Todd Mortimer
6b4d32c6bb
doc: Update documentation for by_rule and by_both thresholds.
5 years ago
Jeff Lucovsky
4ad6c5421a
doc: fix documentation typos
5 years ago
Jeff Lucovsky
bc01392e93
doc: Update byte_test documentation
5 years ago
Frank Honza
1c8943dedd
add RFB parser
...
This commit adds support for the Remote Framebuffer Protocol (RFB) as
used, for example, by various VNC implementations. It targets the
official versions 3.3, 3.7 and 3.8 of the protocol and provides logging
for the RFB handshake communication for now. Logged events include
endpoint versions, details of the security (i.e. authentication)
exchange as well as metadata about the image transfer parameters.
Detection is enabled using keywords for:
- rfb.name: Session name as sticky buffer
- rfb.sectype: Security type, e.g. VNC-style challenge-response
- rfb.secresult: Result of the security exchange, e.g. OK, FAIL, ...
The latter could be used, for example, to detect brute-force attempts
on open VNC servers, while the name could be used to map unwanted VNC
sessions to the desktop owners or machines.
We also ship example EVE-JSON output and keyword docs as part of the
Sphinx source for Suricata's RTD documentation.
5 years ago
Philippe Antoine
6251deae21
doc: adds doc for ipv4.hdr signature keyword
5 years ago
Philippe Antoine
1cd314c500
detect: adds icmpv6.mtu keyword
5 years ago
Philippe Antoine
8396333493
detect: adds icmpv6.hdr keyword
5 years ago
Philippe Antoine
af1361a988
doc: add missing documentation for ipv6.hdr keyword
5 years ago
jason taylor
1666bc0ad1
doc: minor capitalization fix
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
5 years ago
jason taylor
4f7dc4f136
doc: add bsize documentation and rule example
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
5 years ago
Jason Williams
55a36c79ff
doc: update http keywords documentation
5 years ago
jason taylor
95237f9894
docs: update datasets examples
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
5 years ago
EmilienCourt
50bb8d4cb2
doc: fix typo on example
...
Quotes have been forgotten in the dnp3.data example, which throws an
SC_ERR_INVALID_SIGNATURE(39) if used like in the example.
5 years ago
Eric Leblond
9ef2f81ee7
doc/userguide: fix typo
5 years ago
Eric Leblond
821d590f5b
doc/userguide: fix base64 example
...
Add a sticky buffer example and fix the content modifier one.
5 years ago
Konstantin Klinger
808ea0dba9
app-layer: remove obsolete msn protocol detection
5 years ago
Victor Julien
6d2bd6607e
datasets: make clear the feature is experimental
5 years ago
Victor Julien
4061bf5ceb
doc/datasets: update example config to map
5 years ago
Victor Julien
be6cdd37f8
stream: remove fix stream.depth references
5 years ago
Giuseppe Longo
dd5d0afd79
doc: add SIP keywords
5 years ago
Jason Ish
d3e2cc9926
doc: document dns.opcode keyword
5 years ago
Jason Ish
daed788d49
doc: Replace dns_query with dns.query.
5 years ago
Travis Green
798d874662
doc: fix whitespace
5 years ago
Victor Julien
6aa2d550a1
doc/dotprefix: fix example rules
5 years ago
Jeff Lucovsky
ab3d6328ba
detect/transform: add dotprefix keyword to doc
5 years ago
Travis Green
3f146cdd7e
doc: add endswith keyword docs
5 years ago
Travis Green
9f8dcad287
doc: update of ssh-kewords documentation
...
Modifies ssh-keywords.rst to fix syntax error in example rule as well as
update descriptions to indicate older keywords have been deprecated.
5 years ago
Victor Julien
e36a963196
datasets/doc: minor fixes and clarifications
5 years ago
Victor Julien
0107b9a057
doc/dataset: initial documentation
5 years ago
Nick Price
d0a85b7550
ja3: Mention LibNSS dependency for JA3
5 years ago
Eric Leblond
08397e07f1
doc: fix typos in geoip doc
5 years ago
Eric Leblond
0d5608bab2
doc: fix display of icmp code and type array
5 years ago
Eric Leblond
0c84591afe
doc: use a table to list direction filter in geoip
5 years ago
Eric Leblond
c01cadbade
doc: fix geoip syntax
...
