6. Suricata Rules¶

6.1. Rules Format
- 6.1.1. Action
- 6.1.2. Protocol
- 6.1.3. Source and destination
- 6.1.4. Ports (source and destination)
- 6.1.5. Direction
- 6.1.6. Rule options
  - 6.1.6.1. Modifier Keywords
  - 6.1.6.2. Normalized Buffers
6.2. Meta Keywords
- 6.2.1. msg (message)
- 6.2.2. sid (signature ID)
- 6.2.3. rev (revision)
- 6.2.4. gid (group ID)
- 6.2.5. classtype
- 6.2.6. reference
- 6.2.7. priority
- 6.2.8. metadata
- 6.2.9. target
6.3. IP Keywords
- 6.3.1. ttl
- 6.3.2. ipopts
- 6.3.3. sameip
- 6.3.4. ip_proto
- 6.3.5. ipv4.hdr
- 6.3.6. ipv6.hdr
- 6.3.7. id
- 6.3.8. geoip
- 6.3.9. fragbits (IP fragmentation)
- 6.3.10. fragoffset
- 6.3.11. tos
6.4. TCP keywords
- 6.4.1. seq
- 6.4.2. ack
- 6.4.3. window
- 6.4.4. tcp.mss
- 6.4.5. tcp.hdr
6.5. UDP keywords
- 6.5.1. udp.hdr
6.6. ICMP keywords
- 6.6.1. itype
- 6.6.2. icode
- 6.6.3. icmp_id
- 6.6.4. icmp_seq
- 6.6.5. icmpv4.hdr
- 6.6.6. icmpv6.hdr
- 6.6.7. icmpv6.mtu
6.7. Payload Keywords
- 6.7.1. content
- 6.7.2. nocase
- 6.7.3. depth
- 6.7.4. startswith
- 6.7.5. endswith
- 6.7.6. offset
- 6.7.7. distance
- 6.7.8. within
- 6.7.9. isdataat
- 6.7.10. bsize
- 6.7.11. dsize
- 6.7.12. byte_test
- 6.7.13. byte_math
- 6.7.14. byte_jump
- 6.7.15. byte_extract
- 6.7.16. rpc
- 6.7.17. replace
- 6.7.18. pcre (Perl Compatible Regular Expressions)
  - 6.7.18.1. Suricata’s modifiers
6.8. Transformations
- 6.8.1. dotprefix
- 6.8.2. strip_whitespace
- 6.8.3. compress_whitespace
- 6.8.4. to_md5
- 6.8.5. to_sha1
- 6.8.6. to_sha256
- 6.8.7. pcrexform
- 6.8.8. url_decode
6.9. Prefiltering Keywords
- 6.9.1. fast_pattern
- 6.9.2. prefilter
6.10. Flow Keywords
- 6.10.1. flowbits
- 6.10.2. flow
- 6.10.3. flowint
- 6.10.4. stream_size
6.11. Bypass Keyword
- 6.11.1. bypass
6.12. HTTP Keywords
- 6.12.1. HTTP Primer
- 6.12.2. http.method
- 6.12.3. http.uri and http.uri.raw
- 6.12.4. uricontent
- 6.12.5. urilen
- 6.12.6. http.protocol
- 6.12.7. http.request_line
- 6.12.8. http.header and http.header.raw
- 6.12.9. http.cookie
- 6.12.10. http.user_agent
  - 6.12.10.1. Notes
- 6.12.11. http.accept
- 6.12.12. http.accept_enc
- 6.12.13. http.accept_lang
- 6.12.14. http.connection
- 6.12.15. http.content_type
- 6.12.16. http.content_len
- 6.12.17. http.referer
- 6.12.18. http.start
- 6.12.19. http.header_names
- 6.12.20. http.request_body
- 6.12.21. http.stat_code
- 6.12.22. http.stat_msg
- 6.12.23. http.response_line
- 6.12.24. http.response_body
  - 6.12.24.1. Notes
- 6.12.25. http.server
- 6.12.26. http.location
- 6.12.27. http.host and http.host.raw
  - 6.12.27.1. Notes
- 6.12.28. file_data
  - 6.12.28.1. Notes
6.13. File Keywords
- 6.13.1. filename
- 6.13.2. fileext
- 6.13.3. filemagic
- 6.13.4. filestore
- 6.13.5. filemd5
