DHCP lease time (integer).
+dhcp.leasetime uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
dhcp.leasetime:[op]<number>
DHCP rebinding time (integer).
+dhcp.rebinding_time uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
dhcp.rebinding_time:[op]<number>
DHCP renewal time (integer).
+dhcp.renewal_time uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
dhcp.renewal_time:[op]<number>
Match on the size of the file as it is being transferred.
+filesize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
filesize:<value>;
Flow age in seconds (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
+flow.age uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
Syntax::
flow.age: [op]<number>
Flow number of packets to client (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
+flow.pkts_toclient uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
Syntax::
flow.pkts_toclient: [op]<number>
Flow number of packets to server (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
+flow.pkts_toserver uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
Syntax::
flow.pkts_toserver: [op]<number>
Flow number of bytes to client (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
+flow.bytes_toclient uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
flow.bytes_toclient: [op]<number>
Flow number of bytes to server (integer)
This keyword does not wait for the end of the flow, but will be checked at each packet.
+flow.bytes_toserver uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
Syntax::
flow.bytes_toserver: [op]<number>
ttl:10;
+ttl uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
At the end of the ttl keyword you can enter the value on which you
want to match. The Time-to-live value determines the maximal amount
of time a packet can be in the Internet-system. If this field is set
Match on the TCP MSS option value. Will not match if the option is not
present.
+tcp.mss uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
+
The format of the keyword::
tcp.mss:<min>-<max>;
more important by numeric values. For more information see the table
with message-types and codes.
+itype uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
The format of the itype keyword::
itype:min<>max;
ICMP-type it indicates with what kind of problem you are dealing with.
A code has a different purpose with every ICMP-type.
+icode uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
The format of the icode keyword::
icode:min<>max;
Match on the ICMPv6 MTU optional value. Will not match if the MTU is not
present.
+icmpv6.mtu uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
The format of the keyword::
icmpv6.mtu:<min>-<max>;
URI. It is possible to use the ``<`` and ``>`` operators, which
indicate respectively *smaller than* and *larger than*.
+urilen uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
The format of ``urilen`` is::
urilen:3;
Match on the value of the HTTP2 priority field present in a PRIORITY or HEADERS frame.
+http2.priority uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
Match on the value of the HTTP2 value field present in a WINDOWUPDATE frame.
+http2.window uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
More information on the protocol can be found here:
`<https://tools.ietf.org/html/rfc7541#section-6.3>`_
+http2.size_update uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
Match on the value of the Exchange Type.
+ike.exchtype uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
Match against the length of the public key exchange payload (e.g. Diffie-Hellman) of the server or client.
+ike.key_exchange_payload_length uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
Match against the length of the nonce of the server or client.
+ike.nonce_payload_length uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
meta
header-keywords
payload-keywords
+ integer-keywords
transforms
prefilter-keywords
flow-keywords
--- /dev/null
+.. _rules-integer-keywords:
+
+Integer Keywords
+================
+
+Many keywords will match on an integer value on the network traffic.
+These are unsigned integers that can be 8, 16, 32 or 64 bits.
+
+Simple example::
+
+ bsize:integer value;
+
+The integer value can be written as base-10 like ``100`` or as
+an hexadecimal value like ``0x64``.
+
+The most direct example is to match for equality, but there are
+different modes.
+
+Comparison modes
+----------------
+
+Integers can be matched for
+* Equality
+* Inequality
+* Greater than
+* Less than
+* Range
+* Negated range
+* Bitmask
+* Negated Bitmask
+
+.. note::
+
+ Comparisons are strict by default. Ranges are thus exclusive.
+ That means a range between 1 and 4 will match 2 and 3, but neither 1 nor 4.
+ Negated range !1-4 will match for 1 or below and for 4 or above.
+
+Examples::
+
+ bsize:19; # equality
+ bsize:=0x13; # equality
+ bsize:!0x14; # inequality
+ bsize:!=20; # inequality
+ bsize:>21; # greater than
+ bsize:>=21; # greater than or equal
+ bsize:<22; # lesser than
+ bsize:<=22; # lesser than or equal
+ bsize:19-22; # range between value1 and value2
+ bsize:!19-22; # negated range between value1 and value2
+ bsize:&0xc0=0x80; # bitmask mask is compared to value for equality
+ bsize:&0xc0!=0; # bitmask mask is compared to value for inequality
+
+Enumerations
+------------
+
+Some integers on the wire represent an enumeration, that is, some values
+have a string/meaning associated to it.
+Rules can be written using one of these strings to check for equality.
+This is meant to make rules more human-readable and equivalent for matching.
+
+Examples::
+
+ websocket.opcode:text;
+ websocket.opcode:1; # behaves the same
+
+Bitmasks
+--------
+
+Some integers on the wire represent multiple bits.
+Some of these bits have a string/meaning associated to it.
+Rules can be written using a list (comma-separated) of these strings,
+where each item can be negated.
+
+Examples::
+
+ websocket.flags:fin,!comp;
+ websocket.flags:&0xc0=0x80; # behaves the same
Match on the value of the MQTT protocol version field in the fixed header.
+mqtt.protocol_version uses an :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
+
The format of the keyword::
mqtt.protocol_version:<min>-<max>;
With the ``bsize`` keyword, you can match on the length of the buffer. This adds
precision to the content match, previously this could have been done with ``isdataat``.
+bsize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
+
An optional operator can be specified; if no operator is present, the operator will
default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range),
the bsize value will be compared using the relational operator. Ranges are inclusive.
dsize cannot be used when using app/streamlayer protocol keywords (i.e. http.uri)
+dsize uses an :ref:`unsigned 16-bit integer <rules-integer-keywords>`.
+
Format::
dsize:[<>!]number; || dsize:min<>max;
Match on the value of the RFB security type field, e.g. ``2`` for VNC challenge-response authentication, ``0`` for no authentication, and ``30`` for Apple's custom Remote Desktop authentication.
+rfb.sectype uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
This keyword takes a numeric argument after a colon and supports additional qualifiers, such as:
* ``>`` (greater than)
Matches on the TLS certificate chain length.
+tls.cert_chain_len uses an :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
+
tls.cert_chain_len supports `<, >, <>, !` and using an exact value.
Example::
projects / thirdparty / suricata.git / commitdiff
