git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc/byte_test: Document byte_test variable usage
author Jeff Lucovsky <jlucovsky@oisf.net>
Fri, 7 Jul 2023 14:34:08 +0000 (10:34 -0400)
committer Victor Julien <vjulien@oisf.net>
Mon, 10 Jul 2023 07:27:03 +0000 (09:27 +0200)
Issue: 6144

This commit updates the byte_test documentation now that a variable name
can be used for the nbytes value.

doc/userguide/rules/differences-from-snort.rst
doc/userguide/rules/payload-keywords.rst

index db5691256856922447b8d4d3b6209502c1853bb9..56da32dc84bd82d041809c0160b66217f6933d10 100644 (file)
@@ -278,6 +278,13 @@ See :doc:`http-keywords` for all HTTP keywords.
 
 - Suricata will never match if there's a zero divisor. Division by 0 is undefined.
 
+``byte_test`` Keyword
+---------------------
+
+- Suricata allows a variable name from ``byte_extract`` or ``byte_math``
+  to be specified for the ``nbytes`` value. The value of ``nbytes`` must adhere
+  to the same constraints as though a value was directly supplied by the rule.
+
 
 ``isdataat`` Keyword
 --------------------
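
Review bot: the new bullet under ``byte_test`` says the ``nbytes`` value "must adhere to the same constraints" but neither names those constraints nor says what Suricata does when the variable holds a value outside them. The bullet just above states the outcome for its invalid case ("will never match if there's a zero divisor"); the same is needed here, because a value produced by ``byte_extract`` or ``byte_math`` is only known when traffic is inspected and cannot be checked by the rule writer in advance. Suggest stating the allowed range or linking to the ``byte_test`` section of payload-keywords, and adding the resulting behaviour (for example, whether the keyword simply does not match). Minor wording: "as though a value was directly supplied" reads better as "as though the value were directly supplied".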
index f55d9958a6607b12153af36e1ba341a81b10afc9..0622114c8fc27d6116732d148f4fcde4f560a82d 100644 (file)
@@ -368,13 +368,14 @@ and the final result will be right shifted one bit for each trailing ``0`` in
 the ``<bitmask value>``.
 
 Format::
-  
-  byte_test:<num of bytes>, [!]<operator>, <test value>, <offset> [,relative] \
-  [,<endian>][, string, <num type>][, dce][, bitmask <bitmask value>]; 
+
+  byte_test:<num of bytes> | <variable_name>, [!]<operator>, <test value>, <offset> [,relative] \
+  [,<endian>][, string, <num type>][, dce][, bitmask <bitmask value>];
 
 
 +----------------+------------------------------------------------------------------------------+
 | <num of bytes> | The number of bytes selected from the packet to be converted                        |
+|                | or the name of a byte_extract/byte_math variable.                           |
 +----------------+------------------------------------------------------------------------------+
 | <operator>    |                                                                              |
 |               | - [!] Negation can prefix other operators                                    |
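
Review bot: the Format line now introduces ``<variable_name>`` as its own placeholder, but the table has no row for it; the description is appended to the ``<num of bytes>`` row instead. Either add a ``<variable_name>`` row, or keep a single placeholder in the Format line and let that row explain both forms. The bare ``|`` in ``<num of bytes> | <variable_name>`` is also the only alternation in a syntax string that otherwise uses ``[...]``, so a reader may take it as literal rule text; one sentence saying it means "either of the two" would remove the doubt. The added row could also repeat that the variable's value is subject to the same limits as a literal byte count, as the differences-from-snort text in this commit says, and mark ``byte_extract``/``byte_math`` as literals for consistency with that file.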