From beec1eac2f6bc9f037a13f557ea00d01f80626fd Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Fri, 27 Sep 2024 10:33:49 -0400 Subject: [PATCH] doc/decode-events: new: unknown event description Issue: 7129 Document the unknown ethertype event. --- doc/userguide/rules/decode-layer.rst | 42 ++++++++++++++++++++++++++++ doc/userguide/rules/index.rst | 1 + 2 files changed, 43 insertions(+) create mode 100644 doc/userguide/rules/decode-layer.rst diff --git a/doc/userguide/rules/decode-layer.rst b/doc/userguide/rules/decode-layer.rst new file mode 100644 index 0000000000..f2c8c3c327 --- /dev/null +++ b/doc/userguide/rules/decode-layer.rst @@ -0,0 +1,42 @@ +Generic Decode Layer Keywords +============================= + +decode-event +------------ + +Match on events generated by the decode layer. Decode events are generated during +the packet decoding phase that indicate structural or invalid values for the +Ethernet and layer 2 and layer 3 protocol data. + +Syntax:: + + decode-event:; + +Examples:: + + decode-event:ipv4.opt_duplicate + decode-event:ethernet.unknown_ethertype + +Decode Events +~~~~~~~~~~~~~ + +ethernet.unknown_ethertype +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The ethertype value was not recognized by Suricata. Suricata recognizes +the following ethertype values:: + + ETHERNET_TYPE_IP + ETHERNET_TYPE_IPV6 + ETHERNET_TYPE_VLAN + ETHERNET_TYPE_8021QINQ + ETHERNET_TYPE_8021AD + ETHERNET_TYPE_8021AH + ETHERNET_TYPE_ARP + ETHERNET_TYPE_MPLS_UNICAST + ETHERNET_TYPE_MPLS_MULTICAST + ETHERNET_TYPE_DCE + ETHERNET_TYPE_VNTAG + ETHERNET_TYPE_NSH + ETHERNET_TYPE_PPOE_SESS + ETHERNET_TYPE_PPOE_DISC diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index 57e9f20eb7..b475fba0f8 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -38,6 +38,7 @@ Suricata Rules smtp-keywords websocket-keywords app-layer + decode-layer xbits noalert thresholding
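Review bot: In the new decode-layer.rst, the Syntax block reads `decode-event:;` with nothing between the colon and the semicolon, so the reader is not told what goes there. Give it a placeholder for the event name, and make the two Examples consistent with it, since they omit the trailing `;` that the Syntax line shows. In the opening paragraph, "that indicate structural or invalid values" has no noun after "structural" and is separated from "events" by the phrase about the decoding phase; wording such as "Decode events are generated during packet decoding and indicate structural problems or invalid values in the Ethernet, layer 2 and layer 3 protocol data" would read more cleanly. Under ethernet.unknown_ethertype, the recognized types are listed only by their ETHERNET_TYPE_* constant names. Someone triaging this event sees a numeric ethertype in the packet, so putting the hex value beside each name would let them tell whether a given frame should have triggered the event without reading the decoder source. The list also duplicates what the decoder knows, so it is worth a sentence saying where the authoritative list lives, to limit drift when a type is added.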