From: Eric Leblond Date: Wed, 7 Nov 2012 18:03:36 +0000 (+0100) Subject: Add documentation url in list-keyword output. X-Git-Tag: suricata-1.4rc1~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68425453317b8be4f9e5d26643741baf0dff3bff;p=thirdparty%2Fsuricata.git Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword. --- diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index f78597a19c..09918960cc 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -529,6 +529,22 @@ uint16_t AppLayerGetProtoByName(const char *name) return ALPROTO_UNKNOWN; } +const char *AppLayerGetProtoString(int proto) +{ + + if ((proto > ALPROTO_MAX) || (proto < 0)) { + return "Undefined"; + } + + if (al_proto_table[proto].name == NULL) { + return "Unset"; + } else { + return al_proto_table[proto].name; + } + + return "Undefined"; +} + /** \brief Description: register a parser. * * \param name full parser name, e.g. "http.request_line" diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index 6bda0ce0af..0ad01e2d05 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h @@ -262,6 +262,7 @@ void AppLayerRegisterGetFilesFunc(uint16_t proto, FileContainer *(*StateGetFile)(void *, uint8_t)); void AppLayerRegisterLogger(uint16_t proto); uint16_t AppLayerGetProtoByName(const char *); +const char *AppLayerGetProtoString(int proto); void AppLayerRegisterTruncateFunc(uint16_t proto, void (*Truncate)(void *, uint8_t)); int AppLayerParse(void *, Flow *, uint8_t, diff --git a/src/detect-ack.c b/src/detect-ack.c index e82aef2fc9..ba0d4c16b7 100644 --- a/src/detect-ack.c +++ b/src/detect-ack.c @@ -48,6 +48,8 @@ static void DetectAckFree(void *); void DetectAckRegister(void) { sigmatch_table[DETECT_ACK].name = "ack"; + sigmatch_table[DETECT_ACK].desc = "check for a specific TCP acknowledgement number"; + sigmatch_table[DETECT_ACK].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ack"; sigmatch_table[DETECT_ACK].Match = DetectAckMatch; sigmatch_table[DETECT_ACK].Setup = DetectAckSetup; sigmatch_table[DETECT_ACK].Free = DetectAckFree; diff --git a/src/detect-classtype.c b/src/detect-classtype.c index 3b33c2393a..07aa01da6a 100644 --- a/src/detect-classtype.c +++ b/src/detect-classtype.c @@ -57,6 +57,8 @@ void DetectClasstypeRegister(void) SCLogDebug("Registering the Classtype keyword handler"); sigmatch_table[DETECT_CLASSTYPE].name = "classtype"; + sigmatch_table[DETECT_CLASSTYPE].desc = "information about the classification of rules and alerts"; + sigmatch_table[DETECT_CLASSTYPE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Classtype"; sigmatch_table[DETECT_CLASSTYPE].Match = NULL; sigmatch_table[DETECT_CLASSTYPE].Setup = DetectClasstypeSetup; sigmatch_table[DETECT_CLASSTYPE].Free = NULL; diff --git a/src/detect-content.c b/src/detect-content.c index 606dbcec7a..2263c30fb2 100644 --- a/src/detect-content.c +++ b/src/detect-content.c @@ -51,6 +51,8 @@ void DetectContentRegisterTests(void); void DetectContentRegister (void) { sigmatch_table[DETECT_CONTENT].name = "content"; + sigmatch_table[DETECT_CONTENT].desc = "match on payload content"; + sigmatch_table[DETECT_CONTENT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Content"; sigmatch_table[DETECT_CONTENT].Match = NULL; sigmatch_table[DETECT_CONTENT].Setup = DetectContentSetup; sigmatch_table[DETECT_CONTENT].Free = DetectContentFree; diff --git a/src/detect-depth.c b/src/detect-depth.c index f6ecc46bc2..8eeace5c5c 100644 --- a/src/detect-depth.c +++ b/src/detect-depth.c @@ -44,6 +44,8 @@ static int DetectDepthSetup (DetectEngineCtx *, Signature *, char *); void DetectDepthRegister (void) { sigmatch_table[DETECT_DEPTH].name = "depth"; + sigmatch_table[DETECT_DEPTH].desc = "designate how many bytes from the beginning of the payload will be checked"; + sigmatch_table[DETECT_DEPTH].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Depth"; sigmatch_table[DETECT_DEPTH].Match = NULL; sigmatch_table[DETECT_DEPTH].Setup = DetectDepthSetup; sigmatch_table[DETECT_DEPTH].Free = NULL; diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c index 9573b44b3b..02a8e89d1e 100644 --- a/src/detect-detection-filter.c +++ b/src/detect-detection-filter.c @@ -61,6 +61,8 @@ void DetectDetectionFilterFree(void *); */ void DetectDetectionFilterRegister (void) { sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter"; + sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached"; + sigmatch_table[DETECT_DETECTION_FILTER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding#detection_filter"; sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch; sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup; sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree; diff --git a/src/detect-distance.c b/src/detect-distance.c index 8c442ceaa4..99011b1ec7 100644 --- a/src/detect-distance.c +++ b/src/detect-distance.c @@ -51,6 +51,8 @@ void DetectDistanceRegisterTests(void); void DetectDistanceRegister (void) { sigmatch_table[DETECT_DISTANCE].name = "distance"; + sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it"; + sigmatch_table[DETECT_DISTANCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Distance"; sigmatch_table[DETECT_DISTANCE].Match = NULL; sigmatch_table[DETECT_DISTANCE].Setup = DetectDistanceSetup; sigmatch_table[DETECT_DISTANCE].Free = NULL; diff --git a/src/detect-dsize.c b/src/detect-dsize.c index 667fe06184..628171ae06 100644 --- a/src/detect-dsize.c +++ b/src/detect-dsize.c @@ -54,6 +54,8 @@ static void DetectDsizeFree(void *); */ void DetectDsizeRegister (void) { sigmatch_table[DETECT_DSIZE].name = "dsize"; + sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload"; + sigmatch_table[DETECT_DSIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Dsize"; sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch; sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup; sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree; diff --git a/src/detect-fast-pattern.c b/src/detect-fast-pattern.c index 1a9781aae5..da8270dce8 100644 --- a/src/detect-fast-pattern.c +++ b/src/detect-fast-pattern.c @@ -107,6 +107,8 @@ void SupportFastPatternForSigMatchTypes(void) void DetectFastPatternRegister(void) { sigmatch_table[DETECT_FAST_PATTERN].name = "fast_pattern"; + sigmatch_table[DETECT_FAST_PATTERN].desc = "force using preceding content in the multi pattern matcher"; + sigmatch_table[DETECT_FAST_PATTERN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#fast_pattern"; sigmatch_table[DETECT_FAST_PATTERN].Match = NULL; sigmatch_table[DETECT_FAST_PATTERN].Setup = DetectFastPatternSetup; sigmatch_table[DETECT_FAST_PATTERN].Free = NULL; diff --git a/src/detect-file-data.c b/src/detect-file-data.c index d302c8bfcf..608c8b58ca 100644 --- a/src/detect-file-data.c +++ b/src/detect-file-data.c @@ -50,6 +50,8 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, char *); */ void DetectFiledataRegister(void) { sigmatch_table[DETECT_FILE_DATA].name = "file_data"; + sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body"; + sigmatch_table[DETECT_FILE_DATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#file_data"; sigmatch_table[DETECT_FILE_DATA].Match = NULL; sigmatch_table[DETECT_FILE_DATA].AppLayerMatch = NULL; sigmatch_table[DETECT_FILE_DATA].alproto = ALPROTO_HTTP; diff --git a/src/detect-fileext.c b/src/detect-fileext.c index 80a5cef53a..b6f00c19a3 100644 --- a/src/detect-fileext.c +++ b/src/detect-fileext.c @@ -62,6 +62,8 @@ static void DetectFileextFree(void *); */ void DetectFileextRegister(void) { sigmatch_table[DETECT_FILEEXT].name = "fileext"; + sigmatch_table[DETECT_FILEEXT].desc = "match on the extension of a file name"; + sigmatch_table[DETECT_FILEEXT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#fileext"; sigmatch_table[DETECT_FILEEXT].FileMatch = DetectFileextMatch; sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup; diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index 4eef0243c5..a3f8b07203 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -66,6 +66,8 @@ static void DetectFilemagicFree(void *); */ void DetectFilemagicRegister(void) { sigmatch_table[DETECT_FILEMAGIC].name = "filemagic"; + sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file"; + sigmatch_table[DETECT_FILEMAGIC].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filemagic"; sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch; sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup; diff --git a/src/detect-filemd5.c b/src/detect-filemd5.c index 6bb9d03257..1030c360a8 100644 --- a/src/detect-filemd5.c +++ b/src/detect-filemd5.c @@ -66,6 +66,8 @@ static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, char * */ void DetectFileMd5Register(void) { sigmatch_table[DETECT_FILEMD5].name = "filemd5"; + sigmatch_table[DETECT_FILEMD5].desc = "match file MD5 against list of MD5 checksums"; + sigmatch_table[DETECT_FILEMD5].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filemd5"; sigmatch_table[DETECT_FILEMD5].FileMatch = NULL; sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport; diff --git a/src/detect-filename.c b/src/detect-filename.c index 31fc0b6c6c..b978bc039e 100644 --- a/src/detect-filename.c +++ b/src/detect-filename.c @@ -61,6 +61,8 @@ static void DetectFilenameFree(void *); */ void DetectFilenameRegister(void) { sigmatch_table[DETECT_FILENAME].name = "filename"; + sigmatch_table[DETECT_FILENAME].desc = "match on the file name"; + sigmatch_table[DETECT_FILENAME].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filename"; sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch; sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup; diff --git a/src/detect-filesize.c b/src/detect-filesize.c index a56c8a0688..a807405c6b 100644 --- a/src/detect-filesize.c +++ b/src/detect-filesize.c @@ -61,6 +61,8 @@ static void DetectFilesizeRegisterTests (void); void DetectFilesizeRegister(void) { sigmatch_table[DETECT_FILESIZE].name = "filesize"; + sigmatch_table[DETECT_FILESIZE].desc = "match on the size of the file as it is being transferred"; + sigmatch_table[DETECT_FILESIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filesize"; sigmatch_table[DETECT_FILESIZE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILESIZE].FileMatch = DetectFilesizeMatch; sigmatch_table[DETECT_FILESIZE].Setup = DetectFilesizeSetup; diff --git a/src/detect-filestore.c b/src/detect-filestore.c index 20157bb3d8..e116ce48f0 100644 --- a/src/detect-filestore.c +++ b/src/detect-filestore.c @@ -68,6 +68,8 @@ static void DetectFilestoreFree(void *); */ void DetectFilestoreRegister(void) { sigmatch_table[DETECT_FILESTORE].name = "filestore"; + sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched"; + sigmatch_table[DETECT_FILESTORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filestore"; sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch; sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; diff --git a/src/detect-flow.c b/src/detect-flow.c index fa6ca2d197..d7565731be 100644 --- a/src/detect-flow.c +++ b/src/detect-flow.c @@ -58,6 +58,8 @@ void DetectFlowFree(void *); */ void DetectFlowRegister (void) { sigmatch_table[DETECT_FLOW].name = "flow"; + sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow"; + sigmatch_table[DETECT_FLOW].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#Flow"; sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch; sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup; sigmatch_table[DETECT_FLOW].Free = DetectFlowFree; diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c index 9d97bab2f0..232b00832e 100644 --- a/src/detect-flowbits.c +++ b/src/detect-flowbits.c @@ -57,6 +57,8 @@ void FlowBitsRegisterTests(void); void DetectFlowbitsRegister (void) { sigmatch_table[DETECT_FLOWBITS].name = "flowbits"; + sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag"; + sigmatch_table[DETECT_FLOWBITS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#Flowbits"; sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch; sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup; sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree; diff --git a/src/detect-flowint.c b/src/detect-flowint.c index 61b6f984bf..d2ce9cd6d1 100644 --- a/src/detect-flowint.c +++ b/src/detect-flowint.c @@ -56,6 +56,8 @@ void DetectFlowintRegisterTests(void); void DetectFlowintRegister(void) { sigmatch_table[DETECT_FLOWINT].name = "flowint"; + sigmatch_table[DETECT_FLOWINT].desc = "operate on a per-flow integer"; + sigmatch_table[DETECT_FLOWINT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flowint"; sigmatch_table[DETECT_FLOWINT].Match = DetectFlowintMatch; sigmatch_table[DETECT_FLOWINT].Setup = DetectFlowintSetup; sigmatch_table[DETECT_FLOWINT].Free = DetectFlowintFree; diff --git a/src/detect-fragbits.c b/src/detect-fragbits.c index e61f0b45ef..6908295a9a 100644 --- a/src/detect-fragbits.c +++ b/src/detect-fragbits.c @@ -70,6 +70,8 @@ static void DetectFragBitsFree(void *); void DetectFragBitsRegister (void) { sigmatch_table[DETECT_FRAGBITS].name = "fragbits"; + sigmatch_table[DETECT_FRAGBITS].desc = "check if the fragmentation and reserved bits are set in the IP header"; + sigmatch_table[DETECT_FRAGBITS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Fragbits"; sigmatch_table[DETECT_FRAGBITS].Match = DetectFragBitsMatch; sigmatch_table[DETECT_FRAGBITS].Setup = DetectFragBitsSetup; sigmatch_table[DETECT_FRAGBITS].Free = DetectFragBitsFree; diff --git a/src/detect-fragoffset.c b/src/detect-fragoffset.c index 3d6f528959..4fae50a34f 100644 --- a/src/detect-fragoffset.c +++ b/src/detect-fragoffset.c @@ -53,6 +53,8 @@ void DetectFragOffsetFree(void *); */ void DetectFragOffsetRegister (void) { sigmatch_table[DETECT_FRAGOFFSET].name = "fragoffset"; + sigmatch_table[DETECT_FRAGOFFSET].desc = "match on specific decimal values of the IP fragment offset field"; + sigmatch_table[DETECT_FRAGOFFSET].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Fragoffset"; sigmatch_table[DETECT_FRAGOFFSET].Match = DetectFragOffsetMatch; sigmatch_table[DETECT_FRAGOFFSET].Setup = DetectFragOffsetSetup; sigmatch_table[DETECT_FRAGOFFSET].Free = DetectFragOffsetFree; diff --git a/src/detect-gid.c b/src/detect-gid.c index 1c4d47b05b..3bd65fc59d 100644 --- a/src/detect-gid.c +++ b/src/detect-gid.c @@ -47,6 +47,8 @@ static int DetectGidSetup (DetectEngineCtx *, Signature *, char *); void DetectGidRegister (void) { sigmatch_table[DETECT_GID].name = "gid"; + sigmatch_table[DETECT_GID].desc = "give different groups of signatures another id value"; + sigmatch_table[DETECT_GID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Gid-group-id"; sigmatch_table[DETECT_GID].Match = NULL; sigmatch_table[DETECT_GID].Setup = DetectGidSetup; sigmatch_table[DETECT_GID].Free = NULL; diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index b5336ff11a..e11468f6f7 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -67,6 +67,8 @@ void DetectHttpClientBodyFree(void *); void DetectHttpClientBodyRegister(void) { sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body"; + sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body"; + sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_client_body"; sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Match = NULL; sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup; diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 5fb7b399d7..96457e169d 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -68,6 +68,8 @@ void DetectHttpCookieFree(void *); */ void DetectHttpCookieRegister (void) { sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie"; + sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer"; + sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_cookie"; sigmatch_table[DETECT_AL_HTTP_COOKIE].Match = NULL; sigmatch_table[DETECT_AL_HTTP_COOKIE].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_COOKIE].alproto = ALPROTO_HTTP; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 1990ccd2f8..93a5a560a5 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -68,6 +68,8 @@ void DetectHttpHeaderFree(void *); void DetectHttpHeaderRegister(void) { sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header"; + sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer"; + sigmatch_table[DETECT_AL_HTTP_HEADER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_header"; sigmatch_table[DETECT_AL_HTTP_HEADER].Match = NULL; sigmatch_table[DETECT_AL_HTTP_HEADER].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup; diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 8666fbf34b..14afc4d714 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -68,6 +68,8 @@ void DetectHttpMethodFree(void *); */ void DetectHttpMethodRegister(void) { sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method"; + sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer"; + sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method"; sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL; sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_METHOD].alproto = ALPROTO_HTTP; diff --git a/src/detect-http-raw-uri.c b/src/detect-http-raw-uri.c index 4b541d1075..0e3adf3d78 100644 --- a/src/detect-http-raw-uri.c +++ b/src/detect-http-raw-uri.c @@ -63,6 +63,8 @@ static void DetectHttpRawUriRegisterTests(void); void DetectHttpRawUriRegister(void) { sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri"; + sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on HTTP uri"; + sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_uri-and-http_raw_uri"; sigmatch_table[DETECT_AL_HTTP_RAW_URI].Match = NULL; sigmatch_table[DETECT_AL_HTTP_RAW_URI].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_RAW_URI].alproto = ALPROTO_HTTP; diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index b0d3db4847..bd0deba98f 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -68,6 +68,8 @@ void DetectHttpServerBodyFree(void *); void DetectHttpServerBodyRegister(void) { sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body"; + sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match only on the HTTP response-body"; + sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_server_body"; sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Match = NULL; sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup; diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index c973a6f5b9..50c3eea54d 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -73,6 +73,8 @@ void DetectHttpStatCodeFree(void *); */ void DetectHttpStatCodeRegister (void) { sigmatch_table[DETECT_AL_HTTP_STAT_CODE].name = "http_stat_code"; + sigmatch_table[DETECT_AL_HTTP_STAT_CODE].desc = "content modifier to match only on HTTP stat-code-buffer"; + sigmatch_table[DETECT_AL_HTTP_STAT_CODE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_stat_code"; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Match = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alproto = ALPROTO_HTTP; diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index 405e9a86e9..55678a1115 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -73,6 +73,8 @@ void DetectHttpStatMsgFree(void *); */ void DetectHttpStatMsgRegister (void) { sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg"; + sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer"; + sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_stat_msg"; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alproto = ALPROTO_HTTP; diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index fdaa0e6335..62a4501a30 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -67,6 +67,8 @@ void DetectHttpUAFree(void *); void DetectHttpUARegister(void) { sigmatch_table[DETECT_AL_HTTP_USER_AGENT].name = "http_user_agent"; + sigmatch_table[DETECT_AL_HTTP_USER_AGENT].desc = "content modifier to match only on the HTTP User-Agent header"; + sigmatch_table[DETECT_AL_HTTP_USER_AGENT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_user_agent"; sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Match = NULL; sigmatch_table[DETECT_AL_HTTP_USER_AGENT].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Setup = DetectHttpUASetup; diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 6297939777..4c1ac285bf 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -63,6 +63,8 @@ void DetectHttpUriRegisterTests(void); */ void DetectHttpUriRegister (void) { sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri"; + sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer"; + sigmatch_table[DETECT_AL_HTTP_URI].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_uri-and-http_raw_uri"; sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL; sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_HTTP_URI].alproto = ALPROTO_HTTP; diff --git a/src/detect-icmp-seq.c b/src/detect-icmp-seq.c index 34afe3bb64..385318fa16 100644 --- a/src/detect-icmp-seq.c +++ b/src/detect-icmp-seq.c @@ -52,6 +52,8 @@ void DetectIcmpSeqFree(void *); */ void DetectIcmpSeqRegister (void) { sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq"; + sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number"; + sigmatch_table[DETECT_ICMP_SEQ].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#icmp_seq"; sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch; sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup; sigmatch_table[DETECT_ICMP_SEQ].Free = DetectIcmpSeqFree; diff --git a/src/detect-icode.c b/src/detect-icode.c index 9a3112c865..0ff677378d 100644 --- a/src/detect-icode.c +++ b/src/detect-icode.c @@ -56,6 +56,8 @@ void DetectICodeFree(void *); */ void DetectICodeRegister (void) { sigmatch_table[DETECT_ICODE].name = "icode"; + sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value"; + sigmatch_table[DETECT_ICODE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#icode"; sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch; sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup; sigmatch_table[DETECT_ICODE].Free = DetectICodeFree; diff --git a/src/detect-id.c b/src/detect-id.c index 38005083ea..ad48785367 100644 --- a/src/detect-id.c +++ b/src/detect-id.c @@ -59,6 +59,8 @@ void DetectIdFree(void *); */ void DetectIdRegister (void) { sigmatch_table[DETECT_ID].name = "id"; + sigmatch_table[DETECT_ID].desc = "match on a specific IP ID value"; + sigmatch_table[DETECT_ID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Id"; sigmatch_table[DETECT_ID].Match = DetectIdMatch; sigmatch_table[DETECT_ID].Setup = DetectIdSetup; sigmatch_table[DETECT_ID].Free = DetectIdFree; diff --git a/src/detect-ipopts.c b/src/detect-ipopts.c index a59aa377cb..4e0f351bea 100644 --- a/src/detect-ipopts.c +++ b/src/detect-ipopts.c @@ -56,6 +56,8 @@ void DetectIpOptsFree(void *); */ void DetectIpOptsRegister (void) { sigmatch_table[DETECT_IPOPTS].name = "ipopts"; + sigmatch_table[DETECT_IPOPTS].desc = "check if a specific IP option is set"; + sigmatch_table[DETECT_IPOPTS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Ipopts"; sigmatch_table[DETECT_IPOPTS].Match = DetectIpOptsMatch; sigmatch_table[DETECT_IPOPTS].Setup = DetectIpOptsSetup; sigmatch_table[DETECT_IPOPTS].Free = DetectIpOptsFree; diff --git a/src/detect-ipproto.c b/src/detect-ipproto.c index 237b2a6aa6..80009d030a 100644 --- a/src/detect-ipproto.c +++ b/src/detect-ipproto.c @@ -65,6 +65,8 @@ void DetectIPProtoRegister(void) int opts = 0; sigmatch_table[DETECT_IPPROTO].name = "ip_proto"; + sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header"; + sigmatch_table[DETECT_IPPROTO].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ip_proto"; sigmatch_table[DETECT_IPPROTO].Match = NULL; sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup; sigmatch_table[DETECT_IPPROTO].Free = NULL; diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c index ef26557888..d7bd4f1d7c 100644 --- a/src/detect-isdataat.c +++ b/src/detect-isdataat.c @@ -65,6 +65,8 @@ void DetectIsdataatFree(void *); */ void DetectIsdataatRegister (void) { sigmatch_table[DETECT_ISDATAAT].name = "isdataat"; + sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload"; + sigmatch_table[DETECT_ISDATAAT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Isadataat"; sigmatch_table[DETECT_ISDATAAT].Match = DetectIsdataatMatch; sigmatch_table[DETECT_ISDATAAT].Setup = DetectIsdataatSetup; sigmatch_table[DETECT_ISDATAAT].Free = DetectIsdataatFree; diff --git a/src/detect-itype.c b/src/detect-itype.c index f59cd1a3eb..ea7ee032c9 100644 --- a/src/detect-itype.c +++ b/src/detect-itype.c @@ -56,6 +56,8 @@ void DetectITypeFree(void *); */ void DetectITypeRegister (void) { sigmatch_table[DETECT_ITYPE].name = "itype"; + sigmatch_table[DETECT_ITYPE].desc = "matching on a specific ICMP