From: Ralph Broenink Date: Sat, 14 Oct 2017 10:19:33 +0000 (+0200) Subject: doc: Restructure ToC X-Git-Tag: suricata-4.1.0-beta1~500 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=722cff1862c54cb3555478af2c02868ca6470284;p=thirdparty%2Fsuricata.git doc: Restructure ToC * All sections up to 2 levels deep are now shown regardless of whether they are a separate page * Rename Xbits and Thresholding for more consistent naming * Minor adjustment in the Payload Keywords section --- diff --git a/doc/userguide/index.rst b/doc/userguide/index.rst index 13f4f6838f..900c6e7fb6 100644 --- a/doc/userguide/index.rst +++ b/doc/userguide/index.rst @@ -3,7 +3,7 @@ Suricata User Guide .. toctree:: :numbered: - :titlesonly: + :maxdepth: 2 what-is-suricata install.rst diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index 6be1d0ca9c..2b8924c152 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -8,16 +8,16 @@ Suricata Rules header-keywords payload-keywords prefilter-keywords - http-keywords flow-keywords - xbits + http-keywords file-keywords - thresholding dns-keywords tls-keywords modbus-keyword dnp3-keywords enip-keyword app-layer + xbits + thresholding rule-lua-scripting differences-from-snort diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index d299a13ead..e2e4d42a6b 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst 
@@ -60,14 +60,10 @@ A few examples:: It is possible to let a signature check the whole payload for a match with the content or to let it check specific parts of the payload. We come to that later. If you add nothing special to the signature, it will try to find a match in all the bytes of the payload. -Example: - .. container:: example-rule drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; :example-rule-emphasis:`content:"NICK ";` pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) -In this example, the red, bold-faced part is the content. - By default the pattern-matching is case sensitive. The content has to be accurate, otherwise there will not be a match. @@ -251,7 +247,7 @@ example of dsize in a rule: alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;) rpc ----- +--- The rpc keyword can be used to match in the SUNRPC CALL on the RPC procedure numbers and the RPC version. diff --git a/doc/userguide/rules/thresholding.rst b/doc/userguide/rules/thresholding.rst index 196f20a340..3d83859385 100644 --- a/doc/userguide/rules/thresholding.rst +++ b/doc/userguide/rules/thresholding.rst @@ -1,5 +1,5 @@ -Rule Thresholding -================= +Thresholding Keywords +===================== Thresholding can be configured per rule and also globally, see :doc:`../configuration/global-thresholds`. diff --git a/doc/userguide/rules/xbits.rst b/doc/userguide/rules/xbits.rst index e574e3fcf3..3f77ca8506 100644 --- a/doc/userguide/rules/xbits.rst +++ b/doc/userguide/rules/xbits.rst 
@@ -1,5 +1,5 @@ -Xbits -===== +Xbits Keyword +============= Set, unset, toggle and check for bits stored per host or ip_pair.
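Review bot: In the doc/userguide/rules/index.rst hunk, the toctree entries are reordered (http-keywords moves below flow-keywords, xbits and thresholding move below app-layer), but the commit message does not mention the reorder. Because the top-level toctree in doc/userguide/index.rst is `:numbered:`, this shifts the section numbers of the pages involved, so anyone citing a rule page by its number will land on a different page. Suggest adding a line to the commit message that states the reorder and the reason for it.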
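Review bot: In the first doc/userguide/rules/payload-keywords.rst hunk (@@ -60,14 +60,10 @@), removing "In this example, the red, bold-faced part is the content." leaves the `:example-rule-emphasis:` markup around `content:"NICK ";` unexplained, and with "Example:" also gone the rule follows the preceding paragraph with no lead-in. Suggest keeping a style-neutral sentence such as "In this example, the emphasized part is the content." instead of dropping the explanation outright.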
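Review bot: In the doc/userguide/rules/thresholding.rst hunk, changing the title from "Rule Thresholding" to "Thresholding Keywords" also changes the heading anchor that Sphinx derives from the title text, so existing links that include the old heading fragment stop resolving to it. Suggest placing an explicit label above the title so there is a stable link target that survives future renames.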
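Review bot: In the doc/userguide/rules/xbits.rst hunk, the new title "Xbits Keyword" is singular while the thresholding page becomes "Thresholding Keywords", although the commit message gives more consistent naming as the reason for both renames. Confirm that the singular form is intentional (the rules toctree already mixes modbus-keyword and enip-keyword with the plural *-keywords pages) or settle on one form for these titles.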