void DetectAppLayerEventRegister(void)
{
sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
+ sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "Match on events generated by the App Layer Parsers and the protocol detection engine.";
+ sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = DOC_URL DOC_VERSION "/rules/app-layer.html#app-layer-event";
sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Match =
DetectAppLayerEventPktMatch;
sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetupP1;
void DetectAppLayerProtocolRegister(void)
{
sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
+ sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "Match on the detected app-layer protocol.";
+ sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = DOC_URL DOC_VERSION "/rules/app-layer.html#app-layer-protocol";
sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Match =
DetectAppLayerProtocolPacketMatch;
sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Setup =
void DetectByteExtractRegister(void)
{
sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
+ sigmatch_table[DETECT_BYTE_EXTRACT].desc = "Extract <num of bytes> at a particular <offset> and store it in <var_name>.";
+ sigmatch_table[DETECT_BYTE_EXTRACT].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#byte-extract";
sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
void DetectBytejumpRegister (void)
{
sigmatch_table[DETECT_BYTEJUMP].name = "byte_jump";
+ sigmatch_table[DETECT_BYTEJUMP].desc = "Allow the ability to select a <num of bytes> from an <offset> and move the detection pointer to that position.";
+ sigmatch_table[DETECT_BYTEJUMP].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#byte-jump";
sigmatch_table[DETECT_BYTEJUMP].Match = DetectBytejumpMatch;
sigmatch_table[DETECT_BYTEJUMP].Setup = DetectBytejumpSetup;
sigmatch_table[DETECT_BYTEJUMP].Free = DetectBytejumpFree;
void DetectBytetestRegister (void)
{
sigmatch_table[DETECT_BYTETEST].name = "byte_test";
+ sigmatch_table[DETECT_BYTETEST].desc = "Extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>.";
+ sigmatch_table[DETECT_BYTETEST].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#byte-test";
sigmatch_table[DETECT_BYTETEST].Match = DetectBytetestMatch;
sigmatch_table[DETECT_BYTETEST].Setup = DetectBytetestSetup;
sigmatch_table[DETECT_BYTETEST].Free = DetectBytetestFree;
{
SCEnter();
sigmatch_table[DETECT_CIPSERVICE].name = "cip_service"; //rule keyword
- sigmatch_table[DETECT_CIPSERVICE].desc = "Rules for detecting CIP Service ";
+ sigmatch_table[DETECT_CIPSERVICE].desc = "Match on CIP Service.";
+ sigmatch_table[DETECT_CIPSERVICE].url = DOC_URL DOC_VERSION "/rules/enip-keyword.html#enip-cip-keywords";
sigmatch_table[DETECT_CIPSERVICE].Match = NULL;
sigmatch_table[DETECT_CIPSERVICE].Setup = DetectCipServiceSetup;
sigmatch_table[DETECT_CIPSERVICE].Free = DetectCipServiceFree;
{
sigmatch_table[DETECT_ENIPCOMMAND].name = "enip_command"; //rule keyword
sigmatch_table[DETECT_ENIPCOMMAND].desc
- = "Rules for detecting EtherNet/IP command";
+ = "Rules for detecting EtherNet/IP command.";
+ sigmatch_table[DETECT_ENIPCOMMAND].url = DOC_URL DOC_VERSION "/rules/enip-keyword.html#enip-cip-keywords";
sigmatch_table[DETECT_ENIPCOMMAND].Match = NULL;
sigmatch_table[DETECT_ENIPCOMMAND].Setup = DetectEnipCommandSetup;
sigmatch_table[DETECT_ENIPCOMMAND].Free = DetectEnipCommandFree;
void DetectClasstypeRegister(void)
{
sigmatch_table[DETECT_CLASSTYPE].name = "classtype";
- sigmatch_table[DETECT_CLASSTYPE].desc = "information about the classification of rules and alerts";
+ sigmatch_table[DETECT_CLASSTYPE].desc = "Information about the classification of rules and alerts.";
sigmatch_table[DETECT_CLASSTYPE].url = DOC_URL DOC_VERSION "/rules/meta.html#classtype";
sigmatch_table[DETECT_CLASSTYPE].Match = NULL;
sigmatch_table[DETECT_CLASSTYPE].Setup = DetectClasstypeSetup;
void DetectContentRegister (void)
{
sigmatch_table[DETECT_CONTENT].name = "content";
- sigmatch_table[DETECT_CONTENT].desc = "match on payload content";
+ sigmatch_table[DETECT_CONTENT].desc = "Match on payload content.";
sigmatch_table[DETECT_CONTENT].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#content";
sigmatch_table[DETECT_CONTENT].Match = NULL;
sigmatch_table[DETECT_CONTENT].Setup = DetectContentSetup;