- 6.13.6. filesha1
- 6.13.7. filesha256
- 6.13.8. filesize
6.14. DNS Keywords
- 6.14.1. dns.opcode
  - 6.14.1.1. Syntax
  - 6.14.1.2. Examples
- 6.14.2. dns.query
  - 6.14.2.1. Normalized Buffer
6.15. SSL/TLS Keywords
- 6.15.1. tls.cert_subject
- 6.15.2. tls.cert_issuer
- 6.15.3. tls.cert_serial
- 6.15.4. tls.cert_fingerprint
- 6.15.5. tls.sni
- 6.15.6. tls_cert_notbefore
- 6.15.7. tls_cert_notafter
- 6.15.8. tls_cert_expired
- 6.15.9. tls_cert_valid
- 6.15.10. tls.certs
- 6.15.11. tls.version
- 6.15.12. ssl_version
- 6.15.13. tls.subject
- 6.15.14. tls.issuerdn
- 6.15.15. tls.fingerprint
- 6.15.16. tls.store
- 6.15.17. ssl_state
6.16. SSH Keywords
- 6.16.1. ssh.proto
- 6.16.2. ssh.software
- 6.16.3. ssh.protoversion
- 6.16.4. ssh.softwareversion
- 6.16.5. ssh.hassh
- 6.16.6. ssh.hassh.string
- 6.16.7. ssh.hassh.server
- 6.16.8. ssh.hassh.server.string
6.17. JA3 Keywords
- 6.17.1. ja3.hash
- 6.17.2. ja3.string
- 6.17.3. ja3s.hash
- 6.17.4. ja3s.string
6.18. Modbus Keyword
6.19. DNP3 Keywords
- 6.19.1. dnp3_func
  - 6.19.1.1. Syntax
- 6.19.2. dnp3_ind
  - 6.19.2.1. Syntax
  - 6.19.2.2. Examples
- 6.19.3. dnp3_obj
  - 6.19.3.1. Syntax
- 6.19.4. dnp3_data
  - 6.19.4.1. Syntax
  - 6.19.4.2. Example
6.20. ENIP/CIP Keywords
6.21. FTP/FTP-DATA Keywords
- 6.21.1. ftpdata_command
- 6.21.2. ftpbounce
6.22. Kerberos Keywords
- 6.22.1. krb5_msg_type
- 6.22.2. krb5_cname
- 6.22.3. krb5_sname
- 6.22.4. krb5_err_code
- 6.22.5. krb5.weak_encryption (event)
- 6.22.6. krb5.malformed_data (event)
6.23. SNMP keywords
- 6.23.1. snmp.version
- 6.23.2. snmp.community
- 6.23.3. snmp.pdu_type
6.24. Base64 keywords
- 6.24.1. base64_decode
- 6.24.2. base64_data
- 6.24.3. Example
6.25. SIP Keywords
- 6.25.1. sip.method
  - 6.25.1.1. Syntax
  - 6.25.1.2. Examples
- 6.25.2. sip.uri
  - 6.25.2.1. Syntax
  - 6.25.2.2. Examples
- 6.25.3. sip.request_line
  - 6.25.3.1. Syntax
  - 6.25.3.2. Examples
- 6.25.4. sip.stat_code
  - 6.25.4.1. Syntax
  - 6.25.4.2. Examples
- 6.25.5. sip.stat_msg
  - 6.25.5.1. Syntax
  - 6.25.5.2. Examples
- 6.25.6. sip.response_line
  - 6.25.6.1. Syntax
  - 6.25.6.2. Examples
- 6.25.7. sip.protocol
  - 6.25.7.1. Syntax
  - 6.25.7.2. Example
6.26. RFB Keywords
- 6.26.1. rfb.name
- 6.26.2. rfb.secresult
- 6.26.3. rfb.sectype
- 6.26.4. Additional information
6.27. MQTT Keywords
- 6.27.1. mqtt.protocol_version
- 6.27.2. mqtt.type
- 6.27.3. mqtt.flags
- 6.27.4. mqtt.qos
- 6.27.5. mqtt.reason_code
- 6.27.6. mqtt.connack.session_present
- 6.27.7. mqtt.connect.clientid
- 6.27.8. mqtt.connect.flags
- 6.27.9. mqtt.connect.password
- 6.27.10. mqtt.connect.username
- 6.27.11. mqtt.connect.willmessage
- 6.27.12. mqtt.connect.willtopic
- 6.27.13. mqtt.publish.message
