From: Jeff Lucovsky Date: Sun, 9 Jul 2023 14:42:06 +0000 (-0400) Subject: detect/byte_math: Document bytes variable name X-Git-Tag: suricata-7.0.0~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47e268d6095676de84baf1b6123ae58742af4bec;p=thirdparty%2Fsuricata.git detect/byte_math: Document bytes variable name Issue: 6145 Document that byte_math accepts a variable name for bytes (optional) --- diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 50f34061b9..9ca145c5e2 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -295,6 +295,10 @@ See :doc:`http-keywords` for all HTTP keywords. to be specified for the ``nbytes`` value. The value of ``nbytes`` must adhere to the same constraints as though a value was directly supplied by the rule. +- Suricata allows a variable name from ``byte_extract`` to be specified for + the ``nbytes`` value. The value of ``nbytes`` must adhere to the same constraints + as if it were supplied directly in the rule. + ``isdataat`` Keyword -------------------- diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index e9da599ee9..412f7b4fe0 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst 
@@ -459,13 +459,14 @@ other rule options later in the rule. Format:: - byte_math:bytes , offset , oper , rvalue , \ + byte_math:bytes | , offset , oper , rvalue , \ result [, relative] [, endian ] [, string ] \ [, dce] [, bitmask ]; +-----------------------+-----------------------------------------------------------------------+ | | The number of bytes selected from the packet | +| | or the name of a byte_extract variable. | +-----------------------+-----------------------------------------------------------------------+ | | Number of bytes into the payload | +-----------------------+-----------------------------------------------------------------------+
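Review bot: In doc/userguide/rules/differences-from-snort.rst, the added bullet never names the keyword it applies to, and its wording nearly repeats the context lines directly above it ("to be specified for the ``nbytes`` value. The value of ``nbytes`` must adhere to the same constraints ..."). If the preceding bullet already covers this case, the new one is a duplicate and should be dropped or merged; if it is meant for byte_math, as the commit subject says, name ``byte_math`` in the bullet. The bullet also calls the parameter ``nbytes``, while the Format line changed in payload-keywords.rst calls it ``bytes``; use one name in both places so a rule writer can match the two documents.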
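Review bot: In doc/userguide/rules/payload-keywords.rst, the new table text "or the name of a byte_extract variable." leaves out the constraint that the other file in this patch states, namely that the value must adhere to the same constraints as if it were supplied directly in the rule. Repeat that sentence in the table cell or directly under the table, since this is the page a rule writer reads for byte_math, and say what the permitted range is. The hunk changes only the Format line and the table; a short example rule that passes a byte_extract variable as ``bytes`` would make the new form concrete.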