void DetectDepthRegister (void)
{
sigmatch_table[DETECT_DEPTH].name = "depth";
- sigmatch_table[DETECT_DEPTH].desc = "designate how many bytes from the beginning of the payload will be checked";
+ sigmatch_table[DETECT_DEPTH].desc = "Designate how many bytes from the beginning of the payload will be checked.";
sigmatch_table[DETECT_DEPTH].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#depth";
sigmatch_table[DETECT_DEPTH].Match = NULL;
sigmatch_table[DETECT_DEPTH].Setup = DetectDepthSetup;
sigmatch_table[DETECT_AL_DNP3FUNC].name = "dnp3_func";
sigmatch_table[DETECT_AL_DNP3FUNC].alias = "dnp3.func";
+ sigmatch_table[DETECT_AL_DNP3FUNC].desc = "Match on the application function code found in DNP3 request and responses.";
+ sigmatch_table[DETECT_AL_DNP3FUNC].url = DOC_URL DOC_VERSION "/rules/dnp3-keywords.html#dnp3-func";
sigmatch_table[DETECT_AL_DNP3FUNC].Match = NULL;
sigmatch_table[DETECT_AL_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
sigmatch_table[DETECT_AL_DNP3FUNC].Setup = DetectDNP3FuncSetup;
sigmatch_table[DETECT_AL_DNP3IND].name = "dnp3_ind";
sigmatch_table[DETECT_AL_DNP3IND].alias = "dnp3.ind";
+ sigmatch_table[DETECT_AL_DNP3IND].desc = "Match on the DNP3 internal indicator flags in the response application header.";
+ sigmatch_table[DETECT_AL_DNP3IND].url = DOC_URL DOC_VERSION "/rules/dnp3-keywords.html#dnp3-ind";
sigmatch_table[DETECT_AL_DNP3IND].Match = NULL;
sigmatch_table[DETECT_AL_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
sigmatch_table[DETECT_AL_DNP3IND].Setup = DetectDNP3IndSetup;
sigmatch_table[DETECT_AL_DNP3OBJ].name = "dnp3_obj";
sigmatch_table[DETECT_AL_DNP3OBJ].alias = "dnp3.obj";
+ sigmatch_table[DETECT_AL_DNP3OBJ].desc = "Match on the DNP3 application data objects.";
+ sigmatch_table[DETECT_AL_DNP3OBJ].url = DOC_URL DOC_VERSION "/rules/dnp3-keywords.html#dnp3-obj";
sigmatch_table[DETECT_AL_DNP3OBJ].Match = NULL;
sigmatch_table[DETECT_AL_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
sigmatch_table[DETECT_AL_DNP3OBJ].Setup = DetectDNP3ObjSetup;
sigmatch_table[DETECT_AL_DNP3DATA].name = "dnp3.data";
sigmatch_table[DETECT_AL_DNP3DATA].alias = "dnp3_data";
+ sigmatch_table[DETECT_AL_DNP3DATA].desc = "Make the following content options to match on the re-assembled application buffer.";
+ sigmatch_table[DETECT_AL_DNP3DATA].url = DOC_URL DOC_VERSION "/rules/dnp3-keywords.html#dnp3-data";
sigmatch_table[DETECT_AL_DNP3DATA].Setup = DetectDNP3DataSetup;
sigmatch_table[DETECT_AL_DNP3DATA].RegisterTests =
DetectDNP3DataRegisterTests;
{
sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query";
- sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
+ sigmatch_table[DETECT_AL_DNS_QUERY].desc = "Sticky buffer to match DNS query-buffer.";
+ sigmatch_table[DETECT_AL_DNS_QUERY].url = DOC_URL DOC_VERSION "/rules/dns-keywords.html#dns-query";
sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
void DetectDsizeRegister (void)
{
sigmatch_table[DETECT_DSIZE].name = "dsize";
- sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
+ sigmatch_table[DETECT_DSIZE].desc = "Match on the size of the packet payload.";
sigmatch_table[DETECT_DSIZE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#dsize";
sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
void DetectFlowRegister (void)
{
sigmatch_table[DETECT_FLOW].name = "flow";
- sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
+ sigmatch_table[DETECT_FLOW].desc = "Match on direction and state of the flow.";
sigmatch_table[DETECT_FLOW].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flow";
sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
void DetectFragBitsRegister (void)
{
sigmatch_table[DETECT_FRAGBITS].name = "fragbits";
- sigmatch_table[DETECT_FRAGBITS].desc = "check if the fragmentation and reserved bits are set in the IP header";
+ sigmatch_table[DETECT_FRAGBITS].desc = "Check if the fragmentation and reserved bits are set in the IP header.";
sigmatch_table[DETECT_FRAGBITS].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#fragbits-ip-fragmentation";
sigmatch_table[DETECT_FRAGBITS].Match = DetectFragBitsMatch;
sigmatch_table[DETECT_FRAGBITS].Setup = DetectFragBitsSetup;
void DetectFragOffsetRegister (void)
{
sigmatch_table[DETECT_FRAGOFFSET].name = "fragoffset";
