8. Suricata Rules
- 8.1. Rules Format
- 8.2. Meta Keywords
- 8.3. IP Keywords
- 8.4. TCP keywords
- 8.5. UDP keywords
- 8.6. ICMP keywords
- 8.7. Payload Keywords
- 8.7.1. content
- 8.7.2. nocase
- 8.7.3. depth
- 8.7.4. startswith
- 8.7.5. endswith
- 8.7.6. offset
- 8.7.7. distance
- 8.7.8. within
- 8.7.9. rawbytes
- 8.7.10. isdataat
- 8.7.11. bsize
- 8.7.12. dsize
- 8.7.13. byte_test
- 8.7.14. byte_math
- 8.7.15. byte_jump
- 8.7.16. byte_extract
- 8.7.17. rpc
- 8.7.18. replace
- 8.7.19. pcre (Perl Compatible Regular Expressions)
- 8.8. Transformations
- 8.9. Prefiltering Keywords
- 8.10. Flow Keywords
- 8.11. Bypass Keyword
- 8.12. HTTP Keywords
- 8.12.1. HTTP Primer
- 8.12.2. http.method
- 8.12.3. http.uri and http.uri.raw
- 8.12.4. uricontent
- 8.12.5. urilen
- 8.12.6. http.protocol
- 8.12.7. http.request_line
- 8.12.8. http.header and http.header.raw
- 8.12.9. http.cookie
- 8.12.10. http.user_agent
- 8.12.11. http.accept
- 8.12.12. http.accept_enc
- 8.12.13. http.accept_lang
- 8.12.14. http.connection
- 8.12.15. http.content_type
- 8.12.16. http.content_len
- 8.12.17. http.referer
- 8.12.18. http.start
- 8.12.19. http.header_names
- 8.12.20. http.request_body
- 8.12.21. http.stat_code
- 8.12.22. http.stat_msg
- 8.12.23. http.response_line
- 8.12.24. http.response_body
- 8.12.25. http.server
- 8.12.26. http.location
- 8.12.27. http.host and http.host.raw
- 8.12.28. http.request_header
- 8.12.29. http.response_header
- 8.12.30. file.data
- 8.13. File Keywords
- 8.14. DNS Keywords
- 8.15. SSL/TLS Keywords
- 8.15.1. tls.cert_subject
- 8.15.2. tls.cert_issuer
- 8.15.3. tls.cert_serial
- 8.15.4. tls.cert_fingerprint
- 8.15.5. tls.sni
- 8.15.6. tls_cert_notbefore
- 8.15.7. tls_cert_notafter
- 8.15.8. tls_cert_expired
- 8.15.9. tls_cert_valid
- 8.15.10. tls.certs
- 8.15.11. tls.version
- 8.15.12. ssl_version
- 8.15.13. tls.fingerprint
- 8.15.14. tls.store
- 8.15.15. ssl_state
- 8.15.16. tls.random
- 8.15.17. tls.random_time
- 8.15.18. tls.random_bytes
- 8.15.19. tls.cert_chain_len
- 8.16. SSH Keywords
- 8.17. JA3/JA4 Keywords
- 8.18. Modbus Keyword
- 8.19. DCERPC Keywords
- 8.20. DHCP keywords
- 8.21. DNP3 Keywords
- 8.22. ENIP/CIP Keywords
- 8.23. FTP/FTP-DATA Keywords
- 8.24. Kerberos Keywords
- 8.25. SMB Keywords
- 8.26. SNMP keywords
- 8.27. Base64 keywords
- 8.28. SIP Keywords
- 8.29. RFB Keywords
- 8.30. MQTT Keywords
- 8.30.1. mqtt.protocol_version
- 8.30.2. mqtt.type
- 8.30.3. mqtt.flags
- 8.30.4. mqtt.qos
- 8.30.5. mqtt.reason_code
- 8.30.6. mqtt.connack.session_present
- 8.30.7. mqtt.connect.clientid
- 8.30.8. mqtt.connect.flags
- 8.30.9. mqtt.connect.password
- 8.30.10. mqtt.connect.username
- 8.30.11. mqtt.connect.willmessage
- 8.30.12. mqtt.connect.willtopic
- 8.30.13. mqtt.publish.message
- 8.30.14. mqtt.publish.topic
- 8.30.15. mqtt.subscribe.topic
- 8.30.16. mqtt.unsubscribe.topic
- 8.30.17. Additional information
- 8.31. IKE Keywords
- 8.32. HTTP2 Keywords
- 8.33. Quic Keywords
- 8.34. Generic App Layer Keywords
- 8.35. Xbits Keyword
- 8.36. Alert Keywords
- 8.37. Thresholding Keywords
- 8.38. IP Reputation Keyword
- 8.39. IP Addresses Match
- 8.40. Config Rules
- 8.41. Datasets
- 8.42. Lua Scripting for Detection
- 8.43. Differences From Snort
- 8.43.1. Automatic Protocol Detection
- 8.43.2. urilen Keyword
- 8.43.3. http_uri Buffer
- 8.43.4. http_header Buffer
- 8.43.5. http_cookie Buffer
- 8.43.6. New HTTP keywords
- 8.43.7. byte_extract Keyword
- 8.43.8. byte_jump Keyword
- 8.43.9. byte_math Keyword
- 8.43.10. byte_test Keyword
- 8.43.11. isdataat Keyword
- 8.43.12. Relative PCRE
- 8.43.13. tls* Keywords
- 8.43.14. dns_query Keyword
- 8.43.15. IP Reputation and iprep Keyword
- 8.43.16. Flowbits
- 8.43.17. flowbits:noalert;
- 8.43.18. Negated Content Match Special Case
- 8.43.19. File Extraction
- 8.43.20. Lua Scripting
- 8.43.21. Fast Pattern
- 8.43.22. Don't Cross The Streams
- 8.43.23. Alerts
- 8.43.24. Buffer Reference Chart
- 8.44. Multiple Buffer Matching
- 8.45. Tag