From 6f294f2f2d40990a6ca74ef3368c6373489eda3d Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Fri, 2 Sep 2022 14:27:15 -0300 Subject: [PATCH] userguide: minor rewording and typo fixes Some of these were recently introduced, some were highlited after the applayer sections got merged. Some paragraphs seem to have been changed due to trying to respect character limits for lines. Also includes a typo pointed out by one of our community members via Discord. --- doc/userguide/configuration/suricata-yaml.rst | 27 +++++++++---------- .../setting-up-ipsinline-for-linux.rst | 2 +- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 2bc934213c..b7497d1bb9 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -993,7 +993,7 @@ and prealloc for the following: The flow-engine has a management thread that operates independent from the packet processing. This thread is called the flow-manager. This -thread ensures that wherever possible and within the memcap. there +thread ensures that wherever possible and within the memcap. There will be 10000 flows prepared. In IPS mode, a memcap-policy exception policy can be set, telling Suricata 
@@ -1251,13 +1251,13 @@ Application Layer Parsers The ``app-layer`` section holds application layer specific configurations. -A in IPS mode, a global exception policy accessed via the ``error-policy`` +In IPS mode, a global exception policy accessed via the ``error-policy`` setting can be defined to indicate what the engine should do in case if encounters an app-layer error. Possible values are "drop-flow", "pass-flow", -"bypass", "drop-packet", "pass-packet", "reject" or "ignore" (which will mean -keeping the default behavior). +"bypass", "drop-packet", "pass-packet", "reject" or "ignore" (which maintains +the default behavior). -Each supported protocol will have a dedicated subsection under ``protocols``. +Each supported protocol has a dedicated subsection under ``protocols``. Asn1_max_frames (new in 1.0.3 and 1.1) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1684,15 +1684,14 @@ unlimited. MQTT ~~~~ -MQTT messages could theoretically be up to 256MB in size, potentially -containing a lot of payload data (such as properties, topics, or -published payloads) that would end up parsed and logged. To acknowledge -the fact that most MQTT messages, however, will be quite small and to -reduce the potential for denial of service issues, it is possible to limit -the maximum length of a message that we are willing to parse. Any message -larger than the limit will just be logged with reduced metadata, and rules -will only be evaluated against a subset of fields. -The default is 1 MB. +The maximum size of a MQTT message is 256MB, potentially containing a lot of +payload data (such as properties, topics, or published payloads) that would end +up parsed and logged. To acknowledge the fact that most MQTT messages, however, +will be quite small and to reduce the potential for denial of service issues, +it is possible to limit the maximum length of a message that Suricata should +parse. Any message larger than the limit will just be logged with reduced +metadata, and rules will only be evaluated against a subset of fields. The +default is 1 MB. :: diff --git a/doc/userguide/setting-up-ipsinline-for-linux.rst b/doc/userguide/setting-up-ipsinline-for-linux.rst index 10024f9459..2656f765cc 100644 --- a/doc/userguide/setting-up-ipsinline-for-linux.rst +++ b/doc/userguide/setting-up-ipsinline-for-linux.rst @@ -17,7 +17,7 @@ To check if you have NFQ enabled in your Suricata build, enter the following com suricata --build-info -and make sure that NFS is listed in the output. +and make sure that NFQ is listed in the output. To run Suricata with the NFQ mode, you have to make use of the ``-q`` option. This option tells Suricata which queue numbers it should use.
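Review bot: In the suricata-yaml.rst hunk at @@ -993, the added line "thread ensures that wherever possible and within the memcap. There" keeps the stray period, so the paragraph now reads as a fragment ("This thread ensures that wherever possible and within the memcap.") followed by "There will be 10000 flows prepared." The period looks like a typo for a comma rather than a missing capital. Suggest making it one sentence: "This thread ensures that wherever possible and within the memcap, there will be 10000 flows prepared." While this paragraph is being touched, "operates independent from" in the context line above could become "operates independently of".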
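Review bot: In the @@ -1251 hunk, the unchanged context line "setting can be defined to indicate what the engine should do in case if encounters" still has "if" where "it" is meant, directly below the line this patch corrects. Suggest fixing it in the same commit ("in case it encounters an app-layer error"), since this is the sentence that tells IPS-mode users what ``error-policy`` acts on and the list of drop/pass/reject values hangs off it.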
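Review bot: In the MQTT hunk at @@ -1684, the new opening line changes the statement itself, not only its wording: "could theoretically be up to 256MB" becomes "The maximum size of a MQTT message is 256MB", which goes beyond the "minor rewording" the commit message describes, and it leaves the retained "however" in the next sentence without the "theoretically" it used to contrast with. Suggest either keeping the hedge ("An MQTT message can be up to 256MB in size, ...") or dropping "however" from "most MQTT messages, however, will be quite small". Two smaller points in the same added lines: "a MQTT" should be "an MQTT", and the paragraph mixes "256MB" with "1 MB", so one spacing style should be used for both.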