doc: add note about big endian for icmp_seq match

author jason taylor <jtfas90@gmail.com>

Tue, 3 Sep 2024 18:13:08 +0000 (14:13 -0400)

committer Victor Julien <victor@inliniac.net>

Fri, 20 Sep 2024 09:49:13 +0000 (11:49 +0200)
author jason taylor <jtfas90@gmail.com>
Tue, 3 Sep 2024 18:13:08 +0000 (14:13 -0400)
committer Victor Julien <victor@inliniac.net>
Fri, 20 Sep 2024 09:49:13 +0000 (11:49 +0200)
diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst

index e28b14e28315306c3f8c325d6c94f112aeacbb2e..a6837d73cf5e0124577a5e8aeb17f8bb34605f12 100644 (file)
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -711,6 +711,12 @@ Example of icmp_seq in a rule:
  
      alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;)
  
+.. note:: Some pcap analysis tools, like wireshark, may give both a little
+  endian and big endian value for ``icmp_seq``. The ``icmp_seq`` keyword
+  matches on the big endian value, this is due to Suricata using the network
+  byte order (big endian) to perform the match comparison.
+
+
  icmpv4.hdr
  ^^^^^^^^^^
author	jason taylor <jtfas90@gmail.com>
	Tue, 3 Sep 2024 18:13:08 +0000 (14:13 -0400)
committer	Victor Julien <victor@inliniac.net>
	Fri, 20 Sep 2024 09:49:13 +0000 (11:49 +0200)