1. Syntax
    • 8.35.14.2. Example
  • 8.35.15. sdp.media.session_info
    • 8.35.15.1. Syntax
    • 8.35.15.2. Example
  • 8.35.16. sdp.media.connection_data
    • 8.35.16.1. Syntax
    • 8.35.16.2. Example
  • 8.35.17. sdp.media.encryption_key
    • 8.35.17.1. Syntax
    • 8.35.17.2. Example
• 8.36. SCTP Keywords
  • 8.36.1. sctp.hdr
  • 8.36.2. sctp.chunk_data
  • 8.36.3. sctp.vtag
  • 8.36.4. sctp.chunk_type
  • 8.36.5. sctp.chunk_cnt
• 8.37. RFB Keywords
  • 8.37.1. rfb.name
  • 8.37.2. rfb.secresult
  • 8.37.3. rfb.sectype
  • 8.37.4. Additional information
• 8.38. MQTT Keywords
  • 8.38.1. mqtt.protocol_version
  • 8.38.2. mqtt.type
  • 8.38.3. mqtt.flags
  • 8.38.4. mqtt.qos
  • 8.38.5. mqtt.reason_code
  • 8.38.6. mqtt.connack.session_present
  • 8.38.7. mqtt.connect.clientid
  • 8.38.8. mqtt.connect.flags
  • 8.38.9. mqtt.connect.password
  • 8.38.10. mqtt.connect.protocol_string
  • 8.38.11. mqtt.connect.username
  • 8.38.12. mqtt.connect.willmessage
  • 8.38.13. mqtt.connect.willtopic
  • 8.38.14. mqtt.publish.message
  • 8.38.15. mqtt.publish.topic
  • 8.38.16. mqtt.subscribe.topic
  • 8.38.17. mqtt.unsubscribe.topic
  • 8.38.18. Additional information
• 8.39. IKE Keywords
  • 8.39.1. ike.init_spi, ike.resp_spi
  • 8.39.2. ike.chosen_sa_attribute
  • 8.39.3. ike.exchtype
  • 8.39.4. ike.vendor
  • 8.39.5. ike.key_exchange_payload
  • 8.39.6. ike.key_exchange_payload_length
  • 8.39.7. ike.nonce_payload
  • 8.39.8. ike.nonce_payload_length
  • 8.39.9. Additional information
• 8.40. HTTP2 Keywords
  • 8.40.1. Frames
  • 8.40.2. http2.frametype
  • 8.40.3. http2.errorcode
  • 8.40.4. http2.priority
  • 8.40.5. http2.window
  • 8.40.6. http2.size_update
  • 8.40.7. http2.settings
  • 8.40.8. http2.header_name
  • 8.40.9. Additional information
• 8.41. Quic Keywords
  • 8.41.1. quic.cyu.hash
  • 8.41.2. quic.cyu.string
  • 8.41.3. quic.version
  • 8.41.4. Additional information
• 8.42. NFS Keywords
  • 8.42.1. file.name
  • 8.42.2. nfs_procedure
• 8.43. SMTP Keywords
  • 8.43.1. file.name
  • 8.43.2. smtp.helo
  • 8.43.3. smtp.mail_from
  • 8.43.4. smtp.rcpt_to
  • 8.43.5. Frames
    • 8.43.5.1. smtp.command_line
    • 8.43.5.2. smtp.response_line
    • 8.43.5.3. smtp.data
    • 8.43.5.4. smtp.stream
• 8.44. WebSocket Keywords
  • 8.44.1. websocket.payload
  • 8.44.2. websocket.flags
  • 8.44.3. websocket.mask
  • 8.44.4. websocket.opcode
• 8.45. Generic App Layer Keywords
  • 8.45.1. app-layer-protocol
    • 8.45.1.1. Bail out conditions
  • 8.45.2. app-layer-event
    • 8.45.2.1. Protocol Detection
      • 8.45.2.1.1. applayer_mismatch_protocol_both_directions
      • 8.45.2.1.2. applayer_wrong_direction_first_data
      • 8.45.2.1.3. applayer_detect_protocol_only_one_direction
      • 8.45.2.1.4. applayer_proto_detection_skipped
  • 8.45.3. app-layer-state
• 8.46. Generic Decode Layer Keywords
  • 8.46.1. decode-event
