6. Suricata Rules
- 6.1. Rules Format
- 6.2. Meta Keywords
- 6.3. IP Keywords
- 6.4. TCP keywords
- 6.5. UDP keywords
- 6.6. ICMP keywords
- 6.7. Payload Keywords
- 6.7.1. content
- 6.7.2. nocase
- 6.7.3. depth
- 6.7.4. startswith
- 6.7.5. endswith
- 6.7.6. offset
- 6.7.7. distance
- 6.7.8. within
- 6.7.9. isdataat
- 6.7.10. bsize
- 6.7.11. dsize
- 6.7.12. byte_test
- 6.7.13. byte_math
- 6.7.14. byte_jump
- 6.7.15. byte_extract
- 6.7.16. rpc
- 6.7.17. replace
- 6.7.18. pcre (Perl Compatible Regular Expressions)
- 6.8. Transformations
- 6.9. Prefiltering Keywords
- 6.10. Flow Keywords
- 6.11. Bypass Keyword
- 6.12. HTTP Keywords
- 6.12.1. HTTP Primer
- 6.12.2. http.method
- 6.12.3. http.uri and http.uri.raw
- 6.12.4. uricontent
- 6.12.5. urilen
- 6.12.6. http.protocol
- 6.12.7. http.request_line
- 6.12.8. http.header and http.header.raw
- 6.12.9. http.cookie
- 6.12.10. http.user_agent
- 6.12.11. http.accept
- 6.12.12. http.accept_enc
- 6.12.13. http.accept_lang
- 6.12.14. http.connection
- 6.12.15. http.content_type
- 6.12.16. http.content_len
- 6.12.17. http.referer
- 6.12.18. http.start
- 6.12.19. http.header_names
- 6.12.20. http.request_body
- 6.12.21. http.stat_code
- 6.12.22. http.stat_msg
- 6.12.23. http.response_line
- 6.12.24. http.response_body
- 6.12.25. http.server
- 6.12.26. http.location
- 6.12.27. http.host and http.host.raw
- 6.12.28. file_data
- 6.13. File Keywords
- 6.14. DNS Keywords
- 6.15. SSL/TLS Keywords
- 6.15.1. tls.cert_subject
- 6.15.2. tls.cert_issuer
- 6.15.3. tls.cert_serial
- 6.15.4. tls.cert_fingerprint
- 6.15.5. tls.sni
- 6.15.6. tls_cert_notbefore
- 6.15.7. tls_cert_notafter
- 6.15.8. tls_cert_expired
- 6.15.9. tls_cert_valid
- 6.15.10. tls.certs
- 6.15.11. tls.version
- 6.15.12. ssl_version
- 6.15.13. tls.subject
- 6.15.14. tls.issuerdn
- 6.15.15. tls.fingerprint
- 6.15.16. tls.store
- 6.15.17. ssl_state
- 6.16. SSH Keywords
- 6.17. JA3 Keywords
- 6.18. Modbus Keyword
- 6.19. DNP3 Keywords
- 6.20. ENIP/CIP Keywords
- 6.21. FTP/FTP-DATA Keywords
- 6.22. Kerberos Keywords
- 6.23. SNMP keywords
- 6.24. Base64 keywords
- 6.25. SIP Keywords
- 6.26. RFB Keywords
- 6.27. MQTT Keywords
- 6.27.1. mqtt.protocol_version
- 6.27.2. mqtt.type
- 6.27.3. mqtt.flags
- 6.27.4. mqtt.qos
- 6.27.5. mqtt.reason_code
- 6.27.6. mqtt.connack.session_present
- 6.27.7. mqtt.connect.clientid
- 6.27.8. mqtt.connect.flags
- 6.27.9. mqtt.connect.password
- 6.27.10. mqtt.connect.username
- 6.27.11. mqtt.connect.willmessage
- 6.27.12. mqtt.connect.willtopic
- 6.27.13. mqtt.publish.message
- 6.27.14. mqtt.publish.topic
- 6.27.15. mqtt.subscribe.topic
- 6.27.16. mqtt.unsubscribe.topic
- 6.27.17. Additional information
- 6.28. HTTP2 Keywords
- 6.29. Generic App Layer Keywords
- 6.30. Xbits Keyword
- 6.31. Thresholding Keywords
- 6.32. IP Reputation Keyword
- 6.33. Config Rules
- 6.34. Datasets
- 6.35. Lua Scripting
- 6.36. Differences From Snort
- 6.36.1. Automatic Protocol Detection
- 6.36.2. urilen Keyword
- 6.36.3. http_uri Buffer
- 6.36.4. http_header Buffer
- 6.36.5. http_cookie Buffer
- 6.36.6. New HTTP keywords
- 6.36.7. byte_extract Keyword
- 6.36.8. isdataat Keyword
- 6.36.9. Relative PCRE
- 6.36.10. tls* Keywords
- 6.36.11. dns_query Keyword
- 6.36.12. IP Reputation and iprep Keyword
- 6.36.13. Flowbits
- 6.36.14. flowbits:noalert;
- 6.36.15. Negated Content Match Special Case
- 6.36.16. File Extraction
- 6.36.17. Lua Scripting
- 6.36.18. Fast Pattern
- 6.36.19. Don’t Cross The Streams
- 6.36.20. Alerts
- 6.36.21. Buffer Reference Chart