- sigmatch_table[DETECT_FRAGOFFSET].desc = "match on specific decimal values of the IP fragment offset field";
+ sigmatch_table[DETECT_FRAGOFFSET].desc = "Match on specific decimal values of the IP fragment offset field.";
sigmatch_table[DETECT_FRAGOFFSET].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#fragoffset";
sigmatch_table[DETECT_FRAGOFFSET].Match = DetectFragOffsetMatch;
sigmatch_table[DETECT_FRAGOFFSET].Setup = DetectFragOffsetSetup;
void DetectFtpbounceRegister(void)
{
sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce";
+ sigmatch_table[DETECT_FTPBOUNCE].desc = "Detect FTP bounce attacks.";
sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup;
sigmatch_table[DETECT_FTPBOUNCE].AppLayerTxMatch = DetectFtpbounceALMatch;
sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests;
void DetectGeoipRegister(void)
{
sigmatch_table[DETECT_GEOIP].name = "geoip";
+ sigmatch_table[DETECT_GEOIP].desc = "Match on the source, destination or source and destination IP addresses of network traffic, and to see to which country it belongs.";
+ sigmatch_table[DETECT_GEOIP].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#geoip";
sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetupNoSupport;
sigmatch_table[DETECT_GEOIP].Free = NULL;
sigmatch_table[DETECT_GEOIP].RegisterTests = NULL;
{
/* http_header content modifier */
sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
- sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
+ sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "Content modifier to match only on the HTTP header-buffer.";
sigmatch_table[DETECT_AL_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
#ifdef UNITTESTS
/* http.header sticky buffer */
sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
- sigmatch_table[DETECT_HTTP_HEADER].desc = "sticky buffer to match on the normalized HTTP header-buffer";
- sigmatch_table[DETECT_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header";
+ sigmatch_table[DETECT_HTTP_HEADER].desc = "Sticky buffer to match on the normalized HTTP header-buffer.";
+ sigmatch_table[DETECT_HTTP_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
sigmatch_table[DETECT_HTTP_HEADER].Setup = DetectHttpHeaderSetupSticky;
sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_HTTP_HEADER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
{
/* http_host content modifier */
sigmatch_table[DETECT_AL_HTTP_HOST].name = "http_host";
- sigmatch_table[DETECT_AL_HTTP_HOST].desc = "content modifier to match on the HTTP hostname";
+ sigmatch_table[DETECT_AL_HTTP_HOST].desc = "Content modifier to match on the HTTP hostname.";
+ sigmatch_table[DETECT_AL_HTTP_HOST].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host-and-http-raw-host";
sigmatch_table[DETECT_AL_HTTP_HOST].Setup = DetectHttpHHSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_HTTP_HOST].RegisterTests = DetectHttpHHRegisterTests;
/* http.host sticky buffer */
sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
- sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";
- sigmatch_table[DETECT_HTTP_HOST].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host";
+ sigmatch_table[DETECT_HTTP_HOST].desc = "Sticky buffer to match on the HTTP Host buffer.";
+ sigmatch_table[DETECT_HTTP_HOST].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host-and-http-raw-host";
sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;
sigmatch_table[DETECT_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
/* http_raw_host content modifier */
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].name = "http_raw_host";
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header or the raw hostname from the HTTP uri";
+ sigmatch_table[DETECT_AL_HTTP_RAW_HOST].desc = "Content modifier to match on the HTTP host header or the raw hostname from the HTTP uri.";
+ sigmatch_table[DETECT_AL_HTTP_RAW_HOST].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host-and-http-raw-host";
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
sigmatch_table[DETECT_AL_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;
/* http.host sticky buffer */
sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
- sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";
- sigmatch_table[DETECT_HTTP_HOST_RAW].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host";
+ sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "Sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri.";
+ sigmatch_table[DETECT_HTTP_HOST_RAW].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-host-and-http-raw-host";
sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;
sigmatch_table[DETECT_HTTP_HOST_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
{
/* http_raw_header content modifier */
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].desc = "content modifier to match the raw HTTP header buffer";
+ sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].desc = "Content modifier to match the raw HTTP header buffer.";
+ sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests;
/* http.header.raw sticky buffer */
sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
- sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";
- sigmatch_table[DETECT_HTTP_RAW_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-raw-header";
+ sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "Sticky buffer to match the raw HTTP header buffer.";
+ sigmatch_table[DETECT_HTTP_RAW_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-header-and-http-raw-header";
sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;
sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
/* http.stat_code content modifier */
sigmatch_table[DETECT_HTTP_STAT_CODE].name = "http.stat_code";
sigmatch_table[DETECT_HTTP_STAT_CODE].desc = "sticky buffer to match only on HTTP stat-code-buffer";
- sigmatch_table[DETECT_HTTP_STAT_CODE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-code";
+ sigmatch_table[DETECT_HTTP_STAT_CODE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-code";
sigmatch_table[DETECT_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetupSticky;
sigmatch_table[DETECT_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
{
/* http_stat_msg content modifier */
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
+ sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "Content modifier to match on HTTP stat-msg-buffer.";
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-msg";
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
#ifdef UNITTESTS
/* http.stat_msg sticky buffer */
sigmatch_table[DETECT_HTTP_STAT_MSG].name = "http.stat_msg";
- sigmatch_table[DETECT_HTTP_STAT_MSG].desc = "sticky buffer to match on the HTTP response status message";
- sigmatch_table[DETECT_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
+ sigmatch_table[DETECT_HTTP_STAT_MSG].desc = "Sticky buffer to match on the HTTP response status message.";
+ sigmatch_table[DETECT_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-stat-msg";
sigmatch_table[DETECT_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetupSticky;
sigmatch_table[DETECT_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
{
/* http_uri content modifier */
sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
- sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
+ sigmatch_table[DETECT_AL_HTTP_URI].desc = "Content modifier to match specifically and only on the HTTP uri-buffer.";
sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
#ifdef UNITTESTS
/* http.uri sticky buffer */
sigmatch_table[DETECT_HTTP_URI].name = "http.uri";
sigmatch_table[DETECT_HTTP_URI].alias = "http.uri.normalized";
- sigmatch_table[DETECT_HTTP_URI].desc = "sticky buffer to match specifically and only on the normalized HTTP URI buffer";
- sigmatch_table[DETECT_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
+ sigmatch_table[DETECT_HTTP_URI].desc = "Sticky buffer to match specifically and only on the normalized HTTP URI buffer.";
+ sigmatch_table[DETECT_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
sigmatch_table[DETECT_HTTP_URI].Setup = DetectHttpUriSetupSticky;
sigmatch_table[DETECT_HTTP_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
/* http_raw_uri content modifier */
sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
+ sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "Content modifier to match on the raw HTTP uri.";
sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";
sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
/* http.uri.raw sticky buffer */
sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