- 6.27.14. mqtt.publish.topic
- 6.27.15. mqtt.subscribe.topic
- 6.27.16. mqtt.unsubscribe.topic
- 6.27.17. Additional information
6.28. HTTP2 Keywords
- 6.28.1. http2.frametype
- 6.28.2. http2.errorcode
- 6.28.3. http2.priority
- 6.28.4. http2.window
- 6.28.5. http2.size_update
- 6.28.6. http2.settings
- 6.28.7. http2.header_name
- 6.28.8. http2.header
- 6.28.9. Additional information
6.29. Generic App Layer Keywords
- 6.29.1. app-layer-protocol
  - 6.29.1.1. Bail out conditions
- 6.29.2. app-layer-event
  - 6.29.2.1. Protocol Detection
6.30. Xbits Keyword
- 6.30.1. Notes
6.31. Thresholding Keywords
- 6.31.1. threshold
- 6.31.2. detection_filter
6.32. IP Reputation Keyword
- 6.32.1. iprep
  - 6.32.1.1. IP-only
6.33. Config Rules
- 6.33.1. Keyword
- 6.33.2. Action
6.34. Datasets
- 6.34.1. Global config (optional)
- 6.34.2. Rule keywords
  - 6.34.2.1. dataset
  - 6.34.2.2. datarep
- 6.34.3. Rule Reloads
- 6.34.4. Unix Socket
  - 6.34.4.1. dataset-add
  - 6.34.4.2. dataset-remove
- 6.34.5. File formats
6.35. Lua Scripting
- 6.35.1. Init function
- 6.35.2. Match function
6.36. Differences From Snort
- 6.36.1. Automatic Protocol Detection
- 6.36.2. urilen Keyword
- 6.36.3. http_uri Buffer
- 6.36.4. http_header Buffer
- 6.36.5. http_cookie Buffer
- 6.36.6. New HTTP keywords
- 6.36.7. byte_extract Keyword
- 6.36.8. isdataat Keyword
- 6.36.9. Relative PCRE
- 6.36.10. tls* Keywords
- 6.36.11. dns_query Keyword
- 6.36.12. IP Reputation and iprep Keyword
- 6.36.13. Flowbits
- 6.36.14. flowbits:noalert;
- 6.36.15. Negated Content Match Special Case
- 6.36.16. File Extraction
- 6.36.17. Lua Scripting
- 6.36.18. Fast Pattern
- 6.36.19. Don’t Cross The Streams
- 6.36.20. Alerts
- 6.36.21. Buffer Reference Chart

Read the Docs v: suricata-6.0.4

Versions: latest; suricata-6.0.4; suricata-6.0.3; suricata-6.0.2; suricata-6.0.1; suricata-6.0.0-rc1; suricata-6.0.0-beta1; suricata-6.0.0; suricata-5.0.8; suricata-5.0.7; suricata-5.0.6; suricata-5.0.5; suricata-5.0.4; suricata-5.0.3; suricata-5.0.2; suricata-5.0.1; suricata-5.0.0-rc1; suricata-5.0.0-beta1; suricata-5.0.0; suricata-4.1.9; suricata-4.1.8; suricata-4.1.7; suricata-4.1.6; suricata-4.1.5; suricata-4.1.4; suricata-4.1.3; suricata-4.1.2; suricata-4.1.10; suricata-4.1.1; suricata-4.1.0-rc2; suricata-4.1.0-rc1; suricata-4.1.0-beta1; suricata-4.1.0; suricata-4.0.7; suricata-4.0.6; suricata-4.0.5; suricata-4.0.4; suricata-4.0.3; suricata-4.0.2; suricata-4.0.1; suricata-4.0.0-rc2; suricata-4.0.0-rc1; suricata-4.0.0-beta1; suricata-4.0.0; suricata-3.2rc1; suricata-3.2beta1; suricata-3.2.5; suricata-3.2.4; suricata-3.2.3; suricata-3.2.2; suricata-3.2.1; suricata-3.2

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.