Spaces are not allowed before country code.
5 years ago
Vinjar Hillestad
4c18fee3c6
Documenting base64_decode and base64_content
...
base64 doc changes based on #4027 pull feedback
5 years ago
Bill Meeks
a291209e47
detect/geoip: migrate to GeoIP2 database format
...
Issue #2765
5 years ago
Victor Julien
034555644b
doc: add tcp.hdr and udp.hdr
5 years ago
Victor Julien
a01df4b86b
doc: document tcp.mss keyword
5 years ago
Andreas Herz
30fd80b0ef
doc: convert fancy quotes to straight quotes
5 years ago
Pierre Chifflier
9dfec7e734
SNMP: add the "snmp.pdu_type" detection keyword
5 years ago
Pierre Chifflier
e1dd19a0eb
SNMP: add the "snmp.community" detection keyword
5 years ago
Pierre Chifflier
aa608e0ca2
SNMP: add the "snmp.version" detection keyword
5 years ago
Jeff Lucovsky
ab1d95446a
doc: http keyword update
...
This changeset updates the keyword type for http.location and http.server
5 years ago
Jeff Lucovsky
0960ca0d00
detect/analyzer Add missing HTTP values
...
This changeset adds recognition of missing HTTP values
- Raw host
- Header names
- Server body
- User agent
5 years ago
Mats Klepsland
b59e82a642
userguide: add documentation for ja3s.string keyword
5 years ago
Mats Klepsland
76b94c7073
userguide: add documentation for ja3s.hash keyword
5 years ago
Mats Klepsland
7020cffaa8
userguide: 'sticky' instead of 'Sticky' for all tls keywords
5 years ago
Mats Klepsland
03d986dd55
userguide: add documentation for tls.certs keyword
6 years ago
Jeff Lucovsky
7d6875fb68
documentation: Correct rst for ssh-keywords
...
This changeset corrects an error in the ssh-keywords
where 3 "`" characters were used instead of 2 "`" characters.
6 years ago
Jeff Lucovsky
97fc7c1e1a
documentation: sticky buffer updates
...
This changeset updates the userguide for the TLS and JA3
keywords that have been renamed from <id>_<name> to <id.name>
6 years ago
Giuseppe Longo
76357350fd
doc: update http.protocol description
6 years ago
Eric Leblond
360a6ace43
doc: add info about buffer usage in lua
6 years ago
Jeff Lucovsky
9856c5533a
doc: ssh.{proto,software} documentation update
6 years ago
Jeff Lucovsky
74cd6a9ee8
doc: add http.location and http.server
6 years ago
Bryant Smith
398133b6ce
doc: add byte_* documentation to the userguide
...
Added byte_test, byte_jump and byte_extract description and example rules
6 years ago
Eric Leblond
83a8df90f3
doc: improvement of xbits documentation page
6 years ago
Eric Leblond
43ede4db7f
doc: xbits:noalert is not a valid syntax
6 years ago
Victor Julien
eb73008ccf
detect/transform: add to_sha1 keyword
6 years ago
Victor Julien
75f9c1ae9f
detect/transform: add to_md5 keyword
6 years ago
Pascal Delalande
f2dca46382
doc: fix minor typo
6 years ago
Travis Green
c2adb9e669
doc: added tos keyword
...
Redmine issue:
https://redmine.openinfosecfoundation.org/issues/2583
6 years ago
jason taylor
fc54d750dd
doc: add bypass keyword documentation
...