    • 8.46.1.1. Decode Events
      • 8.46.1.1.1. ethernet.unknown_ethertype
• 8.47. Xbits Keyword
  • 8.47.1. Transaction support (tx)
  • 8.47.2. Notes
    • 8.47.2.1. YAML settings
    • 8.47.2.2. Threading
    • 8.47.2.3. Unix Socket
    • 8.47.2.4. Examples
      • 8.47.2.4.1. Creating a SSH blacklist
• 8.48. Alert Keywords
  • 8.48.1. noalert
  • 8.48.2. alert
• 8.49. Thresholding Keywords
  • 8.49.1. threshold
    • 8.49.1.1. type "threshold"
    • 8.49.1.2. type "limit"
    • 8.49.1.3. type "both"
    • 8.49.1.4. type "backoff"
    • 8.49.1.5. track
  • 8.49.2. detection_filter
• 8.50. IP Reputation Keyword
  • 8.50.1. iprep
    • 8.50.1.1. isset and isnotset
    • 8.50.1.2. Compatibility with IP-only
• 8.51. IP Addresses Match
  • 8.51.1. ip.src
  • 8.51.2. ip.dst
• 8.52. Config Rules
  • 8.52.1. Keyword
  • 8.52.2. Action
• 8.53. Datasets
  • 8.53.1. Global config (optional)
  • 8.53.2. Rule keywords
    • 8.53.2.1. dataset
    • 8.53.2.2. datarep
    • 8.53.2.3. dataset with JSON
  • 8.53.3. Rule Reloads
  • 8.53.4. Unix Socket
    • 8.53.4.1. dataset-add
    • 8.53.4.2. dataset-remove
    • 8.53.4.3. dataset-clear
    • 8.53.4.4. dataset-lookup
    • 8.53.4.5. dataset-dump
    • 8.53.4.6. dataset-add-json
  • 8.53.5. File formats
    • 8.53.5.1. data types
    • 8.53.5.2. dataset
    • 8.53.5.3. datarep
    • 8.53.5.4. dataset with JSON enrichment
  • 8.53.6. File Locations
  • 8.53.7. Security
• 8.54. Lua Scripting for Detection
  • 8.54.1. Lua Rule Keyword
    • 8.54.1.1. Init function
    • 8.54.1.2. Match function
  • 8.54.2. Lua Transform: luaxform
  • 8.54.3. Lua Sandbox and Available functions
• 8.55. Differences From Snort
  • 8.55.1. Automatic Protocol Detection
  • 8.55.2. urilen Keyword
  • 8.55.3. http_uri Buffer
  • 8.55.4. http_header Buffer
  • 8.55.5. http_cookie Buffer
  • 8.55.6. New HTTP keywords
  • 8.55.7. byte_extract Keyword
  • 8.55.8. byte_jump Keyword
  • 8.55.9. byte_math Keyword
  • 8.55.10. byte_test Keyword
  • 8.55.11. isdataat Keyword
  • 8.55.12. Relative PCRE
  • 8.55.13. tls* Keywords
  • 8.55.14. dns_query Keyword
  • 8.55.15. IP Reputation and iprep Keyword
  • 8.55.16. Flowbits
  • 8.55.17. flowbits:noalert;
  • 8.55.18. Negated Content Match Special Case
  • 8.55.19. File Extraction
  • 8.55.20. Lua Scripting
  • 8.55.21. Fast Pattern
  • 8.55.22. Don't Cross The Streams
  • 8.55.23. Alerts
  • 8.55.24. Buffer Reference Chart
• 8.56. Multiple Buffer Matching
• 8.57. Tag
  • 8.57.1. Syntax
  • 8.57.2. Examples
  • 8.57.3. How to Use Tags
    • 8.57.3.1. EVE
    • 8.57.3.2. Conditional PCAP Logging
  • 8.57.4. Tracking by Host/Flow
• 8.58. VLAN Keywords
  • 8.58.1. vlan.id
    • 8.58.1.1. Examples
  • 8.58.2. vlan.layers
    • 8.58.2.1. Examples
• 8.59. LDAP Keywords
  • 8.59.1. LDAP Request and Response operations
  • 8.59.2. ldap.request.operation
    • 8.59.2.1. Examples
