-Header Keywords
-===============
+
.. role:: example-rule-emphasis
-IP-keywords
+IP Keywords
-----------
ttl
ipopts
^^^^^^
-
-With the ipopts keyword you can check if a specific ip option is
+With the ipopts keyword you can check if a specific IP option is
set. Ipopts has to be used at the beginning of a rule. You can only
match on one option per rule. There are several options on which can
be matched. These are:
ip_proto
^^^^^^^^
-
With the ip_proto keyword you can match on the IP protocol in the
packet-header. You can use the name or the number of the protocol.
You can match for example on the following protocols::
alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;)
-The named variante of that example would be::
+The named variant of that example would be::
ip_proto:PIM
geoip
^^^^^
-
The geoip keyword enables (you) to match on the source, destination or
source and destination IP addresses of network traffic, and to see to
which country it belongs. To be able to do this, Suricata uses GeoIP
The keyword only supports IPv4. As it uses the GeoIP API of Maxmind,
libgeoip must be compiled in.
-
-Fragments
----------
-
-fragbits
-^^^^^^^^
+fragbits (IP fragmentation)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
With the fragbits keyword, you can check if the fragmentation and
reserved bits are set in the IP header. The fragbits keyword should be
seq
^^^
-
The seq keyword can be used in a signature to check for a specific TCP
sequence number. A sequence number is a number that is generated
practically at random by both endpoints of a TCP-connection. The
- 5 - Need Authorization
========== ========== =========================================================================
+
icmp_id
^^^^^^^
projects / thirdparty / suricata.git / commitdiff