- sigmatch_table[DETECT_HTTP_URI_RAW].desc = "sticky buffer to match specifically and only on the raw HTTP URI buffer";
- sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
+ sigmatch_table[DETECT_HTTP_URI_RAW].desc = "Sticky buffer to match specifically and only on the raw HTTP URI buffer.";
+ sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
sigmatch_table[DETECT_HTTP_URI_RAW].Setup = DetectHttpRawUriSetupSticky;
sigmatch_table[DETECT_HTTP_URI_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
void DetectIcmpIdRegister (void)
{
sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
- sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP id";
+ sigmatch_table[DETECT_ICMP_ID].desc = "Check for a ICMP ID.";
sigmatch_table[DETECT_ICMP_ID].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-id";
sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
void DetectIcmpSeqRegister (void)
{
sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq";
- sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number";
+ sigmatch_table[DETECT_ICMP_SEQ].desc = "Check for a ICMP sequence number.";
sigmatch_table[DETECT_ICMP_SEQ].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-seq";
sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch;
sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup;
void DetectICodeRegister (void)
{
sigmatch_table[DETECT_ICODE].name = "icode";
- sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value";
+ sigmatch_table[DETECT_ICODE].desc = "Match on specific ICMP id-value.";
sigmatch_table[DETECT_ICODE].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icode";
sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch;
sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup;
void DetectIpOptsRegister (void)
{
sigmatch_table[DETECT_IPOPTS].name = "ipopts";
- sigmatch_table[DETECT_IPOPTS].desc = "check if a specific IP option is set";
+ sigmatch_table[DETECT_IPOPTS].desc = "Check if a specific IP option is set.";
sigmatch_table[DETECT_IPOPTS].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#ipopts";
sigmatch_table[DETECT_IPOPTS].Match = DetectIpOptsMatch;
sigmatch_table[DETECT_IPOPTS].Setup = DetectIpOptsSetup;
void DetectIPRepRegister (void)
{
sigmatch_table[DETECT_IPREP].name = "iprep";
+ sigmatch_table[DETECT_IPREP].desc = "Match on the IP reputation information for a host.";
+ sigmatch_table[DETECT_IPREP].url = DOC_URL DOC_VERSION "/rules/ip-reputation-rules.html#iprep";
sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree;
void DetectITypeRegister (void)
{
sigmatch_table[DETECT_ITYPE].name = "itype";
- sigmatch_table[DETECT_ITYPE].desc = "matching on a specific ICMP type";
+ sigmatch_table[DETECT_ITYPE].desc = "Match on a specific ICMP type.";
sigmatch_table[DETECT_ITYPE].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#itype";
sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch;
sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup;
{
sigmatch_table[DETECT_AL_KRB5_CNAME].name = "krb5.cname";
sigmatch_table[DETECT_AL_KRB5_CNAME].alias = "krb5_cname";
+ sigmatch_table[DETECT_AL_KRB5_CNAME].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5-cname";
sigmatch_table[DETECT_AL_KRB5_CNAME].Setup = DetectKrb5CNameSetup;
sigmatch_table[DETECT_AL_KRB5_CNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- sigmatch_table[DETECT_AL_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name";
+ sigmatch_table[DETECT_AL_KRB5_CNAME].desc = "Sticky buffer to match on Kerberos 5 client name.";
DetectAppLayerMpmRegister2("krb5_cname", SIG_FLAG_TOCLIENT, 2,
PrefilterMpmKrb5CNameRegister, NULL,
*/
void DetectKrb5ErrCodeRegister(void) {
sigmatch_table[DETECT_AL_KRB5_ERRCODE].name = "krb5_err_code";
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].desc = "match Kerberos 5 message type";
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5_err_code";
+ sigmatch_table[DETECT_AL_KRB5_ERRCODE].desc = "Match Kerberos 5 error code.";
+ sigmatch_table[DETECT_AL_KRB5_ERRCODE].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5-err-code";
sigmatch_table[DETECT_AL_KRB5_ERRCODE].Match = NULL;
sigmatch_table[DETECT_AL_KRB5_ERRCODE].AppLayerTxMatch = DetectKrb5ErrCodeMatch;
sigmatch_table[DETECT_AL_KRB5_ERRCODE].Setup = DetectKrb5ErrCodeSetup;
*/
void DetectKrb5MsgTypeRegister(void) {
