From: Jeff Lucovsky Date: Mon, 8 Apr 2019 22:52:55 +0000 (-0700) Subject: documentation: sticky buffer updates X-Git-Tag: suricata-5.0.0-beta1~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97fc7c1e1aa40a0add4813e486b6490bd95d4a88;p=thirdparty%2Fsuricata.git documentation: sticky buffer updates This changeset updates the userguide for the TLS and JA3 keywords that have been renamed from _ to --- diff --git a/doc/userguide/rules/ja3-keywords.rst b/doc/userguide/rules/ja3-keywords.rst index d210bf64bc..904cfd9a7a 100644 --- a/doc/userguide/rules/ja3-keywords.rst +++ b/doc/userguide/rules/ja3-keywords.rst @@ -5,7 +5,7 @@ Suricata comes with a JA3 integration (https://github.com/salesforce/ja3). JA3 i JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes'). -ja3_hash +ja3.hash -------- Match on JA3 hash (md5). @@ -13,14 +13,18 @@ Match on JA3 hash (md5). Example:: alert tls any any -> any any (msg:"match JA3 hash"; \ - ja3_hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \ + ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; \ sid:100001;) -``ja3_hash`` is a 'Sticky buffer'. +``ja3.hash`` is a 'Sticky buffer'. -``ja3_hash`` can be used as ``fast_pattern``. +``ja3.hash`` can be used as ``fast_pattern``. -ja3_string +``ja3.hash`` replaces the previous keyword name: ``ja3_hash``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. + +ja3.string ---------- Match on JA3 string. 
@@ -28,9 +32,13 @@ Match on JA3 string. Example:: alert tls any any -> any any (msg:"match JA3 string"; \ - ja3_string; content:"19-20-21-22"; \ + ja3.string; content:"19-20-21-22"; \ sid:100002;) -``ja3_string`` is a 'Sticky buffer'. +``ja3.string`` is a 'Sticky buffer'. + +``ja3.string`` can be used as ``fast_pattern``. -``ja3_string`` can be used as ``fast_pattern``. +``ja3.string`` replaces the previous keyword name: ``ja3_string``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. diff --git a/doc/userguide/rules/tls-keywords.rst b/doc/userguide/rules/tls-keywords.rst index 0debdbcf23..949379ec2c 100644 --- a/doc/userguide/rules/tls-keywords.rst +++ b/doc/userguide/rules/tls-keywords.rst 
@@ -3,35 +3,43 @@ SSL/TLS Keywords Suricata comes with several rule keywords to match on various properties of TLS/SSL handshake. Matches are string inclusion matches. -tls_cert_subject +tls.cert_subject ---------------- Match TLS/SSL certificate Subject field. Examples:: - tls_cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative; - tls_cert_subject; content:"google.com"; nocase; pcre:"/google.com$/"; + tls.cert_subject; content:"CN=*.googleusercontent.com"; isdataat:!1,relative; + tls.cert_subject; content:"google.com"; nocase; pcre:"/google.com$/"; -``tls_cert_subject`` is a 'Sticky buffer'. +``tls.cert_subject`` is a 'Sticky buffer'. -``tls_cert_subject`` can be used as ``fast_pattern``. +``tls.cert_subject`` can be used as ``fast_pattern``. -tls_cert_issuer +``tls.cert_subject`` replaces the previous keyword name: ``tls_cert_subject``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. + +tls.cert_issuer --------------- Match TLS/SSL certificate Issuer field. Examples:: - tls_cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative; - tls_cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/"; + tls.cert_issuer; content:"WoSign"; nocase; isdataat:!1,relative; + tls.cert_issuer; content:"StartCom"; nocase; pcre:"/StartCom$/"; + +``tls.cert_issuer`` is a 'Sticky buffer'. -``tls_cert_issuer`` is a 'Sticky buffer'. +``tls.cert_issuer`` can be used as ``fast_pattern``. -``tls_cert_issuer`` can be used as ``fast_pattern``. +``tls.cert_issuer`` replaces the previous keyword name: ``tls_cert_issuer``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. -tls_cert_serial +tls.cert_serial --------------- Match on the serial number in a certificate. 
@@ -39,13 +47,17 @@ Match on the serial number in a certificate. Example:: alert tls any any -> any any (msg:"match cert serial"; \ - tls_cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;) + tls.cert_serial; content:"5C:19:B7:B1:32:3B:1C:A1"; sid:200012;) + +``tls.cert_serial`` is a 'Sticky buffer'. -``tls_cert_serial`` is a 'Sticky buffer'. +``tls.cert_serial`` can be used as ``fast_pattern``. -``tls_cert_serial`` can be used as ``fast_pattern``. +``tls.cert_serial`` replaces the previous keyword name: ``tls_cert_serial``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. -tls_cert_fingerprint +tls.cert_fingerprint -------------------- Match on the SHA-1 fingerprint of the certificate. 
@@ -53,27 +65,35 @@ Match on the SHA-1 fingerprint of the certificate. Example:: alert tls any any -> any any (msg:"match cert fingerprint"; \ - tls_cert_fingerprint; \ + tls.cert_fingerprint; \ content:"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18"; \ sid:200023;) -``tls_cert_fingerprint`` is a 'Sticky buffer'. +``tls.cert_fingerprint`` is a 'Sticky buffer'. -``tls_cert_fingerprint`` can be used as ``fast_pattern``. +``tls.cert_fingerprint`` can be used as ``fast_pattern``. -tls_sni +``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. + +tls.sni ------- Match TLS/SSL Server Name Indication field. Examples:: - tls_sni; content:"oisf.net"; nocase; isdataat:!1,relative; - tls_sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/"; + tls.sni; content:"oisf.net"; nocase; isdataat:!1,relative; + tls.sni; content:"oisf.net"; nocase; pcre:"/oisf.net$/"; + +``tls.sni`` is a 'Sticky buffer'. -``tls_sni`` is a 'Sticky buffer'. +``tls.sni`` can be used as ``fast_pattern``. -``tls_sni`` can be used as ``fast_pattern``. +``tls.sni`` replaces the previous keyword name: ``tls_sni``. You may continue +to use the previous name, but it's recommended that rules be converted to use +the new name. tls_cert_notbefore ------------------ @@ -166,7 +186,7 @@ example: Case sensitive, can't use 'nocase'. -Legacy keyword. ``tls_cert_subject`` is the replacement. +Legacy keyword. ``tls.cert_subject`` is the replacement. tls.issuerdn ------------ @@ -182,7 +202,7 @@ example: Case sensitive, can't use 'nocase'. -Legacy keyword. ``tls_cert_issuer`` is the replacement. +Legacy keyword. ``tls.cert_issuer`` is the replacement. tls.fingerprint ---------------
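Review bot: The tls.cert_fingerprint replacement paragraph in the `@@ -53,27 +65,35 @@` hunk of tls-keywords.rst is missing the sentence break and the word "You": it reads "``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint`` may continue to use the previous name", which renders as a single broken sentence. Make it match the other sections: "``tls.cert_fingerprint`` replaces the previous keyword name: ``tls_cert_fingerprint``. You may continue to use the previous name, but it's recommended that rules be converted to use the new name."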
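Review bot: In the last hunk of tls-keywords.rst (`@@ -182,7 +202,7 @@`) the "Legacy keyword" line for tls.issuerdn is updated to point at ``tls.cert_issuer``, but the hunk ends right at the ``tls.fingerprint`` heading, whose body is not part of this diff. If that section carries a similar "Legacy keyword. ``tls_cert_fingerprint`` is the replacement." line, it should be updated to ``tls.cert_fingerprint`` in the same changeset so the legacy sections stay consistent with the renamed sections above them.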
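Review bot: The unchanged context at the end of the `@@ -53,27 +65,35 @@` hunk still shows the ``tls_cert_notbefore`` heading with the underscore form, while every other sticky buffer in the file is moved to the dotted form. If tls_cert_notbefore (and tls_cert_notafter, which follows it in the file) were not renamed in the engine, a one-line remark near the top of the file stating which keywords keep the underscore form would save readers from assuming the docs are simply incomplete; if they were renamed, they need the same heading, example and replacement-note treatment as the others.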
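Review bot: The paragraph "X replaces the previous keyword name: Y. You may continue to use the previous name, but it's recommended that rules be converted to use the new name." is pasted verbatim into seven sections across ja3-keywords.rst and tls-keywords.rst (first in the `@@ -5,7 +5,7 @@` hunk for ja3.hash). Consider a single note at the top of each file listing the old and new names, or an RST substitution for the shared sentence, so that any later wording change (for example, once the old names stop being accepted) only has to be made once. The same hunks also swap the order of the "is a 'Sticky buffer'" and "can be used as ``fast_pattern``" lines rather than editing them in place, which makes the diff harder to review than the rename itself warrants.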