type"; + sigmatch_table[DETECT_ITYPE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#itype"; sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch; sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup; sigmatch_table[DETECT_ITYPE].Free = DetectITypeFree; diff --git a/src/detect-luajit.c b/src/detect-luajit.c index bb70a5efb6..020fec5980 100644 --- a/src/detect-luajit.c +++ b/src/detect-luajit.c @@ -92,6 +92,8 @@ static void DetectLuajitFree(void *); */ void DetectLuajitRegister(void) { sigmatch_table[DETECT_LUAJIT].name = "luajit"; + sigmatch_table[DETECT_LUAJIT].desc = "match via a luajit script"; + sigmatch_table[DETECT_LUAJIT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting"; sigmatch_table[DETECT_LUAJIT].Match = DetectLuajitMatch; sigmatch_table[DETECT_LUAJIT].Setup = DetectLuajitSetup; sigmatch_table[DETECT_LUAJIT].Free = DetectLuajitFree; diff --git a/src/detect-metadata.c b/src/detect-metadata.c index f0001f17c5..fd2088e94e 100644 --- a/src/detect-metadata.c +++ b/src/detect-metadata.c @@ -33,6 +33,8 @@ static int DetectMetadataSetup (DetectEngineCtx *, Signature *, char *); void DetectMetadataRegister (void) { sigmatch_table[DETECT_METADATA].name = "metadata"; + sigmatch_table[DETECT_METADATA].desc = "ignored by suricata"; + sigmatch_table[DETECT_METADATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Metadata"; sigmatch_table[DETECT_METADATA].Match = NULL; sigmatch_table[DETECT_METADATA].Setup = DetectMetadataSetup; sigmatch_table[DETECT_METADATA].Free = NULL; diff --git a/src/detect-msg.c b/src/detect-msg.c index 4bcd65d83d..48f53e2fd9 100644 --- a/src/detect-msg.c +++ b/src/detect-msg.c @@ -38,6 +38,8 @@ void DetectMsgRegisterTests(void); void DetectMsgRegister (void) { sigmatch_table[DETECT_MSG].name = "msg"; + sigmatch_table[DETECT_MSG].desc = "information about the rule and the possible alert"; + sigmatch_table[DETECT_MSG].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#msg-message"; sigmatch_table[DETECT_MSG].Match = NULL; sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup; sigmatch_table[DETECT_MSG].Free = NULL; diff --git a/src/detect-nocase.c b/src/detect-nocase.c index 38b1700614..f56b63a5b9 100644 --- a/src/detect-nocase.c +++ b/src/detect-nocase.c @@ -46,6 +46,8 @@ static int DetectNocaseSetup (DetectEngineCtx *, Signature *, char *); void DetectNocaseRegister (void) { sigmatch_table[DETECT_NOCASE].name = "nocase"; + sigmatch_table[DETECT_NOCASE].desc = "modify content match to be case insensitive"; + sigmatch_table[DETECT_NOCASE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Nocase"; sigmatch_table[DETECT_NOCASE].Match = NULL; sigmatch_table[DETECT_NOCASE].Setup = DetectNocaseSetup; sigmatch_table[DETECT_NOCASE].Free = NULL; diff --git a/src/detect-offset.c b/src/detect-offset.c index 21beeb94da..d17fa75a44 100644 --- a/src/detect-offset.c +++ b/src/detect-offset.c @@ -43,6 +43,8 @@ static int DetectOffsetSetup (DetectEngineCtx *, Signature *, char *); void DetectOffsetRegister (void) { sigmatch_table[DETECT_OFFSET].name = "offset"; + sigmatch_table[DETECT_OFFSET].desc = "designate from which byte in the payload will be checked to find a match"; + sigmatch_table[DETECT_OFFSET].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Offset"; sigmatch_table[DETECT_OFFSET].Match = NULL; sigmatch_table[DETECT_OFFSET].Setup = DetectOffsetSetup; sigmatch_table[DETECT_OFFSET].Free = NULL; diff --git a/src/detect-pcre.c b/src/detect-pcre.c index adbad05631..8cd37f88f8 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -83,6 +83,8 @@ void DetectPcreRegisterTests(void); void DetectPcreRegister (void) { sigmatch_table[DETECT_PCRE].name = "pcre"; + sigmatch_table[DETECT_PCRE].desc = "match on regular expression"; + sigmatch_table[DETECT_PCRE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#Pcre-Perl-Compatible-Regular-Expressions"; sigmatch_table[DETECT_PCRE].Match = NULL; sigmatch_table[DETECT_PCRE].AppLayerMatch = NULL; sigmatch_table[DETECT_PCRE].alproto = ALPROTO_HTTP; diff --git a/src/detect-priority.c b/src/detect-priority.c index 9e23e44d05..6db84b28b9 100644 --- a/src/detect-priority.c +++ b/src/detect-priority.c @@ -51,6 +51,8 @@ void DetectPriorityRegister (void) int opts = 0; sigmatch_table[DETECT_PRIORITY].name = "priority"; + sigmatch_table[DETECT_PRIORITY].desc = "rules with a higher priority will be examined first"; + sigmatch_table[DETECT_PRIORITY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Priority"; sigmatch_table[DETECT_PRIORITY].Match = NULL; sigmatch_table[DETECT_PRIORITY].Setup = DetectPrioritySetup; sigmatch_table[DETECT_PRIORITY].Free = NULL; diff --git a/src/detect-reference.c b/src/detect-reference.c index 08303ebc36..174b03c7f9 100644 --- a/src/detect-reference.c +++ b/src/detect-reference.c @@ -56,6 +56,8 @@ static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, char *str); void DetectReferenceRegister(void) { sigmatch_table[DETECT_REFERENCE].name = "reference"; + sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found"; + sigmatch_table[DETECT_REFERENCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Reference"; sigmatch_table[DETECT_REFERENCE].Match = NULL; sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup; sigmatch_table[DETECT_REFERENCE].Free = NULL; diff --git a/src/detect-rev.c b/src/detect-rev.c index 74cc5a77ad..94e90e204a 100644 --- a/src/detect-rev.c +++ b/src/detect-rev.c @@ -32,6 +32,8 @@ static int DetectRevSetup (DetectEngineCtx *, Signature *, char *); void DetectRevRegister (void) { sigmatch_table[DETECT_REV].name = "rev"; + sigmatch_table[DETECT_REV].desc = "set version of the rule"; + sigmatch_table[DETECT_REV].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Rev-Revision"; sigmatch_table[DETECT_REV].Match = NULL; sigmatch_table[DETECT_REV].Setup = DetectRevSetup; sigmatch_table[DETECT_REV].Free = NULL; diff --git a/src/detect-rpc.c b/src/detect-rpc.c index 8e7d64be50..37d3a4c281 100644 --- a/src/detect-rpc.c +++ b/src/detect-rpc.c @@ -58,6 +58,8 @@ void DetectRpcFree(void *); */ void DetectRpcRegister (void) { sigmatch_table[DETECT_RPC].name = "rpc"; + sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version"; + sigmatch_table[DETECT_RPC].