From: Victor Julien Date: Fri, 21 Jun 2019 09:10:13 +0000 (+0200) Subject: doc: add tcp.hdr and udp.hdr X-Git-Tag: suricata-5.0.0-rc1~236 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=034555644bfe977db85bfd1363ee24da63951b58;p=thirdparty%2Fsuricata.git doc: add tcp.hdr and udp.hdr --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index c53f870c9e..6aab877a8f 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -346,6 +346,42 @@ Example rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (flow:stateless; flags:S,12; :example-rule-emphasis:`tcp.mss:<536;` sid:1234; rev:5;) +tcp.hdr +^^^^^^^ + +Sticky buffer to match on the whole TCP header. + +Example rule: + +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:S,12; :example-rule-emphasis:`tcp.hdr; content:"|02 04|"; offset:20; byte_test:2,<,536,0,big,relative;` sid:1234; rev:5;) + +This example starts looking after the fixed portion of the header, so +into the variable sized options. There it will look for the MSS option +(type 2, option len 4) and using a byte_test determine if the value of +the option is lower than 536. The `tcp.mss` option will be more efficient, +so this keyword is meant to be used in cases where no specific keyword +is available. + +UDP keywords +------------ + +udp.hdr +^^^^^^^ + +Sticky buffer to match on the whole UDP header. + +Example rule: + +.. container:: example-rule + + alert udp any any -> any any (:example-rule-emphasis:`udp.hdr; content:"|00 08|"; offset:4; depth:2;` sid:1234; rev:5;) + +This example matches on the length field of the UDP header. In this +case the length of 8 means that there is no payload. This can also +be matched using `dsize:0;`. + ICMP keywords -------------
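Review bot: the tcp.hdr example and its explanation overstate what the rule checks: `content:"|02 04|"; offset:20;` has no `depth` bound, so the two bytes can match anywhere in the options area, including inside the value of a different option, and the `byte_test` would then read two arbitrary bytes rather than the MSS value. The text after the example should say that the match is a byte-pattern heuristic over the unparsed options, not a real MSS option lookup, and that `tcp.mss` is preferable for accuracy as well as efficiency; the sentence "so into the variable sized options. There it will look for the MSS option (type 2, option len 4)" also reads awkwardly and would be clearer as "so it searches only the variable-sized options area, looking for the MSS option (kind 2, length 4)". For the udp.hdr paragraph, consider stating that `offset:4; depth:2;` selects exactly the 16-bit length field (bytes 4 and 5 of the header), since that is the reason the value 8 means an empty datagram.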