From f46a8776ecc3f73c58d129b964f48d90727580a0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Tue, 3 Sep 2024 14:13:08 -0400 Subject: [PATCH] doc: add note about big endian for icmp_seq match --- doc/userguide/rules/header-keywords.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index e28b14e283..a6837d73cf 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -711,6 +711,12 @@ Example of icmp_seq in a rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;) +.. note:: Some pcap analysis tools, like wireshark, may give both a little + endian and big endian value for ``icmp_seq``. The ``icmp_seq`` keyword + matches on the big endian value, this is due to Suricata using the network + byte order (big endian) to perform the match comparison. + + icmpv4.hdr ^^^^^^^^^^
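Review bot: The added note has a comma splice and an inexact proper noun: "The ``icmp_seq`` keyword matches on the big endian value, this is due to Suricata using..." should be split into two sentences (or joined with "because"), and "wireshark" should be capitalised as "Wireshark". The wording also reads as circular (matching on the big-endian value "is due to" using big-endian byte order); it would be clearer to state the practical point directly, for example: "Suricata compares ``icmp_seq`` against the value in network byte order (big endian), so use the big-endian value shown by the analysis tool (Wireshark displays both a BE and an LE sequence number) when writing the rule." A one-line illustration would help readers who only see a raw dump, e.g. the sequence bytes ``0x01 0x00`` are 256 in big-endian order and 1 in little-endian order, and the rule must use 256. Finally, the hunk adds two blank lines before the ``icmpv4.hdr`` heading; one is enough to separate the ``.. note::`` directive from the heading in reStructuredText, so consider dropping the extra one for consistency with the rest of the file.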