From: Ralph Broenink Date: Sat, 14 Oct 2017 10:02:55 +0000 (+0200) Subject: doc: Move fast_pattern and prefilter to dedicated page X-Git-Tag: suricata-4.1.0-beta1~505 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb1bf2643d7e545777fef28b8cc6fe8134947a0d;p=thirdparty%2Fsuricata.git doc: Move fast_pattern and prefilter to dedicated page --- diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst index 2dcb45ec9e..5c26a0815e 100644 --- a/doc/userguide/rules/differences-from-snort.rst +++ b/doc/userguide/rules/differences-from-snort.rst @@ -561,7 +561,7 @@ Fast Pattern when doing fast pattern matching, something the other algorithims and Snort do not do. -- :doc:`fast-pattern` +- :ref:`rules-keyword-fast_pattern` Don't Cross The Streams ----------------------- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 784b212e1b..8f3a545d8a 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -706,9 +706,3 @@ pcre ---- For information about the ``pcre`` keyword, check the :doc:`pcre` page. - -fast_pattern ------------- - -For information about the ``fast_pattern`` keyword, check the -:doc:`fast-pattern` page. diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index d741c8a831..35921c7e01 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -6,8 +6,8 @@ Suricata Rules intro meta header-keywords - prefilter payload-keywords + prefilter-keywords http-keywords flow-keywords flowint diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index ab845bf23b..19c19978fd 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -6,7 +6,6 @@ Payload Keywords :maxdepth: 2 pcre - fast-pattern Payload keywords inspect the content of the payload of a packet or stream. 
@@ -303,8 +302,3 @@ pcre ---- For information about pcre check the :doc:`pcre` page. - -fast_pattern ------------- - -For information about fast_pattern check the :doc:`fast-pattern` page. diff --git a/doc/userguide/rules/fast-pattern.rst b/doc/userguide/rules/prefilter-keywords.rst similarity index 76% rename from doc/userguide/rules/fast-pattern.rst rename to doc/userguide/rules/prefilter-keywords.rst index c32b79844f..684e056bd8 100644 --- a/doc/userguide/rules/fast-pattern.rst +++ b/doc/userguide/rules/prefilter-keywords.rst @@ -1,6 +1,11 @@ -Fast Pattern -============ +===================== +Prefiltering Keywords +===================== + +.. _rules-keyword-fast_pattern: +fast_pattern +============ .. toctree:: fast-pattern-explained @@ -41,7 +46,7 @@ Fast-pattern can also be combined with all previous mentioned keywords, and all mentioned HTTP-modifiers. fast_pattern:only ------------------ +~~~~~~~~~~~~~~~~~ Sometimes a signature contains only one content. In that case it is not necessary Suricata will check it any further after a match has @@ -50,8 +55,8 @@ matches. Suricata notices this automatically. In some signatures this is still indicated with 'fast_pattern:only;'. Although Suricata does not need fast_pattern:only, it does support it. -Fast_pattern: 'chop' --------------------- +fast_pattern:'chop' +~~~~~~~~~~~~~~~~~~~~ If you do not want the MPM to use the whole content, you can use fast_pattern 'chop'. @@ -61,3 +66,16 @@ For example:: content: “aaaaaaaaabc”; fast_pattern:8,4; This way, MPM uses only the last four characters. + + +prefilter +========= +The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword. + +In the following rule the TTL test will be used in prefiltering instead of the single byte pattern: + +:: + + alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;) + +For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter` 
diff --git a/doc/userguide/rules/prefilter.rst b/doc/userguide/rules/prefilter.rst deleted file mode 100644 index 0d136abbf7..0000000000 --- a/doc/userguide/rules/prefilter.rst +++ /dev/null @@ -1,13 +0,0 @@ -Prefilter -========= - -The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword. - -In the following rule the TTL test will be used in prefiltering instead of the single byte pattern: - -:: - - alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;) - -For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter` -
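Review bot: In the `prefilter-keywords.rst` hunk at `@@ -1,6 +1,11 @@`, the new explicit target `.. _rules-keyword-fast_pattern:` is followed directly by the `fast_pattern` heading with no blank line in between (the hunk shows a lone `+` before the target but none after it). docutils requires a blank line after an explicit markup block, so this will produce an "Explicit markup ends without a blank line; unexpected unindent" warning and may not attach the label to the section, which would break the `:ref:` added in `differences-from-snort.rst`. Insert an empty `+` line between `+.. _rules-keyword-fast_pattern:` and `+fast_pattern`.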
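Review bot: The `payload-keywords.rst` hunk at `@@ -303,8 +302,3 @@` and the `http-keywords.rst` hunk at `@@ -706,9 +706,3 @@` delete the `fast_pattern` subsections outright, so those pages no longer mention the keyword at all even though it is used together with `content` and the HTTP modifiers. Rather than dropping the pointer, keep a one-line cross-reference in each (for example `For information about fast_pattern check :ref:`rules-keyword-fast_pattern`.`) so readers of the payload and HTTP keyword pages still find the moved material; the new label introduced in this patch makes that cheap.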
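Review bot: With `fast-pattern.rst` renamed to `prefilter-keywords.rst` and `prefilter.rst` deleted (the last two file headers of the patch), any remaining `:doc:`fast-pattern`` or `:doc:`prefilter`` reference elsewhere in `doc/userguide` becomes a broken link; this patch only fixes the one in `differences-from-snort.rst` and the toctree entries in `index.rst` and `payload-keywords.rst`. Before merging, grep the tree for both old document names and run a Sphinx build with warnings as errors (`-W`) to confirm nothing else pointed at the removed files.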
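Review bot: In the `prefilter-keywords.rst` hunk at `@@ -50,8 +55,8 @@`, the heading text is shortened from `Fast_pattern: 'chop'` to `fast_pattern:'chop'` (19 characters) but the underline is kept at 20 tildes. An over-long underline is accepted by docutils, so this is a style point only; trim it to match the title, and consider the same treatment for the title itself, since `'chop'` is a description rather than the keyword syntax shown in the example (`fast_pattern:8,4;`).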