doc: adds doc for ipv4.hdr signature keyword

author Philippe Antoine <contact@catenacyber.fr>

Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)

committer Jeff Lucovsky <jeff@lucovsky.org>

Mon, 23 Mar 2020 13:08:04 +0000 (09:08 -0400)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)
committer Jeff Lucovsky <jeff@lucovsky.org>
Mon, 23 Mar 2020 13:08:04 +0000 (09:08 -0400)
diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst

index e04f5119cfaaa26ec73dd961aa183c6b358fa573..f8104ec61e5ea76d0d2c5b9874629de0273003f3 100644 (file)
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -111,6 +111,25 @@ The named variant of that example would be::
  
      ip_proto:PIM
  
+ipv4.hdr
+^^^^^^^^
+
+Sticky buffer to match on the whole IPv4 header.
+
+Example rule:
+
+.. container:: example-rule
+
+    alert ip any any -> any any (:example-rule-emphasis:`ipv4.hdr; content:"|3A|"; offset:9; depth:1;` sid:1234; rev:5;)
+
+This example looks if byte 9 of IPv4 header has value 3A.
+That means that the IPv4 protocol is ICMPv6.
+
+ipv6.hdr
+^^^^^^^^
+
+Sticky buffer to match on the whole IPv6 header.
+
  id
  ^^
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)
committer	Jeff Lucovsky <jeff@lucovsky.org>
	Mon, 23 Mar 2020 13:08:04 +0000 (09:08 -0400)