diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index 9e1e6ce56d..fb20a1c7ec 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst @@ -172,6 +172,12 @@ There are specific settings for: * payloads * flows +.. note:: The characters ``;`` and ``"`` have special meaning in the + Suricata rule language and must be escaped when used in a + rule option value. For example:: + + msg:"Message with semicolon\;"; + For more information about these settings, you can click on the following headlines: diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 048152c746..7132f2dff6 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -26,10 +26,11 @@ It is a convention that msg is always the first keyword of a signature. Another example of msg in a signature: -.. image:: meta/msg.png - In this example the red, bold-faced part is the msg. +.. note:: The following characters must be escaped inside the msg: + ``;`` ``\`` ``"`` + Sid (signature id) ------------------ diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 6104c5ba79..2e0f4db0ca 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -93,6 +93,9 @@ For example:: You see ``content:!”Firefox/3.6.13”;``. This means an alert will be generated if the the used version of Firefox is not 3.6.13. +.. note:: The following characters must be escaped inside the content: + ``;`` ``\`` ``"`` + Nocase ------ diff --git a/doc/userguide/rules/pcre.rst b/doc/userguide/rules/pcre.rst index 784b56681c..9c0f4035c8 100644 --- a/doc/userguide/rules/pcre.rst +++ b/doc/userguide/rules/pcre.rst @@ -54,6 +54,9 @@ qualities of pcre as well. These are: * ``E``: Ignores newline characters at the end of the buffer/payload. * ``G``: Inverts the greediness. +.. note:: The following characters must be escaped inside the content: + ``;`` ``\`` ``"`` + Suricata's modifiers ~~~~~~~~~~~~~~~~~~~~