Signed-off-by: jason taylor <jtfas90@gmail.com>
6 years ago
Mats Klepsland
be8c06adfd
userguide: add documentation for ssl_version keyword
6 years ago
Victor Julien
5afeebf884
doc/flow: updates and cleanups to flow section
6 years ago
Victor Julien
72dd4a5f92
doc/rules: initial transforms documentation
6 years ago
Mats Klepsland
e92fda37c9
doc: add documentation for SSH keywords
6 years ago
Mats Klepsland
10fcc8d2ca
doc: update tls.version documentation
6 years ago
Victor Julien
c677e07d3e
kerberos: minor doc updates, add author
6 years ago
Jason Ish
fb85822730
dhcp: update user guide
6 years ago
Pierre Chifflier
c51ff32adb
Document Kerberos 5 parsing events
6 years ago
Pierre Chifflier
1076c7cd47
Add krb5_err_code detection keyword
6 years ago
Pierre Chifflier
d6b9c0294a
Add krb5_cname and krb5_sname detection keywords
6 years ago
Pierre Chifflier
0bd81ff838
Add krb5_msg_type detection keyword
6 years ago
Pierre Chifflier
1e5f5d405f
Kerberos 5: add support for TCP as well
6 years ago
Pascal Delalande
4f48927c44
doc: spelling mistakes in various sections of the user guide
7 years ago
Eric Leblond
0c4bf2d332
doc: add a lua support top level section
...
Both output and signature are using lua. So lua functions should
be displayed in a single section.
7 years ago
Pascal Delalande
e3c5784dd5
doc: minor updates (tls custom, TODO removal, ftp/smb file rules)
7 years ago
Victor Julien
ccde621ceb
doc: add suricata-update to intro for rules
7 years ago
Pierre Chifflier
6eb48e1e93
Add ikev2 to userguide
7 years ago
Victor Julien
26e807ca34
doc: fix http_header_names example
7 years ago
Mats Klepsland
a357f52fa5
doc: add documentation for ja3_string keyword
7 years ago
Mats Klepsland
38cc6f595f
doc: add documentation for ja3_hash keyword
7 years ago
David DIALLO
c2236ea2b3
modbus: Support Unit Identifier
...
When destination IP address does not suffice to uniquely identify
the Modbus/TCP device.
Some Modbus/TCP devices act as gateways to other Modbus/TCP devices
that are behind this gateways.
7 years ago
Andreas Herz
2e8678a5ff
docs: replace redmine links and enforce https on oisf urls
7 years ago
David DIALLO
6c643d8975
modbus: duplicate alerts unaware of direction
...
Remove DetectAppLayerInspectEngineRegister for TOCLIENT direction
because Modbus inspection engine is only performing in request (TOSERVER).
Detect Value keyword in read access rule. In read access, match on value
is not possible.
Update Modbus keyword documentation.
7 years ago
Giuseppe Longo
d2121945c9
doc: update file_data description
7 years ago
Eric Leblond
72c8cd67d5
doc: documentation update on metadata
7 years ago
Pascal Delalande
0ff60f65ec
doc: update filestore for file hash extraction
...
Update for extraction based on md5, sha1 and sha256
7 years ago
Victor Julien
07738af868
detect/content: introduce startswith modifier
...
Add startswith modifier to simplify matching patterns at the start
of a buffer.
Instead of:
content:"abc"; depth:3;
This enables:
content:"abc"; startswith;
Especially with longer patterns this makes the intention of the rule
more clear and eases writing the rules.
Internally it's simply a shorthand for 'depth:<pattern len>;'.
Ticket https://redmine.openinfosecfoundation.org/issues/742
7 years ago
Eric Leblond
f5ba4c231d
doc: update following ftp-data changes
7 years ago
Andreas Herz
6f0794c16f
keyword-filesize: add units
7 years ago
Ralph Broenink
f6938933d9
doc: Amend the list of accepted protocols
...
Based on the list in suricata.yaml
7 years ago
Ralph Broenink
98a1ec490f
doc: Move IP reputation keyword to rules section
7 years ago
Ralph Broenink
722cff1862
doc: Restructure ToC
...
* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section
7 years ago
Ralph Broenink
196ba1da70
doc: Make the header keywords section separate sections in ToC
7 years ago
Ralph Broenink
a55a6cdb62
doc: Move flowint as integral part of flow keywords
7 years ago
Ralph Broenink
f6c766112c
doc: Minor changes in structuring of HTTP Keywords / Snort differences
7 years ago
Ralph Broenink
e9b25988ba
doc: Move pcre entirely to Payload Keywords section
...
(plus remove lingering screenshot of a rule)
7 years ago
Ralph Broenink
bb1bf2643d
doc: Move fast_pattern and prefilter to dedicated page
7 years ago
Ralph Broenink
fea037fda8
doc: Moved explanation of normalized buffers to rules introduction
7 years ago