From: jason taylor Date: Fri, 29 Dec 2023 11:45:03 +0000 (+0000) Subject: doc: add http keyword links X-Git-Tag: suricata-8.0.0-beta1~1556 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0cce5ba44789c888ece23b0ea686be58b953b23d;p=thirdparty%2Fsuricata.git doc: add http keyword links ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index b0d8c62230..d3ff6418e0 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -55,39 +55,35 @@ Example signature that would alert on the above response. classtype:bad-unknown; sid:30; rev:1;) Request Keywords: - * http.uri - * http.uri.raw - * http.method - * http.request_line - * http.request_body - * http.cookie - * http.user_agent - * http.host - * http.host.raw - * http.accept - * http.accept_lang - * http.accept_enc - * http.referer - * file.name + * :ref:`http.uri` + * :ref:`http.method` + * :ref:`http.request_line` + * :ref:`http.request_body` + * :ref:`http.user_agent` + * :ref:`http.host` + * :ref:`http.accept` + * :ref:`http.accept_lang` + * :ref:`http.accept_enc` + * :ref:`http.referer` + * :ref:`file.name` Response Keywords: - * http.stat_msg - * http.stat_code - * http.response_line - * http.response_body - * http.server - * http.location + * :ref:`http.stat_msg` + * :ref:`http.stat_code` + * :ref:`http.response_line` + * :ref:`http.response_body` + * :ref:`http.server` + * :ref:`http.location` Request or Response Keywords: - * file.data - * http.content_type - * http.content_len - * http.start - * http.protocol - * http.header_names - * http.header - * http.header.raw - * http.cookie + * :ref:`file.data` + * :ref:`http.content_type` + * :ref:`http.content_len` + * :ref:`http.start` + * :ref:`http.protocol` + * :ref:`http.header_names` + * :ref:`http.header` + * :ref:`http.cookie` Although cookies are sent in an HTTP header, you can not match on them with the ``http.header`` keyword. Cookies are matched with their own @@ -104,6 +100,8 @@ relative modifiers, so they may only be used within the same buffer. You can not relate content matches against different buffers with relative modifiers. +.. _http.method: + http.method ----------- @@ -123,6 +121,10 @@ Example of the purpose of method: .. _rules-http-uri-normalization: +.. _http.uri: + +.. _http.uri.raw: + http.uri and http.uri.raw ------------------------- 
@@ -176,6 +178,8 @@ When authoring new rules, it is recommended that the ``http.uri`` content sticky buffer be used rather than the deprecated ``uricontent`` keyword. +.. _urilen: + urilen ------ @@ -208,6 +212,8 @@ Example of ``urilen`` in a signature: You can also append ``norm`` or ``raw`` to define what sort of buffer you want to use (normalized or raw buffer). +.. _http.protocol: + http.protocol ------------- @@ -225,6 +231,8 @@ Example:: alert http any any -> any any (flow:to_server; http.protocol; content:"HTTP/1.0"; sid:1;) +.. _http.request_line: + http.request_line ----------------- @@ -234,6 +242,10 @@ Example:: alert http any any -> any any (http.request_line; content:"GET / HTTP/1.0"; sid:1;) +.. _http.header: + +.. _http.header.raw: + http.header and http.header.raw ------------------------------- @@ -260,7 +272,7 @@ Example of a header in a HTTP request: Example of the purpose of ``http.header``: - +.. _http.cookie: http.cookie ----------- @@ -294,6 +306,8 @@ Example ``http.cookie`` keyword in a signature: content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123; rev:1;) +.. _http.user_agent: + http.user_agent --------------- @@ -351,6 +365,8 @@ Notes - `https://blog.inliniac.net/2012/07/09/suricata-http\_user\_agent-vs-http\_header/ `_ +.. _http.accept: + http.accept ----------- @@ -361,6 +377,8 @@ Example:: alert http any any -> any any (http.accept; content:"image/gif"; sid:1;) +.. _http.accept_enc: + http.accept_enc --------------- @@ -371,6 +389,7 @@ Example:: alert http any any -> any any (http.accept_enc; content:"gzip"; sid:1;) +.. _http.accept_lang: http.accept_lang ---------------- @@ -382,6 +401,7 @@ Example:: alert http any any -> any any (http.accept_lang; content:"en-us"; sid:1;) +.. _http.connection: http.connection --------------- @@ -393,6 +413,7 @@ Example:: alert http any any -> any any (http.connection; content:"keep-alive"; sid:1;) +.. _http.content_type: http.content_type ----------------- 
@@ -410,6 +431,7 @@ Examples:: alert http any any -> any any (flow:to_client; \ http.content_type; content:"text/javascript"; sid:2;) +.. _http.content_len: http.content_len ---------------- @@ -434,6 +456,8 @@ Example, match if C-L is equal to or bigger than 8079:: alert http any any -> any any (flow:to_client; \ http.content_len; byte_test:0,>=,8079,0,string,dec; sid:3;) +.. _http.referer: + http.referer --------------- @@ -444,6 +468,8 @@ Example:: alert http any any -> any any (http.referer; content:".php"; sid:1;) +.. _http.start: + http.start ---------- @@ -458,6 +484,8 @@ Example:: The buffer contains the normalized headers and is terminated by an extra \\r\\n to indicate the end of the headers. +.. _http.header_names: + http.header_names ----------------- @@ -491,6 +519,8 @@ Example to make sure *User-Agent* is after *Host*, but not necessarily directly content:"|0d 0a|Host|0d 0a|"; content:"|0a 0d|User-Agent|0d 0a|"; \ distance:-2; sid:1;) +.. _http.request_body: + http.request_body ----------------- @@ -513,6 +543,8 @@ setting. +to use the previous name, but it's recommended that rules be converted to use +the new name. +.. _http.stat_code: + http.stat_code -------------- @@ -526,6 +558,7 @@ Example of ``http.stat_code`` in a HTTP response: Example of the purpose of ``http.stat_code``: +.. _http.stat_msg: http.stat_msg ------------- @@ -540,6 +573,7 @@ Example of ``http.stat_msg`` in a HTTP response: Example of the purpose of ``http.stat_msg``: +.. _http.response_line: http.response_line ------------------ @@ -550,6 +584,8 @@ Example:: alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;) +.. _http.response_body: + http.response_body ------------------ @@ -586,6 +622,8 @@ Notes +to use the previous name, but it's recommended that rules be converted to use +the new name. +.. _http.server: + http.server ----------- 
@@ -597,6 +635,8 @@ Example:: alert http any any -> any any (flow:to_client; \ http.server; content:"Microsoft-IIS/6.0"; sid:1;) +.. _http.location: + http.location ------------- @@ -608,6 +648,10 @@ Example:: alert http any any -> any any (flow:to_client; \ http.location; content:"http://www.google.com"; sid:1;) +.. _http.host: + +.. _http.host.raw: + http.host and http.host.raw --------------------------- @@ -621,6 +665,8 @@ like ``distance``, ``offset``, ``within``, etc. The ``nocase`` keyword is not allowed anymore. Keep in mind that you need to specify a lowercase pattern. +.. _http.request_header: + http.request_header ------------------- @@ -639,6 +685,7 @@ Examples:: ``http.request_header`` can be used as ``fast_pattern``. +.. _http.response_header: http.response_header -------------------- @@ -710,6 +757,8 @@ Notes - Corresponding PCRE modifier (``http_host``): ``W`` - Corresponding PCRE modifier (``http_raw_host``): ``Z`` +.. _file.data: + file.data --------- @@ -781,6 +830,8 @@ Multiple Buffer Matching ``file.data`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. +.. _file.name: + file.name ---------
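Review bot: the first hunk (the keyword lists under "Request Keywords" / "Request or Response Keywords") drops `http.uri.raw`, `http.host.raw` and `http.header.raw` (and `http.cookie` from the Request list) while the commit message only says links are being added. The same patch adds `.. _http.uri.raw:`, `.. _http.host.raw:` and `.. _http.header.raw:` labels further down, so those entries can stay in the lists as `* :ref:`http.uri.raw`` and so on instead of being removed; if dropping them is intended (for example because `:ref:` to a shared section such as "http.uri and http.uri.raw" renders the full title either way), say so in the commit message.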
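Review bot: several of the new labels are inserted in place of the blank line that preceded the heading, so the target is immediately followed by the section title with nothing in between: `http.cookie` (hunk `@@ -260,7 +272,7 @@`), `http.accept_lang`, `http.connection`, `http.content_type`, `http.content_len`, `http.stat_msg`, `http.response_line` and `http.response_header` (the `+7` hunks). docutils ends an explicit-markup block only on a blank line and emits "Explicit markup ends without a blank line; unexpected unindent." for these, which turns a `-W` (warnings as errors) Sphinx build into a failure. The other hunks do it right (`+.. _http.referer:` followed by a blank `+` line), so add the blank line after each of those labels for consistency.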
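Review bot: the labels `urilen`, `http.connection`, `http.request_header` and `http.response_header` are added but nothing in the patch references them, and those keywords are not in the Request/Response/Either lists that the first hunk rewrites; either add them to the list they belong in as `:ref:` links or leave the labels out. Separately, these bare label names (`file.data`, `file.name`, `http.header`, ...) are global across the whole Sphinx project rather than per-file, so run a full doc build and check for "duplicate label" warnings; a prefixed form like the existing `rules-http-uri-normalization` label visible in the `http.uri` hunk would avoid collisions with labels in other pages.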
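Review bot: the context lines around the new `.. _http.stat_code:` and `.. _http.server:` labels show pre-existing source lines that begin with a literal `+` (`+to use the previous name, but it's recommended that rules be converted to use` / `+the new name.`), which look like diff markers left behind by an earlier commit and render as stray plus signs in the Notes text. Since this patch already edits the lines next to them, dropping those leading `+` characters would be a cheap drive-by fix, or it can go in a follow-up commit.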