doc: adds doc for ipv4.hdr signature keyword

author Philippe Antoine <contact@catenacyber.fr>

Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)

committer Victor Julien <victor@inliniac.net>

Thu, 19 Mar 2020 08:49:13 +0000 (09:49 +0100)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)
committer Victor Julien <victor@inliniac.net>
Thu, 19 Mar 2020 08:49:13 +0000 (09:49 +0100)
diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst

index d84009b71e5edbb46bcf1e69a7624121871b70c9..d1d2d7b88779f6b3587ba33a53bf846f70cc11a0 100644 (file)
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -111,6 +111,20 @@ The named variant of that example would be::
  
      ip_proto:PIM
  
+ipv4.hdr
+^^^^^^^^
+
+Sticky buffer to match on the whole IPv4 header.
+
+Example rule:
+
+.. container:: example-rule
+
+    alert ip any any -> any any (:example-rule-emphasis:`ipv4.hdr; content:"|3A|"; offset:9; depth:1;` sid:1234; rev:5;)
+
+This example looks if byte 9 of IPv4 header has value 3A.
+That means that the IPv4 protocol is ICMPv6.
+
  ipv6.hdr
  ^^^^^^^^
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 12 Mar 2020 08:11:52 +0000 (09:11 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 19 Mar 2020 08:49:13 +0000 (09:49 +0100)