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#rpc"; sigmatch_table[DETECT_RPC].Match = DetectRpcMatch; sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup; sigmatch_table[DETECT_RPC].Free = DetectRpcFree; diff --git a/src/detect-sameip.c b/src/detect-sameip.c index b67f9c5f8c..7cd71d3650 100644 --- a/src/detect-sameip.c +++ b/src/detect-sameip.c @@ -49,6 +49,8 @@ static void DetectSameipRegisterTests(void); void DetectSameipRegister(void) { sigmatch_table[DETECT_SAMEIP].name = "sameip"; + sigmatch_table[DETECT_SAMEIP].desc = "check if the IP address of the source is the same as the IP address of the destination"; + sigmatch_table[DETECT_SAMEIP].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#sameip"; sigmatch_table[DETECT_SAMEIP].Match = DetectSameipMatch; sigmatch_table[DETECT_SAMEIP].Setup = DetectSameipSetup; sigmatch_table[DETECT_SAMEIP].Free = NULL; diff --git a/src/detect-seq.c b/src/detect-seq.c index d757a450dd..f41f854512 100644 --- a/src/detect-seq.c +++ b/src/detect-seq.c @@ -48,6 +48,8 @@ static void DetectSeqFree(void *); void DetectSeqRegister(void) { sigmatch_table[DETECT_SEQ].name = "seq"; + sigmatch_table[DETECT_SEQ].desc = "check for a specific TCP sequence number"; + sigmatch_table[DETECT_SEQ].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#seq"; sigmatch_table[DETECT_SEQ].Match = DetectSeqMatch; sigmatch_table[DETECT_SEQ].Setup = DetectSeqSetup; sigmatch_table[DETECT_SEQ].Free = DetectSeqFree; diff --git a/src/detect-sid.c b/src/detect-sid.c index d67c1282fd..7d2f15eb04 100644 --- a/src/detect-sid.c +++ b/src/detect-sid.c @@ -32,6 +32,8 @@ static int DetectSidSetup (DetectEngineCtx *, Signature *, char *); void DetectSidRegister (void) { sigmatch_table[DETECT_SID].name = "sid"; + sigmatch_table[DETECT_SID].desc = "set rule id"; + sigmatch_table[DETECT_SID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Sid-signature-id"; sigmatch_table[DETECT_SID].Match = NULL; sigmatch_table[DETECT_SID].Setup = DetectSidSetup; sigmatch_table[DETECT_SID].Free = NULL; diff --git a/src/detect-stream_size.c b/src/detect-stream_size.c index 2866d621f2..584e25c0d7 100644 --- a/src/detect-stream_size.c +++ b/src/detect-stream_size.c @@ -55,6 +55,8 @@ void DetectStreamSizeRegisterTests(void); void DetectStreamSizeRegister(void) { sigmatch_table[DETECT_STREAM_SIZE].name = "stream_size"; + sigmatch_table[DETECT_STREAM_SIZE].desc = "match on amount of bytes of a stream"; + sigmatch_table[DETECT_STREAM_SIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#stream_size"; sigmatch_table[DETECT_STREAM_SIZE].Match = DetectStreamSizeMatch; sigmatch_table[DETECT_STREAM_SIZE].Setup = DetectStreamSizeSetup; sigmatch_table[DETECT_STREAM_SIZE].Free = DetectStreamSizeFree; diff --git a/src/detect-threshold.c b/src/detect-threshold.c index a1db7b84b4..0ac3768803 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -72,6 +72,8 @@ static void DetectThresholdFree(void *); void DetectThresholdRegister (void) { sigmatch_table[DETECT_THRESHOLD].name = "threshold"; + sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency"; + sigmatch_table[DETECT_THRESHOLD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding#threshold"; sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch; sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup; sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree; diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index ffad7c945d..2b0c013ef8 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -68,6 +68,8 @@ void DetectTlsVersionFree(void *); */ void DetectTlsVersionRegister (void) { sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version"; + sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version"; + sigmatch_table[DETECT_AL_TLS_VERSION].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsversion"; sigmatch_table[DETECT_AL_TLS_VERSION].Match = NULL; sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerMatch = DetectTlsVersionMatch; sigmatch_table[DETECT_AL_TLS_VERSION].alproto = ALPROTO_TLS; diff --git a/src/detect-tls.c b/src/detect-tls.c index 6f3b7b9616..e8e813d65a 100644 --- a/src/detect-tls.c +++ b/src/detect-tls.c @@ -93,7 +93,8 @@ static int DetectTlsStoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, u */ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject"; - sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "Match TLS/SSL certificate Subject field"; + sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field"; + sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlssubject"; sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL; sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch; sigmatch_table[DETECT_AL_TLS_SUBJECT].alproto = ALPROTO_TLS; @@ -102,7 +103,8 @@ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn"; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "Match TLS/SSL certificate IssuerDN field"; + sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field"; + sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsissuerdn"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL; sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch; sigmatch_table[DETECT_AL_TLS_ISSUERDN].alproto = ALPROTO_TLS; @@ -111,7 +113,8 @@ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint"; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "Match TLS/SSL certificate SHA1 fingerprint"; + sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint"; + sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsfingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alproto = ALPROTO_TLS; @@ -120,7 +123,8 @@ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL; sigmatch_table[DETECT_AL_TLS_STORE].name = "tls.store"; - sigmatch_table[DETECT_AL_TLS_STORE].desc = "Store certificate on disk"; + sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk"; + sigmatch_table[DETECT_AL_TLS_STORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsstore"; sigmatch_table[DETECT_AL_TLS_STORE].Match = NULL; sigmatch_table[DETECT_AL_TLS_STORE].AppLayerMatch = DetectTlsStoreMatch; sigmatch_table[DETECT_AL_TLS_STORE].alproto = ALPROTO_TLS; diff --git a/src/detect-ttl.c b/src/detect-ttl.c index e2534e52c4..2d21799a3f 100644 --- a/src/detect-ttl.c +++ b/src/detect-ttl.c @@ -53,6 +53,8 @@ void DetectTtlRegisterTests (void); void DetectTtlRegister(void) { sigmatch_table[DETECT_TTL].name = "ttl"; + sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value"; + sigmatch_table[DETECT_TTL].