sigmatch_table[DETECT_AL_KRB5_MSGTYPE].name = "krb5_msg_type";
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].desc = "match Kerberos 5 message type";
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5_msg_type";
+ sigmatch_table[DETECT_AL_KRB5_MSGTYPE].desc = "Match Kerberos 5 message type.";
+ sigmatch_table[DETECT_AL_KRB5_MSGTYPE].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5-msg-type";
sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Match = NULL;
sigmatch_table[DETECT_AL_KRB5_MSGTYPE].AppLayerTxMatch = DetectKrb5MsgTypeMatch;
sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Setup = DetectKrb5MsgTypeSetup;
{
sigmatch_table[DETECT_AL_KRB5_SNAME].name = "krb5.sname";
sigmatch_table[DETECT_AL_KRB5_SNAME].alias = "krb5_sname";
+ sigmatch_table[DETECT_AL_KRB5_SNAME].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5-sname";
sigmatch_table[DETECT_AL_KRB5_SNAME].Setup = DetectKrb5SNameSetup;
sigmatch_table[DETECT_AL_KRB5_SNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- sigmatch_table[DETECT_AL_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name";
+ sigmatch_table[DETECT_AL_KRB5_SNAME].desc = "Sticky buffer to match on Kerberos 5 server name.";
DetectAppLayerMpmRegister2("krb5_sname", SIG_FLAG_TOCLIENT, 2,
PrefilterMpmKrb5SNameRegister, NULL,
{
sigmatch_table[DETECT_LUA].name = "lua";
sigmatch_table[DETECT_LUA].alias = "luajit";
+ sigmatch_table[DETECT_LUA].desc = "Support for lua scripting.";
+ sigmatch_table[DETECT_LUA].url = DOC_URL DOC_VERSION "/rules/rule-lua-scripting.html";
sigmatch_table[DETECT_LUA].Setup = DetectLuaSetupNoSupport;
sigmatch_table[DETECT_LUA].Free = NULL;
sigmatch_table[DETECT_LUA].RegisterTests = NULL;
void DetectMetadataRegister (void)
{
sigmatch_table[DETECT_METADATA].name = "metadata";
- sigmatch_table[DETECT_METADATA].desc = "used by suricata for logging";
+ sigmatch_table[DETECT_METADATA].desc = "Used for logging.";
sigmatch_table[DETECT_METADATA].url = DOC_URL DOC_VERSION "/rules/meta.html#metadata";
sigmatch_table[DETECT_METADATA].Match = NULL;
sigmatch_table[DETECT_METADATA].Setup = DetectMetadataSetup;
{
SCEnter();
sigmatch_table[DETECT_AL_MODBUS].name = "modbus";
+ sigmatch_table[DETECT_AL_MODBUS].desc = "Match on various properties of Modbus requests.";
+ sigmatch_table[DETECT_AL_MODBUS].url = DOC_URL DOC_VERSION "/rules/modbus-keyword.html#modbus-keyword";
sigmatch_table[DETECT_AL_MODBUS].Match = NULL;
sigmatch_table[DETECT_AL_MODBUS].Setup = DetectModbusSetup;
sigmatch_table[DETECT_AL_MODBUS].Free = DetectModbusFree;
void DetectMsgRegister (void)
{
sigmatch_table[DETECT_MSG].name = "msg";
- sigmatch_table[DETECT_MSG].desc = "information about the rule and the possible alert";
+ sigmatch_table[DETECT_MSG].desc = "Information about the rule and the possible alert.";
sigmatch_table[DETECT_MSG].url = DOC_URL DOC_VERSION "/rules/meta.html#msg-message";
sigmatch_table[DETECT_MSG].Match = NULL;
sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;
void DetectNoalertRegister (void)
{
sigmatch_table[DETECT_NOALERT].name = "noalert";
+ sigmatch_table[DETECT_NOALERT].desc = "No alert will be generated by the rule.";
+ sigmatch_table[DETECT_NOALERT].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html";
sigmatch_table[DETECT_NOALERT].Match = NULL;
sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
sigmatch_table[DETECT_NOALERT].Free = NULL;
void DetectPcreRegister (void)
{
sigmatch_table[DETECT_PCRE].name = "pcre";
- sigmatch_table[DETECT_PCRE].desc = "match on regular expression";
+ sigmatch_table[DETECT_PCRE].desc = "Match on regular expression.";
sigmatch_table[DETECT_PCRE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions";
sigmatch_table[DETECT_PCRE].Match = NULL;
sigmatch_table[DETECT_PCRE].Setup = DetectPcreSetup;
void DetectPrefilterRegister(void)
{
sigmatch_table[DETECT_PREFILTER].name = "prefilter";
- sigmatch_table[DETECT_PREFILTER].desc = "force a condition to be used as prefilter";
- sigmatch_table[DETECT_PREFILTER].url = "/rules/prefilter-keywords.html#prefilter";
+ sigmatch_table[DETECT_PREFILTER].desc = "Force a condition to be used as prefilter.";
+ sigmatch_table[DETECT_PREFILTER].url = DOC_URL DOC_VERSION "/rules/prefilter-keywords.html#prefilter";
sigmatch_table[DETECT_PREFILTER].Match = NULL;
sigmatch_table[DETECT_PREFILTER].Setup = DetectPrefilterSetup;
