From: Eric Leblond Date: Sun, 10 Jul 2022 17:05:18 +0000 (+0200) Subject: doc: add ip.dst and ip.src doc X-Git-Tag: suricata-7.0.0-rc1~462 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da8b16eaeb44f156bfb29c4994b00f880bf19933;p=thirdparty%2Fsuricata.git doc: add ip.dst and ip.src doc --- diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index b83bee336d..68a7e3f7ae 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -37,6 +37,7 @@ Suricata Rules xbits thresholding ip-reputation-rules + ipaddr config datasets lua-detection diff --git a/doc/userguide/rules/ipaddr.rst b/doc/userguide/rules/ipaddr.rst new file mode 100644 index 0000000000..a42657f326 --- /dev/null +++ b/doc/userguide/rules/ipaddr.rst @@ -0,0 +1,29 @@ +IP Addresses Match +================== + +Matching on IP addresses can be done via the IP tuple parameters or via the iprep keywords (see :doc:`/rules/ip-reputation-rules`). +Some keywords providing interaction with datasets are also available. + +ip.src +------ + +The `ip.src` keyword is a sticky buffer to match on source IP address. It matches on the binary representation +and is compatible with datasets of types `ip` and `ipv4`. + +Example: + +:: + + alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound bad list"; flow:to_server; ip.src; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;) + +ip.dst +------ + +The `ip.dst` keyword is a sticky buffer to match on destination IP address. It matches on the binary representation +and is compatible with the dataset of type `ip` and `ipv4`. + +Example: + +:: + + alert tcp $HOME_NET any -> any any (msg:"Outbound bad list"; flow:to_server; ip.dst; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)
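Review bot: the ip.dst section in the new doc/userguide/rules/ipaddr.rst says it "is compatible with the dataset of type `ip` and `ipv4`" while the ip.src section a few lines earlier says "datasets of types `ip` and `ipv4`"; the two keywords should use the same wording, e.g. "and is compatible with datasets of types `ip` and `ipv4`." for both. The page title "IP Addresses Match" reads awkwardly next to the other rule-keyword pages; "Matching on IP Addresses" or "IP Address Matching" would fit better. The introductory sentence "Some keywords providing interaction with datasets are also available." is vague about which keywords it means; since the page documents exactly two, naming `ip.src` and `ip.dst` there would make the lead-in useful. Finally, both example rules carry `sid:1; rev:1;`; giving the two examples distinct sids avoids a collision if a reader copies both into one rules file.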