From: jason taylor
Date: Wed, 24 Aug 2022 12:22:02 +0000 (+0000)
Subject: userguide: update dsize documentation/examples
X-Git-Tag: suricata-7.0.0-beta1~281
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c29942c029ba547353f86c8c43f567ce75a346f9;p=thirdparty%2Fsuricata.git

userguide: update dsize documentation/examples

Signed-off-by: jason taylor
---
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst
index 13dfde95cc..200d41cda6 100644
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -295,29 +295,42 @@ Examples of bsize values: alert dns any any -> any any (msg:"bsize buffer range value"; dns.query; content:"google.com"; bsize:8<>20; sid:6; rev:1;) - dsize ----- With the dsize keyword, you can match on the size of the packet -payload. You can use the keyword for example to look for abnormal +payload/data. You can use the keyword for example to look for abnormal sizes of payloads which are equal to some n i.e. 'dsize:n' not equal 'dsize:!n' less than 'dsize:n' This may be convenient in detecting buffer overflows. +dsize cannot be used when using app/streamlayer protocol keywords (i.e. http.uri) + Format:: dsize:[<>!]number; || dsize:min<>max; -Example of dsize in a rule: +Examples of dsize values: .. container:: example-rule - alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;) - alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"Example Negation"; :example-rule-emphasis:`dsize:!10;` sid:123; rev:1;) + alert tcp any any -> any any (msg:"dsize exact size"; dsize:10; sid:1; rev:1;) + + alert tcp any any -> any any (msg:"dsize less than value"; dsize:<10; sid:2; rev:1;) + + alert tcp any any -> any any (msg:"dsize less than or equal value"; dsize:<=10; sid:3; rev:1;) + + alert tcp any any -> any any (msg:"dsize greater than value"; dsize:>8; sid:4; rev:1;) + + alert tcp any any -> any any (msg:"dsize greater than or equal value"; dsize:>=10; sid:5; rev:1;) + + alert tcp any any -> any any (msg:"dsize range value"; dsize:8<>20; sid:6; rev:1;) + + alert tcp any any -> any any (msg:"dsize not equal value"; dsize:!9; sid:7; rev:1;) byte_test --------- + The ``byte_test`` keyword extracts ```` and performs an operation selected with ```` against the value in ```` at a particular ````. 
The ```` is applied to the extracted bytes (before the operator is applied),
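Review bot: the Format line `dsize:[<>!]number; || dsize:min<>max;` is left untouched in this hunk while two of the new examples, `dsize:<=10;` (sid:3) and `dsize:>=10;` (sid:5), use operators that line does not list; either extend the format description to cover `<=` and `>=` or drop those two examples so the format and the examples agree. In the added sentence "dsize cannot be used when using app/streamlayer protocol keywords (i.e. http.uri)", `http.uri` is one example rather than a definition, so `e.g.` is the right abbreviation, and `app/streamlayer` would read more clearly as `app-layer/stream-layer`. That sentence also says only that the keyword "cannot be used"; stating the observable result for the rule writer (for instance, that the rule is rejected at load time, if that is the behaviour) would make the restriction actionable. Finally, the unchanged context line "equal to some n i.e. 'dsize:n' not equal 'dsize:!n' less than ..." runs the three cases together without punctuation; since this hunk already rewrites the surrounding paragraph, separating them with commas or a short list would cost little.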