sigmatch_table[DETECT_PREFILTER].Free = NULL;
void DetectPriorityRegister (void)
{
sigmatch_table[DETECT_PRIORITY].name = "priority";
- sigmatch_table[DETECT_PRIORITY].desc = "rules with a higher priority will be examined first";
+ sigmatch_table[DETECT_PRIORITY].desc = "Rules with a higher priority will be examined first.";
sigmatch_table[DETECT_PRIORITY].url = DOC_URL DOC_VERSION "/rules/meta.html#priority";
sigmatch_table[DETECT_PRIORITY].Match = NULL;
sigmatch_table[DETECT_PRIORITY].Setup = DetectPrioritySetup;
void DetectReferenceRegister(void)
{
sigmatch_table[DETECT_REFERENCE].name = "reference";
- sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
+ sigmatch_table[DETECT_REFERENCE].desc = "Direct to places where information about the rule can be found.";
sigmatch_table[DETECT_REFERENCE].url = DOC_URL DOC_VERSION "/rules/meta.html#reference";
sigmatch_table[DETECT_REFERENCE].Match = NULL;
sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
void DetectReplaceRegister (void)
{
sigmatch_table[DETECT_REPLACE].name = "replace";
+ sigmatch_table[DETECT_REPLACE].desc = "Only to be used in IPS-mode. Change the following content into another.";
+ sigmatch_table[DETECT_REPLACE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#replace";
sigmatch_table[DETECT_REPLACE].Match = DetectReplacePostMatch;
sigmatch_table[DETECT_REPLACE].Setup = DetectReplaceSetup;
sigmatch_table[DETECT_REPLACE].Free = NULL;
void DetectRevRegister (void)
{
sigmatch_table[DETECT_REV].name = "rev";
- sigmatch_table[DETECT_REV].desc = "set version of the rule";
+ sigmatch_table[DETECT_REV].desc = "Set version of the rule.";
sigmatch_table[DETECT_REV].url = DOC_URL DOC_VERSION "/rules/meta.html#rev-revision";
sigmatch_table[DETECT_REV].Match = NULL;
sigmatch_table[DETECT_REV].Setup = DetectRevSetup;
void DetectSidRegister (void)
{
sigmatch_table[DETECT_SID].name = "sid";
- sigmatch_table[DETECT_SID].desc = "set rule id";
+ sigmatch_table[DETECT_SID].desc = "Set rule ID.";
sigmatch_table[DETECT_SID].url = DOC_URL DOC_VERSION "/rules/meta.html#sid-signature-id";
sigmatch_table[DETECT_SID].Match = NULL;
sigmatch_table[DETECT_SID].Setup = DetectSidSetup;
{
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].name = "snmp.community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].desc =
- "SNMP content modififier to match on the SNMP community";
+ "SNMP content modifier to match on the SNMP community.";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].Setup =
DetectSNMPCommunitySetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].RegisterTests = DetectSNMPCommunityRegisterTests;
#endif
- sigmatch_table[DETECT_AL_SNMP_COMMUNITY].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.community";
+ sigmatch_table[DETECT_AL_SNMP_COMMUNITY].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp-community";
sigmatch_table[DETECT_AL_SNMP_COMMUNITY].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
void DetectSNMPPduTypeRegister(void)
{
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].name = "snmp.pdu_type";
- sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].desc = "match SNMP Pdu type";
- sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.pdu_type";
+ sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].desc = "Match SNMP PDU type.";
+ sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp-pdu-type";
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Match = NULL;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].AppLayerTxMatch = DetectSNMPPduTypeMatch;
sigmatch_table[DETECT_AL_SNMP_PDU_TYPE].Setup = DetectSNMPPduTypeSetup;
void DetectSNMPVersionRegister (void)
{
sigmatch_table[DETECT_AL_SNMP_VERSION].name = "snmp.version";
- sigmatch_table[DETECT_AL_SNMP_VERSION].desc = "match SNMP version";
- sigmatch_table[DETECT_AL_SNMP_VERSION].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp.version";
+ sigmatch_table[DETECT_AL_SNMP_VERSION].desc = "Match SNMP version.";
+ sigmatch_table[DETECT_AL_SNMP_VERSION].url = DOC_URL DOC_VERSION "/rules/snmp-keywords.html#snmp-version";
sigmatch_table[DETECT_AL_SNMP_VERSION].Match = NULL;
sigmatch_table[DETECT_AL_SNMP_VERSION].AppLayerTxMatch = DetectSNMPVersionMatch;
sigmatch_table[DETECT_AL_SNMP_VERSION].Setup = DetectSNMPVersionSetup;
