git.ipfire.org Git - thirdparty/suricata.git/commitdiff
detect/byte_math: Document bytes variable name
author Jeff Lucovsky <jlucovsky@oisf.net>
Sun, 9 Jul 2023 14:42:06 +0000 (10:42 -0400)
committer Victor Julien <vjulien@oisf.net>
Mon, 10 Jul 2023 07:27:04 +0000 (09:27 +0200)
Issue: 6145

Document that byte_math accepts a variable name for bytes (optional)

doc/userguide/rules/differences-from-snort.rst
doc/userguide/rules/payload-keywords.rst

index 50f34061b9892b526724389ca31f9df665626e2c..9ca145c5e238ae317ab386ffc9425a2cb53fe382 100644 (file)
@@ -295,6 +295,10 @@ See :doc:`http-keywords` for all HTTP keywords.
   to be specified for the ``nbytes`` value. The value of ``nbytes`` must adhere
   to the same constraints as though a value was directly supplied by the rule.
 
+-  Suricata allows a variable name from ``byte_extract`` to be specified for
+   the ``nbytes`` value. The value of ``nbytes`` must adhere to the same constraints
+   as if it were supplied directly in the rule.
+
 
 ``isdataat`` Keyword
 --------------------
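Review bot: the added bullet (new lines 298-300) never names ``byte_math``, and it repeats almost word for word the sentence that closes the bullet just above it ("The value of ``nbytes`` must adhere to the same constraints as though a value was directly supplied by the rule"), so a reader cannot tell which keyword this second statement covers. It also says ``nbytes``, while the Format line changed in payload-keywords.rst calls the byte_math option ``bytes``. Suggest naming the keyword and its option explicitly, for example "Suricata allows a variable name from ``byte_extract`` to be specified for the ``byte_math`` ``bytes`` value", or dropping the bullet if the preceding one already covers this case.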
index e9da599ee94ceda682c0103c7458071954c71405..412f7b4fe0e4352087fc4b52f09f58c2f4a0275f 100644 (file)
@@ -459,13 +459,14 @@ other rule options later in the rule.
 
 Format::
 
-  byte_math:bytes <num of bytes>, offset <offset>, oper <operator>, rvalue <rvalue>, \
+  byte_math:bytes <num of bytes> | <variable-name> , offset <offset>, oper <operator>, rvalue <rvalue>, \
         result <result_var> [, relative] [, endian <endian>] [, string <number-type>] \
         [, dce] [, bitmask <value>];
 
 
 +-----------------------+-----------------------------------------------------------------------+
 | <num of bytes>        | The number of bytes selected from the packet                          |
+|                       | or the name of a byte_extract variable.                               |
 +-----------------------+-----------------------------------------------------------------------+
 | <offset>              | Number of bytes into the payload                                      |
 +-----------------------+-----------------------------------------------------------------------+
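Review bot: the Format line now carries a `<variable-name>` placeholder (`bytes <num of bytes> | <variable-name> ,`) that has no row of its own in the table; the alternative is mentioned only inside the `<num of bytes>` row, whose label still reads as a literal count. Suggest a separate `<variable-name>` row, or a label that covers both forms, and stating there that the variable's value must meet the same constraints as a directly supplied byte count (the differences-from-snort.rst hunk says this, the table does not). The stray space before the comma in `<variable-name> ,` should be removed, and since the other alternatives in this format are written with `[...]`, a short note on what `|` means here would keep the notation consistent.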