From: Jeff Lucovsky Date: Tue, 2 Aug 2022 15:12:02 +0000 (-0400) Subject: doc/byte_math: Add byte_math differences with snort X-Git-Tag: suricata-7.0.0-beta1~179 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33c424f9ed60a93e0847c7cddac555a52fa92a6f;p=thirdparty%2Fsuricata.git doc/byte_math: Add byte_math differences with snort Issue: 5077 --- diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 0d2e65a64d..8226e3a7e8 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -263,6 +263,20 @@ See :doc:`http-keywords` for all HTTP keywords. use ``byte_extract`` and ``byte_test`` to verify that they work as expected. +``byte_math`` Keyword +--------------------- + +- Suricata accepts ``dce`` as an endian value or as a separate keyword. + ``endian dce`` or ``dce`` are equivalent. + +- Suricata's rule parser rejects rules that repeat keywords in a single + rule. E.g., ``byte_math: endian big, endian little``. + +- Suricata's rule parser accepts ``rvalue`` values of ``0`` to the maximum + uint32 value. Snort rejects ``rvalue`` values of ``0`` and requires + values to be between ``[1..max-uint32 value]``. + + ``isdataat`` Keyword --------------------
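Review bot: The second added bullet says the parser "rejects rules that repeat keywords in a single rule", but its example, ``byte_math: endian big, endian little``, repeats an option inside one ``byte_math`` rather than a rule keyword. Read literally, the sentence implies a rule could not use the same keyword twice. Suggest wording along the lines of "rejects a ``byte_math`` keyword that repeats an option, e.g. ``endian big, endian little``". The section is about differences from Snort, yet the first two bullets state only Suricata's behaviour; add what Snort does in each case (as the ``rvalue`` bullet already does) so a rule writer porting signatures can tell which side is stricter. In the ``rvalue`` bullet, ``[1..max-uint32 value]`` places prose inside literal markup and "between" is redundant next to a bracketed range; "requires values in the range 1 to the maximum uint32 value" would match the phrasing of the preceding sentence.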