void DetectSslStateRegister(void)
{
sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
+ sigmatch_table[DETECT_AL_SSL_STATE].desc = "Match the state of the SSL connection.";
+ sigmatch_table[DETECT_AL_SSL_STATE].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#ssl-state";
sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
void DetectSslVersionRegister(void)
{
sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
+ sigmatch_table[DETECT_AL_SSL_VERSION].desc = "Match version of SSL/TLS record.";
+ sigmatch_table[DETECT_AL_SSL_VERSION].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#ssl-version";
sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
{
sigmatch_table[DETECT_ACK].name = "tcp.ack";
sigmatch_table[DETECT_ACK].alias = "ack";
- sigmatch_table[DETECT_ACK].desc = "check for a specific TCP acknowledgement number";
+ sigmatch_table[DETECT_ACK].desc = "Check for a specific TCP acknowledgement number.";
sigmatch_table[DETECT_ACK].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#ack";
sigmatch_table[DETECT_ACK].Match = DetectAckMatch;
sigmatch_table[DETECT_ACK].Setup = DetectAckSetup;
{
sigmatch_table[DETECT_SEQ].name = "tcp.seq";
sigmatch_table[DETECT_SEQ].alias = "seq";
- sigmatch_table[DETECT_SEQ].desc = "check for a specific TCP sequence number";
+ sigmatch_table[DETECT_SEQ].desc = "Check for a specific TCP sequence number.";
sigmatch_table[DETECT_SEQ].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#seq";
sigmatch_table[DETECT_SEQ].Match = DetectSeqMatch;
sigmatch_table[DETECT_SEQ].Setup = DetectSeqSetup;
{
sigmatch_table[DETECT_WINDOW].name = "tcp.window";
sigmatch_table[DETECT_WINDOW].alias = "window";
- sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size";
+ sigmatch_table[DETECT_WINDOW].desc = "Check for a specific TCP window size.";
sigmatch_table[DETECT_WINDOW].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#window";
sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
void DetectThresholdRegister(void)
{
sigmatch_table[DETECT_THRESHOLD].name = "threshold";
- sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
+ sigmatch_table[DETECT_THRESHOLD].desc = "Control the rule's alert frequency.";
sigmatch_table[DETECT_THRESHOLD].url = DOC_URL DOC_VERSION "/rules/thresholding.html#threshold";
sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
void DetectTosRegister(void)
{
sigmatch_table[DETECT_TOS].name = "tos";
+ sigmatch_table[DETECT_TOS].desc = "Match on specific decimal values of the IP header TOS field.";
sigmatch_table[DETECT_TOS].Match = DetectTosMatch;
sigmatch_table[DETECT_TOS].Setup = DetectTosSetup;
sigmatch_table[DETECT_TOS].Free = DetectTosFree;
{
sigmatch_table[DETECT_TRANSFORM_MD5].name = "to_md5";
sigmatch_table[DETECT_TRANSFORM_MD5].desc =
- "convert to md5 hash of the buffer";
+ "Convert to md5 hash of the buffer.";
sigmatch_table[DETECT_TRANSFORM_MD5].url =
- DOC_URL DOC_VERSION "/rules/transforms.html#to_sha256";
+ DOC_URL DOC_VERSION "/rules/transforms.html#to-md5";
sigmatch_table[DETECT_TRANSFORM_MD5].Setup =
DetectTransformToMd5Setup;
#ifdef HAVE_NSS
{
sigmatch_table[DETECT_TRANSFORM_SHA1].name = "to_sha1";
sigmatch_table[DETECT_TRANSFORM_SHA1].desc =
- "convert to sha1 hash of the buffer";
+ "Convert to sha1 hash of the buffer.";
sigmatch_table[DETECT_TRANSFORM_SHA1].url =
- DOC_URL DOC_VERSION "/rules/transforms.html#to_sha1";
+ DOC_URL DOC_VERSION "/rules/transforms.html#to-sha1";
sigmatch_table[DETECT_TRANSFORM_SHA1].Setup =
DetectTransformToSha1Setup;
#ifdef HAVE_NSS
void DetectTtlRegister(void)
{
sigmatch_table[DETECT_TTL].name = "ttl";
- sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
+ sigmatch_table[DETECT_TTL].desc = "Check for a specific IP time-to-live value.";
sigmatch_table[DETECT_TTL].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#ttl";
sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
void DetectUricontentRegister (void)
{
sigmatch_table[DETECT_URICONTENT].name = "uricontent";
+ sigmatch_table[DETECT_URICONTENT].desc = "Legacy keyword to match on the request URI buffer.";
+ sigmatch_table[DETECT_URICONTENT].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#uricontent";
sigmatch_table[DETECT_URICONTENT].Match = NULL;
sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
projects / thirdparty / suricata.git / commitdiff