  • 8.59.3. ldap.responses.operation
    • 8.59.3.1. Examples
  • 8.59.4. ldap.responses.count
    • 8.59.4.1. Examples
  • 8.59.5. ldap.request.dn
    • 8.59.5.1. Example
  • 8.59.6. ldap.responses.dn
    • 8.59.6.1. Example
  • 8.59.7. ldap.responses.result_code
    • 8.59.7.1. Examples
  • 8.59.8. ldap.responses.message
    • 8.59.8.1. Example
  • 8.59.9. ldap.request.attribute_type
    • 8.59.9.1. Example
  • 8.59.10. ldap.responses.attribute_type
    • 8.59.10.1. Example
• 8.60. PGSQL Keywords
  • 8.60.1. pgsql.query
    • 8.60.1.1. Examples
• 8.61. Email Keywords
  • 8.61.1. email.from
    • 8.61.1.1. Example
  • 8.61.2. email.subject
    • 8.61.2.1. Example
  • 8.61.3. email.to
    • 8.61.3.1. Example
  • 8.61.4. email.cc
    • 8.61.4.1. Example
  • 8.61.5. email.date
    • 8.61.5.1. Example
  • 8.61.6. email.message_id
    • 8.61.6.1. Example
  • 8.61.7. email.x_mailer
    • 8.61.7.1. Example
  • 8.61.8. email.url
    • 8.61.8.1. Example
  • 8.61.9. email.received
    • 8.61.9.1. Example
  • 8.61.10. email.body_md5
    • 8.61.10.1. Example
• 8.62. Rule Types and Categorization
  • 8.62.1. Signature Properties
    • 8.62.1.1. Signature: Require Real Packet
  • 8.62.2. Signature Types and Variable-like Keywords
    • 8.62.2.1. Flowbits: isset
  • 8.62.3. Signatures per Type
    • 8.62.3.1. Decoder Events Only
      • 8.62.3.1.1. Example
      • 8.62.3.1.2. Engine-Analysis Report
    • 8.62.3.2. Packet
      • 8.62.3.2.1. Examples
      • 8.62.3.2.2. Engine-Analysis Report
    • 8.62.3.3. IP Only
      • 8.62.3.3.1. Examples
      • 8.62.3.3.2. Engine-Analysis Report
    • 8.62.3.4. IP Only (contains negated address)
      • 8.62.3.4.1. Examples
      • 8.62.3.4.2. Engine-Analysis Report
    • 8.62.3.5. Protocol Detection Only
      • 8.62.3.5.1. Examples
      • 8.62.3.5.2. Engine-Analysis Report
    • 8.62.3.6. Packet-Stream
      • 8.62.3.6.1. Examples
      • 8.62.3.6.2. Engine-Analysis Report
    • 8.62.3.7. Stream
      • 8.62.3.7.1. Examples
      • 8.62.3.7.2. Engine-Analysis Report
    • 8.62.3.8. Application Layer Protocol
      • 8.62.3.8.1. Examples
      • 8.62.3.8.2. Engine-Analysis Report
    • 8.62.3.9. Application Layer Protocol Transactions
      • 8.62.3.9.1. Examples
      • 8.62.3.9.2. Engine-Analysis Report
  • 8.62.4. Detailed Flowcharts
    • 8.62.4.1. IP Only and IP Only with negated addresses
    • 8.62.4.2. Protocol Detection Only
    • 8.62.4.3. Application Layer Protocol, Transaction, Packet, Stream and Stream-Packet rules
• 8.63. Rule Processing
  • 8.63.1. Overview
  • 8.63.2. Rule Prioritization
  • 8.63.3. Inspection Process
  • 8.63.4. Considerations on Inspection Steps
    • 8.63.4.1. IP Only rules
    • 8.63.4.2. Application layer protocol transactions
  • 8.63.5. Implications
    • 8.63.5.1. Action precedence and interaction with ip-only rules
    • 8.63.5.2. Alerts not seen