doc: use the ldap protocol in rule examples in the LDAP keywords documentation

diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst
index 60c01af726b204a37cb2cf31fc66352c610e7373..b839f4f7a0bc7665df66a346c6a9c18c3fd20fbf 100644 (file)
--- a/doc/userguide/rules/ldap-keywords.rst
+++ b/doc/userguide/rules/ldap-keywords.rst
@@ -61,11 +61,11 @@ Example of a signatures that would alert if the packet has an LDAP bind request
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;)
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;)
 
 ldap.responses.operation
 ------------------------
@@ -104,23 +104,23 @@ Example of a signatures that would alert if the packet has an LDAP bind response
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;)
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;)
 
 Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;)
 
 Example of a signature that would alert if all the responses are of type search_result_entry:
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;)
 
 The keyword ldap.responses.operation supports back to front indexing with negative numbers,
 this means that -1 will represent the last index, -2 the second to last index, and so on.
@@ -128,7 +128,7 @@ This is an example of a signature that would alert if a search_result_entry resp
 
 .. container:: example-rule
 
-  alert tcp any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;)
+  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;)
 
 ldap.responses.count
 --------------------
@@ -156,10 +156,10 @@ Example of a signature that would alert if a packet has 0 LDAP responses:
 
 .. container:: example-rule
 
-  alert ip any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;)
+  alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;)
 
 Example of a signature that would alert if a packet has more than 2 LDAP responses:
 
 .. container:: example-rule
 
-  alert ip any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;)
+  alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;)