From: Ralph Broenink Date: Sat, 14 Oct 2017 09:37:42 +0000 (+0200) Subject: doc: Replace images of tables and rules with text in rules docs X-Git-Tag: suricata-4.1.0-beta1~511 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a52aacb4ea71415ab82cdaadc823c9e4652e0e0c;p=thirdparty%2Fsuricata.git doc: Replace images of tables and rules with text in rules docs In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis. Additionally, some tables embedded into images were also replaced by reST tables. --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index 89fac2509e..1e453863f5 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -1,5 +1,6 @@ Header Keywords =============== +.. role:: example-rule-emphasis IP-keywords ----------- @@ -27,7 +28,9 @@ routing loops. Example of the ttl keyword in a rule: -.. image:: header-keywords/ttl.png +.. container:: example-rule + + alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;) Ipopts ^^^^^^ @@ -37,7 +40,20 @@ set. Ipopts has to be used at the beginning of a rule. You can only match on one option per rule. There are several options on which can be matched. These are: -.. image:: header-keywords/ipopts.png +========= ============================= +IP Option Description +========= ============================= +rr Record Route +eol End of List +nop No Op +ts Time Stamp +sec IP Security +esec IP Extended Security +lsrr Loose Source Routing +ssrr Strict Source Routing +satid Stream Identifier +any any IP options are set +========= ============================= Format of the ipopts keyword:: 
@@ -49,7 +65,9 @@ For example:: Example of ipopts in a rule: -.. image:: header-keywords/ipopts_rule.png +.. container:: example-rule + + alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; :example-rule-emphasis:`ipopts:ssrr;` reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;) sameip ^^^^^^ @@ -64,7 +82,9 @@ keyword is:: Example of sameip in a rule: -.. image:: header-keywords/sameip.png +.. container:: example-rule + + alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; :example-rule-emphasis:`sameip;` reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;) ip_proto ^^^^^^^^ @@ -86,7 +106,9 @@ http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers Example of ip_proto in a rule: -.. image:: header-keywords/ip_proto.png +.. container:: example-rule + + alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;) The named variante of that example would be:: @@ -110,7 +132,9 @@ Format of id:: Example of id in a rule: -.. image:: header-keywords/id.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;) Geoip ^^^^^ 
@@ -174,7 +198,9 @@ Format:: Example of fragbits in a rule: -.. image:: header-keywords/fragbits.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Fragoffset ^^^^^^^^^^ @@ -199,7 +225,9 @@ Format of fragoffset:: Example of fragoffset in a rule: -.. image:: header-keywords/fragoffset.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: M; :example-rule-emphasis:`fragoffset: >0;` reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) TCP keywords ------------ @@ -226,7 +254,9 @@ Example:: Example of seq in a signature: -.. image:: header-keywords/seq.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; :example-rule-emphasis:`seq:0;` reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;) Example of seq in a packet (Wireshark): @@ -249,7 +279,9 @@ Format of ack:: Example of ack in a signature: -.. image:: header-keywords/ack.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; :example-rule-emphasis:`ack:0;` flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;) Example of ack in a packet (Wireshark): 
@@ -275,7 +307,9 @@ The format of the window keyword:: Example of window in a rule: -.. image:: header-keywords/Window.png +.. container:: example-rule + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) ICMP keywords ------------- @@ -316,7 +350,44 @@ This example looks for an ICMP type greater than 10:: Example of the itype keyword in a signature: -.. image:: header-keywords/icmp_type.png +.. container:: example-rule + + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; :example-rule-emphasis:`itype:8;` classtype:attempted-recon; sid:2100478; rev:4;) + +The following lists all ICMP types known at the time of writing. A recent table can be found `at the website of IANA `_ + +========== ========================================================== +ICMP Type Name +========== ========================================================== +0 Echo Reply +3 Destination Unreachable +4 Source Quench +5 Redirect +6 Alternate Host Address +8 Echo +9 Router Advertisement +10 Router Solicitation +11 Time Exceeded +12 Parameter Problem +13 Timestamp +14 Timestamp Reply +15 Information Request +16 Information Reply +17 Address Mask Request +18 Address Mask Reply +30 Traceroute +31 Datagram Conversion Error +32 Mobile Host Redirect +33 IPv6 Where-Are-You +34 IPv6 I-Am-Here +35 Mobile Registration Request +36 Mobile Registration Reply +37 Domain Name Request +38 Domain Name Reply +39 SKIP +40 Photuris +41 Experimental mobility protocols such as Seamoby +========== ========================================================== icode ^^^^^ 
@@ -338,7 +409,51 @@ This example looks for an ICMP code greater than 5:: Example of the icode keyword in a rule: -.. image:: header-keywords/icode.png +.. container:: example-rule + + alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; :example-rule-emphasis:`icode:0;` itype:11; classtype:misc-activity; sid:2100449; rev:7;) + +The following lists the meaning of all ICMP types. When a code is not listed, +only type 0 is defined and has the meaning of the ICMP code, in the table above. +A recent table can be found `at the website of IANA `_ + +========== ========== ========================================================================= +ICMP Code ICMP Type Description +========== ========== ========================================================================= +3 - 0 - Net Unreachable + - 1 - Host Unreachable + - 2 - Protocol Unreachable + - 3 - Port Unreachable + - 4 - Fragmentation Needed and Don't Fragment was Set + - 5 - Source Route Failed + - 6 - Destination Network Unknown + - 7 - Destination Host Unknown + - 8 - Source Host Isolated + - 9 - Communication with Destination Network is Administratively Prohibited + - 10 - Communication with Destination Host is Administratively Prohibited + - 11 - Destination Network Unreachable for Type of Service + - 12 - Destination Host Unreachable for Type of Service + - 13 - Communication Administratively Prohibited + - 14 - Host Precedence Violation + - 15 - Precedence cutoff in effect +5 - 0 - Redirect Datagram for the Network (or subnet) + - 1 - Redirect Datagram for the Host + - 2 - Redirect Datagram for the Type of Service and Network + - 3 - Redirect Datagram for the Type of Service and Host +9 - 0 - Normal router advertisement + - 16 - Doest not route common traffic +11 - 0 - Time to Live exceeded in Transit + - 1 - Fragment Reassembly Time Exceeded +12 - 0 - Pointer indicates the error + - 1 - Missing a Required Option + - 2 - Bad Length +40 - 0 - Bad SPI + - 1 - 
Authentication Failed + - 2 - Decompression Failed + - 3 - Decryption Failed + - 4 - Need Authentication + - 5 - Need Authorization +========== ========== ========================================================================= icmp_id ^^^^^^^ @@ -360,7 +475,9 @@ This example looks for an ICMP ID of 0:: Example of the icmp_id keyword in a rule: -.. image:: header-keywords/icmp_id.png +.. container:: example-rule + + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; :example-rule-emphasis:`icmp_id:0;` icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4;) icmp_seq ^^^^^^^^ @@ -381,12 +498,6 @@ This example looks for an ICMP Sequence of 0:: Example of icmp_seq in a rule: -.. image:: header-keywords/icmp_seq.png - -Message types and numbers: - -.. image:: header-keywords/ICMP_types.png - -Meaning of type-numbers en codes combined: +.. container:: example-rule -.. image:: header-keywords/ICMP_type_code.png + alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;) diff --git a/doc/userguide/rules/header-keywords/ICMP_type_code.png b/doc/userguide/rules/header-keywords/ICMP_type_code.png deleted file mode 100644 index e14239e84e..0000000000 Binary files a/doc/userguide/rules/header-keywords/ICMP_type_code.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ICMP_types.png b/doc/userguide/rules/header-keywords/ICMP_types.png deleted file mode 100644 index a1589d8d89..0000000000 Binary files a/doc/userguide/rules/header-keywords/ICMP_types.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/Window.png b/doc/userguide/rules/header-keywords/Window.png deleted file mode 100644 index 1d1a53ee10..0000000000 Binary files a/doc/userguide/rules/header-keywords/Window.png and /dev/null differ 
diff --git a/doc/userguide/rules/header-keywords/ack.png b/doc/userguide/rules/header-keywords/ack.png deleted file mode 100644 index b5bd788c7e..0000000000 Binary files a/doc/userguide/rules/header-keywords/ack.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/fragbits.png b/doc/userguide/rules/header-keywords/fragbits.png deleted file mode 100644 index 30d497f1eb..0000000000 Binary files a/doc/userguide/rules/header-keywords/fragbits.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/fragoffset.png b/doc/userguide/rules/header-keywords/fragoffset.png deleted file mode 100644 index a5c1ecec7f..0000000000 Binary files a/doc/userguide/rules/header-keywords/fragoffset.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_id.png b/doc/userguide/rules/header-keywords/icmp_id.png deleted file mode 100644 index 6db0c5828f..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_id.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_seq.png b/doc/userguide/rules/header-keywords/icmp_seq.png deleted file mode 100644 index bcfcdc7041..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_seq.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icmp_type.png b/doc/userguide/rules/header-keywords/icmp_type.png deleted file mode 100644 index 7ca579e458..0000000000 Binary files a/doc/userguide/rules/header-keywords/icmp_type.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/icode.png b/doc/userguide/rules/header-keywords/icode.png deleted file mode 100644 index 3535e55ac0..0000000000 Binary files a/doc/userguide/rules/header-keywords/icode.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/id.png b/doc/userguide/rules/header-keywords/id.png deleted file mode 100644 index 0285b8e403..0000000000 Binary files a/doc/userguide/rules/header-keywords/id.png and /dev/null differ 
diff --git a/doc/userguide/rules/header-keywords/ip_proto.png b/doc/userguide/rules/header-keywords/ip_proto.png deleted file mode 100644 index 1e5bc503d9..0000000000 Binary files a/doc/userguide/rules/header-keywords/ip_proto.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ipopts.png b/doc/userguide/rules/header-keywords/ipopts.png deleted file mode 100644 index 666c178427..0000000000 Binary files a/doc/userguide/rules/header-keywords/ipopts.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ipopts_rule.png b/doc/userguide/rules/header-keywords/ipopts_rule.png deleted file mode 100644 index c0f817ab80..0000000000 Binary files a/doc/userguide/rules/header-keywords/ipopts_rule.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/sameip.png b/doc/userguide/rules/header-keywords/sameip.png deleted file mode 100644 index 56e0f32f62..0000000000 Binary files a/doc/userguide/rules/header-keywords/sameip.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/seq.png b/doc/userguide/rules/header-keywords/seq.png deleted file mode 100644 index aa0cea5367..0000000000 Binary files a/doc/userguide/rules/header-keywords/seq.png and /dev/null differ diff --git a/doc/userguide/rules/header-keywords/ttl.png b/doc/userguide/rules/header-keywords/ttl.png deleted file mode 100644 index 3b18792aef..0000000000 Binary files a/doc/userguide/rules/header-keywords/ttl.png and /dev/null differ diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 6d38460b97..543ec9b3ba 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -2,6 +2,7 @@ HTTP Keywords ============= +.. role:: example-rule-emphasis There are additional content modifiers that can provide protocol-specific capabilities at the application layer. More information can be found at 
@@ -193,7 +194,9 @@ request URI buffer. Example of ``uricontent``: -.. image:: http-keywords/uricontent.png +.. container:: example-rule + + alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; :example-rule-emphasis:`uricontent:"/frame.html?";` urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;) The difference between ``http_uri`` and ``uricontent`` is the syntax: @@ -229,7 +232,9 @@ Example: Example of ``urilen`` in a signature: -.. image:: http-keywords/urilen1.png +.. container:: example-rule + + alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; :example-rule-emphasis:`urilen: > 80;` classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;) You can also append ``norm`` or ``raw`` to define what sort of buffer you want to use (normalized or raw buffer). diff --git a/doc/userguide/rules/http-keywords/uricontent.png b/doc/userguide/rules/http-keywords/uricontent.png deleted file mode 100644 index b9e8aad274..0000000000 Binary files a/doc/userguide/rules/http-keywords/uricontent.png and /dev/null differ diff --git a/doc/userguide/rules/http-keywords/urilen1.png b/doc/userguide/rules/http-keywords/urilen1.png deleted file mode 100644 index 8a11075fca..0000000000 Binary files a/doc/userguide/rules/http-keywords/urilen1.png and /dev/null differ diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index fb20a1c7ec..507d5b528f 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst 
@@ -15,9 +15,20 @@ A rule/signature consists of the following: The action, header and rule-options. +.. role:: example-rule-action +.. role:: example-rule-header +.. role:: example-rule-options +.. role:: example-rule-emphasis + Example of a signature: -.. image:: intro/intro_sig.png +.. container:: example-rule + + :example-rule-action:`drop` :example-rule-header:`tcp $HOME_NET any -> $EXTERNAL_NET any` :example-rule-options:`(msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)` + +In this example, :example-rule-action:`red` is the action, +:example-rule-header:`green` is the header and :example-rule-options:`blue` +are the options. Action ------ @@ -25,11 +36,9 @@ Action For more information read 'Action Order' see :ref:`suricata-yaml-action-order`. -Example: - -.. image:: intro/action.png +.. container:: example-rule -In this example the red, bold-faced part is the action. + :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) Protocol -------- @@ -45,7 +54,9 @@ match if it concerns http-traffic. Example: -.. image:: intro/protocol.png +.. container:: example-rule + + drop :example-rule-emphasis:`tcp` $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the protocol. 
@@ -83,13 +94,11 @@ You can not write a signature using EXTERNAL_NET because it stands for Example of source and destination in a signature: -.. image:: intro/Source.png +.. container:: example-rule -The red, bold-faced part is the source. + drop tcp :example-rule-emphasis:`$HOME_NET` any -> :example-rule-emphasis:`$EXTERNAL_NET` any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) -.. image:: intro/destination.png - -The red, bold-faced part is the destination. +*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).* Ports (source-and destination-port) ----------------------------------- @@ -120,10 +129,11 @@ Example:: Example of ports in a signature: -.. image:: intro/Source-port.png +.. container:: example-rule + drop tcp $HOME_NET :example-rule-emphasis:`any` -> $EXTERNAL_NET :example-rule-emphasis:`any` (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) -.. image:: intro/Dest_port.png +*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).* In this example, the red, bold-faced part is the port. 
@@ -152,7 +162,9 @@ same order/direction as the payload. Example of direction in a signature: -.. image:: intro/Direction.png +.. container:: example-rule + + drop tcp $HOME_NET any :example-rule-emphasis:`->` $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the direction. diff --git a/doc/userguide/rules/intro/Dest_port.png b/doc/userguide/rules/intro/Dest_port.png deleted file mode 100644 index 43e04147b8..0000000000 Binary files a/doc/userguide/rules/intro/Dest_port.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Direction.png b/doc/userguide/rules/intro/Direction.png deleted file mode 100644 index bdd2378e9f..0000000000 Binary files a/doc/userguide/rules/intro/Direction.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Source-port.png b/doc/userguide/rules/intro/Source-port.png deleted file mode 100644 index c046c49a53..0000000000 Binary files a/doc/userguide/rules/intro/Source-port.png and /dev/null differ diff --git a/doc/userguide/rules/intro/Source.png b/doc/userguide/rules/intro/Source.png deleted file mode 100644 index d0d1baaa38..0000000000 Binary files a/doc/userguide/rules/intro/Source.png and /dev/null differ diff --git a/doc/userguide/rules/intro/action.png b/doc/userguide/rules/intro/action.png deleted file mode 100644 index 4d67d152b0..0000000000 Binary files a/doc/userguide/rules/intro/action.png and /dev/null differ diff --git a/doc/userguide/rules/intro/destination.png b/doc/userguide/rules/intro/destination.png deleted file mode 100644 index 3fc44dbc67..0000000000 Binary files a/doc/userguide/rules/intro/destination.png and /dev/null differ 
diff --git a/doc/userguide/rules/intro/intro_sig.png b/doc/userguide/rules/intro/intro_sig.png deleted file mode 100644 index b726fc5dcb..0000000000 Binary files a/doc/userguide/rules/intro/intro_sig.png and /dev/null differ diff --git a/doc/userguide/rules/intro/protocol.png b/doc/userguide/rules/intro/protocol.png deleted file mode 100644 index 2e0ef370a9..0000000000 Binary files a/doc/userguide/rules/intro/protocol.png and /dev/null differ diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 15edb28616..1feee768c2 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -1,6 +1,8 @@ Meta-settings ============= +.. role:: example-rule-emphasis + Meta-settings have no effect on Suricata's inspection; they do have an effect on the way Suricata reports events. msg (message) @@ -26,6 +28,10 @@ It is a convention that msg is always the first keyword of a signature. Another example of msg in a signature: +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (:example-rule-emphasis:`msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)";` flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) + In this example the red, bold-faced part is the msg. .. note:: The following characters must be escaped inside the msg: @@ -44,7 +50,9 @@ The format of sid is: Example of sid in a signature: -.. image:: meta/sid.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; :example-rule-emphasis:`sid:2008124;` rev:2;) In this example the red, bold-faced part is the sid. 
@@ -65,7 +73,9 @@ of all keywords.* Example of rev in a signature: -.. image:: meta/rev.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; :example-rule-emphasis:`rev:2;`) In this example the red, bold-faced part is the rev. @@ -80,7 +90,10 @@ the alert. Example of gid in a signature: -.. image:: meta/gid.png +.. container:: example-rule + + 10/15/09-03:30:10.219671 [**] [:example-rule-emphasis:`1`:2008124:2] ET TROJAN Likely Bot Nick in IRC (USA +..) [**] [Classification: A Network Trojan was Detected] + [Priority: 3] {TCP} 192.168.1.42:1028 -> 72.184.196.31:6667 This is an example from the fast.log. In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev). 
@@ -102,14 +115,21 @@ Example classtype:: config classification: web-application-attack,Web Application Attack,1 config classification: not-suspicious,Not Suspicious Traffic,3 -.. image:: meta/classification.png +======================= ====================== =========== +classtype Alert Priority +======================= ====================== =========== +web-application-attack Web Application Attack 1 +not-suspicious Not Suspicious Traffic 3 +======================= ====================== =========== In this example you see how classtype appears in signatures, the classification.config and the alert. Another example of classtype in a signature: -.. image:: meta/classtype.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; :example-rule-emphasis:`classtype:trojan-activity;` sid:2008124; rev:2;) In this example the red, bold-faced part is the classtype. @@ -152,7 +172,9 @@ For example bugtraq will be replaced by the full url: Example of reference in a signature: -.. image:: meta/reference.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; :example-rule-emphasis:`reference:url,doc.emergingthreats.net/2008124;` classtype:trojan-activity; sid:2008124; rev:2;) In this example the red, bold-faced part is the action. diff --git a/doc/userguide/rules/meta/classification.png b/doc/userguide/rules/meta/classification.png deleted file mode 100644 index 456b1ee30a..0000000000 Binary files a/doc/userguide/rules/meta/classification.png and /dev/null differ 
diff --git a/doc/userguide/rules/meta/classtype.png b/doc/userguide/rules/meta/classtype.png deleted file mode 100644 index 3d891943d2..0000000000 Binary files a/doc/userguide/rules/meta/classtype.png and /dev/null differ diff --git a/doc/userguide/rules/meta/gid.png b/doc/userguide/rules/meta/gid.png deleted file mode 100644 index 051eecbf5d..0000000000 Binary files a/doc/userguide/rules/meta/gid.png and /dev/null differ diff --git a/doc/userguide/rules/meta/msg.png b/doc/userguide/rules/meta/msg.png deleted file mode 100644 index 8d1e1beeb9..0000000000 Binary files a/doc/userguide/rules/meta/msg.png and /dev/null differ diff --git a/doc/userguide/rules/meta/reference.png b/doc/userguide/rules/meta/reference.png deleted file mode 100644 index 8ed3057ef8..0000000000 Binary files a/doc/userguide/rules/meta/reference.png and /dev/null differ diff --git a/doc/userguide/rules/meta/rev.png b/doc/userguide/rules/meta/rev.png deleted file mode 100644 index d6f039fbdb..0000000000 Binary files a/doc/userguide/rules/meta/rev.png and /dev/null differ diff --git a/doc/userguide/rules/meta/sid.png b/doc/userguide/rules/meta/sid.png deleted file mode 100644 index 7952641d64..0000000000 Binary files a/doc/userguide/rules/meta/sid.png and /dev/null differ diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 42b6f70d01..47d44f9a3a 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -1,5 +1,6 @@ Payload Keywords ================ +.. role:: example-rule-emphasis .. toctree:: :maxdepth: 2 
@@ -67,7 +68,9 @@ If you add nothing special to the signature, it will try to find a match in all Example: -.. image:: payload-keywords/content.png +.. container:: example-rule + + drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; :example-rule-emphasis:`content:"NICK ";` pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) In this example, the red, bold-faced part is the content. @@ -249,7 +252,9 @@ Format:: example of dsize in a rule: -.. image:: payload-keywords/dsize.png +.. container:: example-rule + + alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;) rpc ---- @@ -271,7 +276,9 @@ Format:: Example of the rpc keyword in a rule: -.. image:: payload-keywords/rpc.png +.. container:: example-rule + + alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) Replace ------- diff --git a/doc/userguide/rules/payload-keywords/content.png b/doc/userguide/rules/payload-keywords/content.png deleted file mode 100644 index 267f9ee511..0000000000 Binary files a/doc/userguide/rules/payload-keywords/content.png and /dev/null differ diff --git a/doc/userguide/rules/payload-keywords/dsize.png b/doc/userguide/rules/payload-keywords/dsize.png deleted file mode 100644 index 5973f9d2a8..0000000000 Binary files a/doc/userguide/rules/payload-keywords/dsize.png and /dev/null differ 
diff --git a/doc/userguide/rules/payload-keywords/rpc.png b/doc/userguide/rules/payload-keywords/rpc.png deleted file mode 100644 index f5965eb8f3..0000000000 Binary files a/doc/userguide/rules/payload-keywords/rpc.png and /dev/null differ
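Review bot: the new ICMP code table in the icode hunk of header-keywords.rst (@@ -338,7 +409,51 @@) has its first two column headers swapped: the rows list the type first and the code second (`3 - 0 - Net Unreachable` is type 3, code 0), but the header reads `ICMP Code ICMP Type Description`; it should read `ICMP Type ICMP Code Description`. The introductory sentence has the same inversion, "only type 0 is defined and has the meaning of the ICMP code", and says "meaning of all ICMP types" where codes are meant; suggest "The following lists the meaning of all ICMP codes. When a type is not listed, only code 0 is defined and it carries the meaning of that type in the table above." Also "Doest not route common traffic" should be "Does not route common traffic".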
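Review bot: the IANA reference added in the itype hunk of header-keywords.rst (@@ -316,7 +350,44 @@), and repeated in the icode hunk, reads `at the website of IANA `_ with no `<URL>` target visible in the line; unless that is a rendering artifact of this view, docutils will report an unknown target name for "at the website of IANA" and the link will not render. Please check that the target is present in the committed source, and end the sentence with a period.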
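Review bot: the ports hunk in intro.rst (@@ -120,10 +129,11 @@) is missing the blank line between `.. container:: example-rule` and the indented rule, unlike every other container in this patch; docutils reads an indented line that directly follows a directive as a continuation of its arguments, so the rule text is parsed as class names and the directive fails with an invalid class attribute error. The italic caption pasted in under the rule, "The first emphasized part is the source, the second is the destination", was copied from the source/destination section and should say source port and destination port here; as it stands it also contradicts the retained context line "In this example, the red, bold-faced part is the port."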
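Review bot: the explanation added in the first intro.rst hunk (@@ -15,9 +15,20 @@), "`red` is the action, `green` is the header and `blue` are the options", only holds if a stylesheet defines the `example-rule`, `example-rule-action`, `example-rule-header`, `example-rule-options` and `example-rule-emphasis` classes, and this diff touches only .rst and .png files; in the LaTeX/PDF and plain-text builds the roles render as ordinary text and the sentence has nothing to point at. The many retained "In this example the red, bold-faced part is the ..." lines across intro.rst, meta.rst and payload-keywords.rst have the same dependency. Either confirm the CSS is already in the theme (or lands in this series) or reword the captions so they stand without colour, for example "the first word is the action, the part up to the parentheses is the header and the parenthesised part holds the options".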
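Review bot: the caption in the source/destination hunk of intro.rst (@@ -83,13 +94,11 @@), "(note the direction of the directional arrow)", is redundant; "(note the direction of the arrow)" reads better, and the same fix applies where the sentence is repeated in the ports hunk.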
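Review bot: in the gid hunk of meta.rst (@@ -80,7 +90,10 @@) the fast.log sample is placed in an `example-rule` container although it is alert output rather than a rule; a literal block (`::`) would keep the log line's spacing and avoid the two indented lines being reflowed into one paragraph, which is what the container does with the `[Priority: 3] {TCP} ...` continuation line. While touching this section, the context line "2008124 is the the sid" has a doubled "the".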
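Review bot: in the reference hunk of meta.rst (@@ -152,7 +172,9 @@) the retained context line under the new example still says "In this example the red, bold-faced part is the action." although the emphasised keyword is `reference:url,doc.emergingthreats.net/2008124;`; it should say "is the reference", and this is the natural place to fix it since the example it describes is being rewritten.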