git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: initial app-layer keywords 2360/head
author: Victor Julien <victor@inliniac.net>
Fri, 14 Oct 2016 15:28:34 +0000 (17:28 +0200)
committer: Victor Julien <victor@inliniac.net>
Fri, 14 Oct 2016 17:57:21 +0000 (19:57 +0200)
Document app-layer-protocol and make a start with app-layer-event.

doc/userguide/rules/app-layer.rst [new file with mode: 0644]
doc/userguide/rules/index.rst

diff --git a/doc/userguide/rules/app-layer.rst b/doc/userguide/rules/app-layer.rst
new file mode 100644 (file)
index 0000000..8295d58
--- /dev/null
@@ -0,0 +1,80 @@
+Generic App Layer Keywords
+==========================
+
+app-layer-protocol
+------------------
+
+Match on the detected app-layer protocol.
+
+Syntax::
+
+    app-layer-protocol:[!]<protocol>;
+
+Examples::
+
+    app-layer-protocol:ssh;
+    app-layer-protocol:!tls;
+    app-layer-protocol:failed;
+
+A special value 'failed' can be used for matching on flows in which
+protocol detection failed. This can happen if Suricata doesn't know
+the protocol or when certain 'bail out' conditions happen.
+
+.. _proto-detect-bail-out:
+
+Bail out conditions
+~~~~~~~~~~~~~~~~~~~
+
+Protocol detection gives up in several cases:
+
+* both sides are inspected and no match was found
+* side A detection failed, side B has no traffic at all (e.g. FTP data channel)
+* side A detection failed, side B has so little data detection is inconclusive
+
+In these last 2 cases the ``app-layer-event:applayer_proto_detection_skipped``
+is set.
+
+
+app-layer-event
+---------------
+
+Match on events generated by the App Layer Parsers and the protocol detection
+engine.
+
+Syntax::
+
+  app-layer-event:<event name>;
+
+Examples::
+
+    app-layer-event:applayer_mismatch_protocol_both_directions;
+    app-layer-event:http.gzip_decompression_failed;
+
+Protocol Detection
+~~~~~~~~~~~~~~~~~~
+
+applayer_mismatch_protocol_both_directions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The toserver and toclient directions have different protocols. For example a
+client talking HTTP to a SSH server.
+
+applayer_wrong_direction_first_data
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some protocol implementations in Suricata have a requirement with regards to
+the first data direction. The HTTP parser is an example of this.
+
+https://redmine.openinfosecfoundation.org/issues/993
+
+applayer_detect_protocol_only_one_direction
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Protocol detection only succeeded in one direction. For FTP and SMTP this is
+expected.
+
+applayer_proto_detection_skipped
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Protocol detection was skipped because of :ref:`proto-detect-bail-out`.
+
index 6680d030f7262d0d14044f82867a56e9aeb07fed..1818572aca10ec53c920e818741a231d82fafd06 100644 (file)
@@ -18,6 +18,7 @@ Suricata Rules
    modbus-keyword
    dnp3-keywords
    enip-keyword
+   app-layer
    rule-lua-scripting
    normalized-buffers
    snort-compatibility
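Review bot: The toctree entry name matches the new file (app-layer.rst), but since the page documents generic keywords (app-layer-protocol, app-layer-event) rather than a single protocol, consider placing ``app-layer`` ahead of the protocol-specific entries (modbus-keyword, dnp3-keywords, enip-keyword) so the generic keywords precede the specialised ones in the navigation.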