From 197ad5113813157c4344671e914bd8d3af023039 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 18 May 2020 09:30:02 -0400 Subject: [PATCH] doc: Update bsize documentation This commit updates the bsize documentation 1. Describe what happens when "content" immediately precedes "bsize" 2. Include the operators and 3. Include examples using the operators. --- doc/userguide/rules/payload-keywords.rst | 30 ++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index e0c0aef2f3..fa76250b7a 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -273,13 +273,26 @@ You can also use the negation (!) before isdataat. bsize ----- -With the bsize keyword, you can match on the length of a buffer. This adds precision to the content match, previously this could have been done with isdataat. +With the ``bsize`` keyword, you can match on the length of the buffer. This adds +precision to the content match, previously this could have been done with ``isdataat``. + +An optional operator can be specified; if no operator is present, the operator will +default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range), +the bsize value will be compared using the relational operator. Ranges are inclusive. + +If one or more ``content`` keywords precedes ``bsize``, each occurrence of ``content`` +will be inspected and an error will be raised if the content length and the bsize +value prevent a match. Format:: bsize:; + bsize:=; + bsize:<; + bsize:>; + bsize:<>; -Examples of bsize values: +Examples of ``bsize`` in a rule: .. container:: example-rule 
@@ -295,6 +308,19 @@ Examples of bsize values: alert dns any any -> any any (msg:"bsize buffer range value"; dns.query; content:"google.com"; bsize:8<>20; sid:6; rev:1;) + +.. container:: example-rule + + alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"short"; bsize:<10; sid:124; rev:1;) + +.. container:: example-rule + + alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"longer string"; bsize:>10; sid:125; rev:1;) + +.. container:: example-rule + + alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"middle"; bsize:6<>15; sid:126; rev:1;) + dsize -----
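Review bot: In the first hunk, "If one or more ``content`` keywords precedes ``bsize``" should read "precede", and the sentence would be clearer if it said when the error is raised (at rule load, as a signature parse error) and what the check compares: the length of each preceding ``content`` against the ``bsize`` value under the given operator. The Format block entries as rendered here (``bsize:;``, ``bsize:=;``, ``bsize:<>;``) carry no value placeholder; if that is not an artifact of how the patch is displayed, each line should show where the number goes, and the range form needs two values, e.g. ``bsize:<lo><><hi>;``, to match the ``bsize:8<>20`` example below. Please also double-check "Ranges are inclusive" against the range comparison in the bsize implementation before it lands in the docs; the relational-operator sentence should likewise state whether ``<`` and ``>`` are strict, since that determines which ``content``/``bsize`` combinations the load-time check rejects.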
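Review bot: In the second hunk, the three added rules all use ``msg:"test bsize rule"``; the existing example uses a descriptive message ("bsize buffer range value"), so give each new rule a message naming the operator it demonstrates (e.g. "bsize less than", "bsize greater than", "bsize range"), and consider continuing the sid sequence from the existing examples (sid:6 is followed by sid:124). Since the first hunk documents the load-time error for a ``content`` whose length cannot satisfy ``bsize``, one example of a rule that is rejected for that reason (e.g. ``content:"longer string"; bsize:<10;``) would show readers what that check looks like in practice.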