From: Ralph Broenink Date: Sat, 14 Oct 2017 09:43:58 +0000 (+0200) Subject: doc: Use lowercased keyword names as section titles X-Git-Tag: suricata-4.1.0-beta1~510 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3413793768ee5a12019f12609b9460c26bb0d52f;p=thirdparty%2Fsuricata.git doc: Use lowercased keyword names as section titles --- diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst index f9f354539b..07cfbb33da 100644 --- a/doc/userguide/rules/flow-keywords.rst +++ b/doc/userguide/rules/flow-keywords.rst @@ -1,7 +1,7 @@ Flow Keywords ============= -Flowbits +flowbits ~~~~~~~~ Flowbits consists of two parts. The first part describes the action it @@ -49,7 +49,7 @@ will be generated. It is possible to use flowbits several times in a rule and combine the different functions. -Flow +flow ~~~~ The flow keyword can be used to match on direction of the flow, so to/from @@ -102,7 +102,7 @@ The determination of *established* depends on the protocol: .. image:: flow-keywords/Flow2.png -Flowint +flowint ~~~~~~~ For information, read the information on the :doc:`flowint` page. diff --git a/doc/userguide/rules/flowint.rst b/doc/userguide/rules/flowint.rst index aefe01a478..8fb331d2a6 100644 --- a/doc/userguide/rules/flowint.rst +++ b/doc/userguide/rules/flowint.rst @@ -1,4 +1,4 @@ -Flowint +flowint ======= Flowint is a precursor to the Global Variables task we will be adding diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index 1e453863f5..a7fd838282 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst 
@@ -32,7 +32,7 @@ Example of the ttl keyword in a rule: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;) -Ipopts +ipopts ^^^^^^ With the ipopts keyword you can check if a specific ip option is @@ -114,7 +114,7 @@ The named variante of that example would be:: ip_proto:PIM -Id +id ^^ With the id keyword, you can match on a specific IP ID value. The ID @@ -136,7 +136,7 @@ Example of id in a rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;) -Geoip +geoip ^^^^^ The geoip keyword enables (you) to match on the source, destination or @@ -167,7 +167,7 @@ libgeoip must be compiled in. Fragments --------- -Fragbits +fragbits ^^^^^^^^ With the fragbits keyword, you can check if the fragmentation and @@ -202,7 +202,7 @@ Example of fragbits in a rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) -Fragoffset +fragoffset ^^^^^^^^^^ With the fragoffset keyword you can match on specific decimal values diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 1feee768c2..849a9542cd 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst 
@@ -37,7 +37,7 @@ In this example the red, bold-faced part is the msg. .. note:: The following characters must be escaped inside the msg: ``;`` ``\`` ``"`` -Sid (signature id) +sid (signature ID) ------------------ The keyword sid gives every signature its own id. This id is stated with a number. @@ -56,7 +56,7 @@ Example of sid in a signature: In this example the red, bold-faced part is the sid. -Rev (Revision) +rev (Revision) -------------- The sid keyword is almost every time accompanied by rev. Rev @@ -79,7 +79,7 @@ Example of rev in a signature: In this example the red, bold-faced part is the rev. -Gid (group id) +gid (group ID) -------------- The gid keyword can be used to give different groups of signatures @@ -98,7 +98,7 @@ Example of gid in a signature: This is an example from the fast.log. In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev). -Classtype +classtype --------- The classtype keyword gives information about the classification of @@ -133,7 +133,7 @@ Another example of classtype in a signature: In this example the red, bold-faced part is the classtype. -Reference +reference --------- The reference keywords direct to places where information about the @@ -178,7 +178,7 @@ Example of reference in a signature: In this example the red, bold-faced part is the action. -Priority +priority -------- The priority keyword comes with a mandatory numeric value which can @@ -192,7 +192,7 @@ format of priority is: priority:1; -Metadata +metadata -------- Suricata ignores the words behind meta data. Suricata supports this @@ -202,7 +202,7 @@ keyword because it is part of the signature language. The format is: metadata:......; -Target +target ------ The target keyword allows the rules writer to specify which side of the diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 47d44f9a3a..4696936339 100644 --- a/doc/userguide/rules/payload-keywords.rst 
+++ b/doc/userguide/rules/payload-keywords.rst @@ -11,7 +11,7 @@ Payload Keywords Payload keywords inspect the content of the payload of a packet or stream. -Content +content ------- The content keyword is very important in signatures. Between the @@ -99,7 +99,7 @@ generated if the the used version of Firefox is not 3.6.13. .. note:: The following characters must be escaped inside the content: ``;`` ``\`` ``"`` -Nocase +nocase ------ If you do not want to make a distinction between uppercase and @@ -120,7 +120,7 @@ Example nocase: It has no influence on other contents in the signature. -Depth +depth ----- The depth keyword is a absolute content modifier. It comes after the @@ -136,7 +136,7 @@ Example: .. image:: payload-keywords/content4.png -Offset +offset ------ The offset keyword designates from which byte in the payload will be @@ -157,7 +157,7 @@ third byte till the sixth byte. .. image:: payload-keywords/content6.png -Distance +distance -------- The keyword distance is a relative content modifier. This means it @@ -188,7 +188,7 @@ possible to attain the same results with other keywords. .. image:: payload-keywords/distance3.png -Within +within ------ The keyword within is relative to the preceding match. The keyword @@ -214,7 +214,7 @@ payload for a match, use within. .. image:: payload-keywords/within_distance2.png -Isdataat +isdataat -------- The purpose of the isdataat keyword is to look if there is still data @@ -238,7 +238,7 @@ You can also use the negation (!) before isdataat. .. image:: payload-keywords/isdataat1.png -Dsize +dsize ----- With the dsize keyword, you can match on the size of the packet @@ -280,7 +280,7 @@ Example of the rpc keyword in a rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) -Replace +replace ------- The replace content modifier can only be used in ips. It adjusts
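Review bot: in doc/userguide/rules/meta.rst, hunk @@ -37, the new heading "sid (signature ID)" also changes the parenthetical from "id" to "ID", which goes beyond what the commit message ("Use lowercased keyword names as section titles") describes; either keep the parenthetical as it was ("sid (signature id)") or mention the ID capitalization in the commit message. The heading length is unchanged, so the existing "------------------" underline still matches.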
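Review bot: in doc/userguide/rules/meta.rst, hunk @@ -56, "rev (Revision)" keeps a capitalized parenthetical while the sibling headings in this same patch become "sid (signature ID)" and "gid (group ID)"; for consistency lowercase it to "rev (revision)" (same length, so the underline needs no change).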
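Review bot: in doc/userguide/rules/header-keywords.rst, hunk @@ -114, the context line "The named variante of that example would be::" has a typo ("variante" should be "variant"); since this hunk already touches the section it is cheap to fold in, or leave it for a follow-up if this patch is meant to stay strictly a title change.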
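Review bot: in doc/userguide/rules/meta.rst, hunk @@ -98, the context line "(2008124 is the the sid and 2 the rev)" has a doubled "the"; worth fixing while the gid section is being touched.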
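Review bot: in doc/userguide/rules/meta.rst, hunk @@ -178, the context line "In this example the red, bold-faced part is the action." closes the "Example of reference in a signature:" block, but the emphasised part there is the reference, not the action; this looks like a copy-paste slip from an earlier section and should presumably read "is the reference", matching the "is the sid" / "is the rev" / "is the classtype" sentences above.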
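Review bot: in doc/userguide/rules/payload-keywords.rst, hunk @@ -99, the context line "generated if the the used version of Firefox is not 3.6.13." has a doubled "the".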
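Review bot: in doc/userguide/rules/payload-keywords.rst, hunk @@ -120, the context line "The depth keyword is a absolute content modifier." should read "an absolute content modifier".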
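Review bot: in doc/userguide/rules/flow-keywords.rst, hunk @@ -102, the context line "For information, read the information on the :doc:`flowint` page." is redundant; "See the :doc:`flowint` page." says the same thing, and the :doc: target is unaffected by the title case change in doc/userguide/rules/flowint.rst.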