doc: add ip.dst and ip.src doc

diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst
index b83bee336d3ab19b1c7855ecc61f11546cc98352..68a7e3f7ae6147c2056acbf76446d3fb467eb158 100644 (file)
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@@ -37,6 +37,7 @@ Suricata Rules
    xbits
    thresholding
    ip-reputation-rules
+   ipaddr
    config
    datasets
    lua-detection

diff --git a/doc/userguide/rules/ipaddr.rst b/doc/userguide/rules/ipaddr.rst
new file mode 100644 (file)
index 0000000..a42657f
--- /dev/null
+++ b/doc/userguide/rules/ipaddr.rst
@@ -0,0 +1,29 @@
+IP Addresses Match
+==================
+
+Matching on IP addresses can be done via the IP tuple parameters or via the iprep keywords (see :doc:`/rules/ip-reputation-rules`).
+Some keywords providing interaction with datasets are also available.
+
+ip.src
+------
+
+The `ip.src` keyword is a sticky buffer to match on source IP address. It matches on the binary representation
+and is compatible with datasets of types `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound bad list"; flow:to_server; ip.src; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)
+
+ip.dst
+------
+
+The `ip.dst` keyword is a sticky buffer to match on destination IP address. It matches on the binary representation
+and is compatible with the dataset of type `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $HOME_NET any -> any any (msg:"Outbound bad list"; flow:to_server; ip.dst; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)