From: Juliana Fajardini Date: Wed, 24 Jan 2024 15:00:41 +0000 (-0300) Subject: userguide: fix explanation about bsize ranges X-Git-Tag: suricata-7.0.4~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2efde5b87fc3f3d8d003a1c6235428f6cdb9b324;p=thirdparty%2Fsuricata.git userguide: fix explanation about bsize ranges Our code handles Uint ranges as exclusive, but for bsize, our documentation stated that they're inclusive. Cf. from uint.rs: DetectUintMode::DetectUintModeRange => { if val > x.arg1 && val < x.arg2 { return true; } } Task #6708 (cherry picked from commit 244a35d539989c00eb5cbac86e7355227cd9da03) --- diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 9a609a217f..086e11c58f 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -282,7 +282,7 @@ precision to the content match, previously this could have been done with ``isda An optional operator can be specified; if no operator is present, the operator will default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range), -the bsize value will be compared using the relational operator. Ranges are inclusive. +the bsize value will be compared using the relational operator. Ranges are exclusive. If one or more ``content`` keywords precedes ``bsize``, each occurrence of ``content`` will be inspected and an error will be raised if the content length and the bsize @@ -325,6 +325,9 @@ Examples of ``bsize`` in a rule: alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"middle"; bsize:6<>15; sid:126; rev:1;) +To emphasize how range works: in the example above, a match will occur if +``bsize`` is greater than 6 and less than 15. + dsize -----
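Review bot: In the first hunk (payload-keywords.rst, @@ -282,7), the replacement sentence "Ranges are exclusive." does not say that both endpoints are excluded, and the paragraph only becomes unambiguous once the reader reaches the clarification added some forty lines later. Suggest spelling it out where the '<>' operator is introduced, for example "Ranges are exclusive: the value must be greater than the lower bound and less than the upper bound", which mirrors the "val > x.arg1 && val < x.arg2" check quoted in the commit message. Since the previous text said "inclusive", a short remark that the two boundary values themselves do not match would help anyone who wrote rules against the old wording.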
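Review bot: In the second hunk (@@ -325,6), the added sentence refers to "the example above", but it sits under the plural heading "Examples of ``bsize`` in a rule:", so which rule is meant is left to the reader; name it instead, e.g. "in the rule using ``bsize:6<>15``". The sentence also says a match occurs if "``bsize`` is greater than 6 and less than 15", where what is compared is the size of the buffer rather than the keyword. Wording such as "if the buffer size is greater than 6 and less than 15, that is, 7 to 14 bytes" would state the endpoints without leaving room for an off-by-one reading.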