From: jason taylor Date: Mon, 25 Jul 2022 23:22:00 +0000 (+0000) Subject: doc: add bsize keyword examples X-Git-Tag: suricata-7.0.0-beta1~360 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca9e9009ba05aa7882c7e691a89f8c0f8792a4b2;p=thirdparty%2Fsuricata.git doc: add bsize keyword examples Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 422ea44c8b..13dfde95cc 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -273,17 +273,28 @@ You can also use the negation (!) before isdataat. bsize ----- -With the bsize keyword, you can match on the length of the buffer. This adds precision to the content match, previously this could have been done with isdataat. +With the bsize keyword, you can match on the length of a buffer. This adds precision to the content match, previously this could have been done with isdataat. Format:: bsize:; -Example of bsize in a rule: +Examples of bsize values: .. container:: example-rule - alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"google.com"; bsize:10; sid:123; rev:1;) + alert dns any any -> any any (msg:"bsize exact buffer size"; dns.query; content:"google.com"; bsize:10; sid:1; rev:1;) + + alert dns any any -> any any (msg:"bsize less than value"; dns.query; content:"google.com"; bsize:<25; sid:2; rev:1;) + + alert dns any any -> any any (msg:"bsize buffer less than or equal value"; dns.query; content:"google.com"; bsize:<=20; sid:3; rev:1;) + + alert dns any any -> any any (msg:"bsize buffer greater than value"; dns.query; content:"google.com"; bsize:>8; sid:4; rev:1;) + + alert dns any any -> any any (msg:"bsize buffer greater than or equal value"; dns.query; content:"google.com"; bsize:>=8; sid:5; rev:1;) + + alert dns any any -> any any (msg:"bsize buffer range value"; dns.query; content:"google.com"; bsize:8<>20; sid:6; rev:1;) + dsize -----
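Review bot: the new examples introduce comparison operators and a range form (`bsize:<25`, `bsize:<=20`, `bsize:>8`, `bsize:>=8`, `bsize:8<>20`) that the unchanged `Format::` block just above them does not describe; as shown in the context line the format reads only `bsize:;`, so a reader cannot tell from the documentation which operators are accepted or what `<>` means. Suggest extending the Format block to list the accepted forms alongside the examples, e.g. `bsize:<number>;`, `bsize:<op><number>;` with the operators `<`, `<=`, `>`, `>=`, and `bsize:<number><><number>;` for the range, and adding one sentence stating whether the range bounds are inclusive, since the rule message "bsize buffer range value" does not say. Minor: the rewritten introductory sentence keeps the comma splice ("...to the content match, previously this could have been done with isdataat"); splitting it into two sentences would read better, and "Examples of bsize values:" could be "Examples of bsize in rules:" to match the heading style used for the other keywords in this file.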