From: Travis Green Date: Thu, 20 Dec 2018 00:45:11 +0000 (-0700) Subject: doc: added tos keyword X-Git-Tag: suricata-4.1.2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2adb9e6697a19718b285dc9a771aa51b07b7a87;p=thirdparty%2Fsuricata.git doc: added tos keyword Redmine issue: https://redmine.openinfosecfoundation.org/issues/2583 --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index 2699852743..f39b3005eb 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -221,6 +221,32 @@ Example of fragoffset in a rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: M; :example-rule-emphasis:`fragoffset: >0;` reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) +tos +^^^ + +The tos keyword can match on specific decimal values of the IP header TOS +field. The tos keyword can be have a value from 0 - 255. This field of the +IP header has been updated by `rfc2474 `_ +to include functionality for +`Differentiated services `_. + +Format of tos:: + + tos:[!]; + +Example of tos in a rule: + +.. container:: example-rule + + alert ip any any -> any any (msg:"Differentiated Services Codepoint: Class Selector 1 (8)"; flow:established; :example-rule-emphasis:`tos:8;` classtype:not-suspicious; sid:2600115; rev:1;) + +Example of tos with negated values: + +.. container:: example-rule + + alert ip any any -> any any (msg:"TGI HUNT non-DiffServ aware TOS setting"; flow:established,to_server; :example-rule-emphasis:`tos:!0; tos:!8; tos:!16; tos:!24; tos:!32; tos:!40; tos:!48; tos:!56;` threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2600124; rev:1;) + + TCP keywords ------------ 
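Review bot: the first example in the new tos section is mislabelled. The paragraph above it says the keyword matches the whole 8-bit TOS byte (0-255), but the rule message calls tos:8 "Class Selector 1 (8)". Under RFC 2474 the DSCP occupies the upper six bits of that byte, so CS1 (DSCP 001000, decimal 8) is byte value 32 (0x20); a byte value of 8 is DSCP 2 (or, under the older RFC 1349 reading, the "maximize throughput" bit). The negated example has the same problem: CS0..CS7 as full-byte values are 0, 32, 64, 96, 128, 160, 192 and 224, not 0, 8, 16, ... 56. Either state that the rule writer must supply DSCP * 4 (the low two bits are the ECN bits, so DiffServ-only values are multiples of 4) and correct both examples, or say explicitly that tos compares the raw byte, so readers do not copy these rules expecting them to match class selectors. Two smaller points in the same hunk: "The tos keyword can be have a value from 0 - 255" should read "can have a value"; and as rendered here the format line `tos:[!];` carries no value placeholder and the two links (`rfc2474 `_ and `Differentiated services `_) carry no target, so unless the angle-bracketed parts were lost only in the rendering of this page, they need to be restored, e.g. `tos:[!]<number>;` and `` `rfc2474 <https://tools.ietf.org/html/rfc2474>`_ ``.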
diff --git a/src/detect-tos.c b/src/detect-tos.c index 609ff8c866..c6ccb9bd10 100644 --- a/src/detect-tos.c +++ b/src/detect-tos.c @@ -69,6 +69,8 @@ void DetectTosRegister(void) sigmatch_table[DETECT_TOS].RegisterTests = DetectTosRegisterTests; sigmatch_table[DETECT_TOS].flags = (SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION); + sigmatch_table[DETECT_TOS].url = + DOC_URL DOC_VERSION "/rules/header-keywords.html#tos"; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
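Review bot: only `.url` is added here; the other header keywords (ttl, id, etc.) register a one-line `.desc` alongside `.url`, and that description is what `suricata --list-keywords=all` prints next to the documentation link, so consider adding `sigmatch_table[DETECT_TOS].desc = "match on specific decimal values of the IP header TOS field";` immediately before the `.url` assignment. The `#tos` anchor has to match the id Sphinx generates for the new `tos` heading in header-keywords.rst, which it does for a lowercase single-word title, so no change is needed there.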