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ttl"; sigmatch_table[DETECT_TTL].Match = DetectTtlMatch; sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup; sigmatch_table[DETECT_TTL].Free = DetectTtlFree; diff --git a/src/detect-urilen.c b/src/detect-urilen.c index e8da8e25ee..d974357d29 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -61,6 +61,8 @@ void DetectUrilenRegisterTests (void); void DetectUrilenRegister(void) { sigmatch_table[DETECT_AL_URILEN].name = "urilen"; + sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri"; + sigmatch_table[DETECT_AL_URILEN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#Urilen"; sigmatch_table[DETECT_AL_URILEN].Match = NULL; sigmatch_table[DETECT_AL_URILEN].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_AL_URILEN].AppLayerMatch = NULL /**< We handle this at detect-engine-uri.c now */; diff --git a/src/detect-window.c b/src/detect-window.c index 4d7c7c8988..b265a6d917 100644 --- a/src/detect-window.c +++ b/src/detect-window.c @@ -57,6 +57,8 @@ void DetectWindowFree(void *); */ void DetectWindowRegister (void) { sigmatch_table[DETECT_WINDOW].name = "window"; + sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size"; + sigmatch_table[DETECT_WINDOW].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Window"; sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch; sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup; sigmatch_table[DETECT_WINDOW].Free = DetectWindowFree; diff --git a/src/detect-within.c b/src/detect-within.c index b64ac9dbfb..cacc7c6f06 100644 --- a/src/detect-within.c +++ b/src/detect-within.c @@ -48,6 +48,8 @@ void DetectWithinRegisterTests(void); void DetectWithinRegister (void) { sigmatch_table[DETECT_WITHIN].name = "within"; + sigmatch_table[DETECT_WITHIN].desc = "indicate that this content match has to be within a certain distance of the previous content keyword match"; + sigmatch_table[DETECT_WITHIN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Within"; sigmatch_table[DETECT_WITHIN].Match = NULL; sigmatch_table[DETECT_WITHIN].Setup = DetectWithinSetup; sigmatch_table[DETECT_WITHIN].Free = NULL; diff --git a/src/detect.c b/src/detect.c index 36c72a7d36..caacce6d75 100644 --- a/src/detect.c +++ b/src/detect.c @@ -4576,19 +4576,19 @@ static inline void PrintFeatureList(int flags, char sep) if (flags & SIGMATCH_IPONLY_COMPAT) { if (prev == 1) printf("%c", sep); - printf("IP only rule"); + printf("compatible with IP only rule"); prev = 1; } if (flags & SIGMATCH_DEONLY_COMPAT) { if (prev == 1) printf("%c", sep); - printf("IP only rule"); + printf("compatible with decoder event only rule"); prev = 1; } if (flags & SIGMATCH_PAYLOAD) { if (prev == 1) printf("%c", sep); - printf("payload inspecting rule"); + printf("payload inspecting keyword"); prev = 1; } if (prev == 0) { @@ -4596,6 +4596,21 @@ static inline void PrintFeatureList(int flags, char sep) } } +static inline void SigMultilinePrint(int i, char *prefix) +{ + if (sigmatch_table[i].desc) { + printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc); + } + printf("%sProtocol: %s\n", prefix, + AppLayerGetProtoString(sigmatch_table[i].alproto)); + printf("%sFeatures: ", prefix); + PrintFeatureList(sigmatch_table[i].flags, ','); + if (sigmatch_table[i].url) { + printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url); + } + printf("\n"); +} + void SigTableList(const char *keyword) { size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt); @@ -4608,8 +4623,8 @@ void SigTableList(const char *keyword) if (sigmatch_table[i].name != NULL) printf("- %s\n", sigmatch_table[i].name); } - } else if (!strcmp("all", keyword)) { - printf("name;description;app layer;features\n"); + } else if (!strcmp("csv", keyword)) { + printf("name;description;app layer;features;documentation\n"); for (i = 0; i < size; i++) { if (sigmatch_table[i].name != NULL) { printf("%s;", sigmatch_table[i].name); @@ -4618,24 +4633,27 @@ void SigTableList(const char *keyword) } /* Build feature */ printf(";%s;", - TmModuleAlprotoToString(sigmatch_table[i].alproto)); + AppLayerGetProtoString(sigmatch_table[i].alproto)); PrintFeatureList(sigmatch_table[i].flags, ':'); + printf(";"); + if (sigmatch_table[i].url) { + printf("%s", sigmatch_table[i].url); + } + printf(";"); printf("\n"); } } + } else if (!strcmp("all", keyword)) { + for (i = 0; i < size; i++) { + printf("%s:\n", sigmatch_table[i].name); + SigMultilinePrint(i, "\t"); + } } else { for (i = 0; i < size; i++) { if ((sigmatch_table[i].name != NULL) && !strcmp(sigmatch_table[i].name, keyword)) { - printf("%s\n", sigmatch_table[i].name); - if (sigmatch_table[i].desc) { - printf("Description: %s\n", sigmatch_table[i].desc); - } - printf("Protocol: %s\n", - TmModuleAlprotoToString(sigmatch_table[i].alproto)); - printf("Features: "); - PrintFeatureList(sigmatch_table[i].flags, ','); - printf("\n"); + printf("= %s =\n", sigmatch_table[i].name); + SigMultilinePrint(i, ""); } } } diff --git a/src/detect.h b/src/detect.h index 0bbcd54ddc..c56e149bc2 100644 --- a/src/detect.h +++ b/src/detect.h @@ -861,6 +861,7 @@ typedef struct SigTableElmt_ { uint8_t flags; char *name; char *desc; + char *url; } SigTableElmt; diff --git a/src/suricata.c b/src/suricata.c index 1dc188f794..1648627926 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -462,73 +462,73 @@ void usage(const char *progname) printf("%s %s\n", PROG_NAME, PROG_VER); #endif printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname); - printf("\t-c : path to configuration file\n"); - printf("\t-T : test configuration file (use with -c)\n"); - printf("\t-i : run in pcap live mode\n"); - printf("\t-F : bpf filter file\n"); - printf("\t-r : run in pcap file/offline mode\n"); + printf("\t-c : path to configuration file\n"); + printf("\t-T : test configuration file (use with -c)\n"); + printf("\t-i : run in pcap live mode\n"); + printf("\t-F : bpf filter file\n"); + printf("\t-r : run in pcap file/offline mode\n"); #ifdef NFQ - printf("\t-q : run in inline nfqueue mode\n"); + printf("\t-q : run in inline nfqueue mode\n"); #endif /* NFQ */ #ifdef IPFW - printf("\t-d : run in inline ipfw divert mode\n"); + printf("\t-d : run in inline ipfw divert mode\n"); #endif /* IPFW */ - printf("\t-s : path to signature file loaded in addition to suricata.yaml settings (optional)\n"); - printf("\t-S : path to signature file loaded exclusively (optional)\n"); - printf("\t-l : default log directory\n"); + printf("\t-s : path to signature file loaded in addition to suricata.yaml settings (optional)\n"); + printf("\t-S : path to signature file loaded exclusively (optional)\n"); + printf("\t-l : default log directory\n"); #ifndef OS_WIN32 - printf("\t-D : run as daemon\n"); + printf("\t-D : run as daemon\n"); #else - printf("\t--service-install : install as service\n"); - printf("\t--service-remove : remove service\n"); - printf("\t--service-change-params : change service startup parameters\n"); + printf("\t--service-install : install as service\n"); + printf("\t--service-remove : remove service\n"); + printf("\t--service-change-params : change service startup parameters\n"); #endif /* OS_WIN32 */ - printf("\t-V : display Suricata version\n"); + printf("\t-V : display Suricata version\n"); #ifdef UNITTESTS - printf("\t-u : run the unittests and exit\n"); - printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n"); - printf("\t--list-unittests : list unit tests\n"); - printf("\t--fatal-unittests : enable fatal failure on unittest error\n"); + printf("\t-u : run the unittests and exit\n"); + printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n"); + printf("\t--list-unittests : list unit tests\n"); + printf("\t--fatal-unittests : enable fatal failure on unittest error\n"); #endif /* UNITTESTS */ - printf("\t--list-app-layer-protos : list supported app layer protocols\n"); - printf("\t--list-keywords[=any|]: list keywords implemented by the engine\n"); + printf("\t--list-app-layer-protos : list supported app layer protocols\n"); + printf("\t--list-keywords[=all|csv|] : list keywords implemented by the engine\n"); #ifdef __SC_CUDA_SUPPORT__ - printf("\t--list-cuda-cards : list cuda supported cards\n"); -#endif - printf("\t--list-runmodes : list supported runmodes\n"); - printf("\t--runmode : specific runmode modification the engine should run. The argument\n" - "\t supplied should be the id for the runmode obtained by running\n" - "\t --list-runmodes\n"); - printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n" - "\t Please have a look at the conf parameter engine-analysis on what reports\n" - "\t can be printed\n"); - printf("\t--pidfile : write pid to this file (only for daemon mode)\n"); - printf("\t--init-errors-fatal : enable fatal failure on signature init error\n"); - printf("\t--dump-config : show the running configuration\n"); - printf("\t--build-info : display build information\n"); - printf("\t--pcap[=] : run in pcap mode, no value select interfaces from suricata.yaml\n"); + printf("\t--list-cuda-cards : list cuda supported cards\n"); +#endif + printf("\t--list-runmodes : list supported runmodes\n"); + printf("\t--runmode : specific runmode modification the engine should run. The argument\n" + "\t supplied should be the id for the runmode obtained by running\n" + "\t --list-runmodes\n"); + printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n" + "\t Please have a look at the conf parameter engine-analysis on what reports\n" + "\t can be printed\n"); + printf("\t--pidfile : write pid to this file (only for daemon mode)\n"); + printf("\t--init-errors-fatal : enable fatal failure on signature init error\n"); + printf("\t--dump-config : show the running configuration\n"); + printf("\t--build-info : display build information\n"); + printf("\t--pcap[=] : run in pcap mode, no value select interfaces from suricata.yaml\n"); #ifdef HAVE_PCAP_SET_BUFF - printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX); + printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX); #endif /* HAVE_SET_PCAP_BUFF */ #ifdef HAVE_AF_PACKET - printf("\t--af-packet[=] : run in af-packet mode, no value select interfaces from suricata.yaml\n"); + printf("\t--af-packet[=] : run in af-packet mode, no value select interfaces from suricata.yaml\n"); #endif #ifdef HAVE_PFRING - printf("\t--pfring[=] : run in pfring mode, use interfaces from suricata.yaml\n"); - printf("\t--pfring-int : run in pfring mode, use interface \n"); - printf("\t--pfring-cluster-id : pfring cluster id \n"); - printf("\t--pfring-cluster-type : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n"); + printf("\t--pfring[=] : run in pfring mode, use interfaces from suricata.yaml\n"); + printf("\t--pfring-int : run in pfring mode, use interface \n"); + printf("\t--pfring-cluster-id : pfring cluster id \n"); + printf("\t--pfring-cluster-type : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n"); #endif /* HAVE_PFRING */ #ifdef HAVE_LIBCAP_NG - printf("\t--user : run suricata as this user after init\n"); - printf("\t--group : run suricata as this group after init\n"); + printf("\t--user : run suricata as this user after init\n"); + printf("\t--group : run suricata as this group after init\n"); #endif /* HAVE_LIBCAP_NG */ - printf("\t--erf-in : process an ERF file\n"); + printf("\t--erf-in : process an ERF file\n"); #ifdef HAVE_DAG - printf("\t--dag : process ERF records from DAG interface X, stream Y\n"); + printf("\t--dag : process ERF records from DAG interface X, stream Y\n"); #endif #ifdef HAVE_NAPATECH - printf("\t--napatech : run Napatech Streams using the API\n"); + printf("\t--napatech : run Napatech Streams using the API\n"); #endif printf("\n"); printf("\nTo run the engine with default configuration on " @@ -921,7 +921,9 @@ int main(int argc, char **argv) exit(EXIT_SUCCESS); } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) { if (optarg) { - keyword_info = optarg; + if (strcmp("short",optarg)) { + keyword_info = optarg; + } } } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) { runmode_custom_mode = optarg;