From: jason taylor Date: Tue, 3 Sep 2024 18:13:08 +0000 (-0400) Subject: doc: add note about big endian for icmp_seq match X-Git-Tag: suricata-8.0.0-beta1~877 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f46a8776ecc3f73c58d129b964f48d90727580a0;p=thirdparty%2Fsuricata.git doc: add note about big endian for icmp_seq match --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index e28b14e283..a6837d73cf 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -711,6 +711,12 @@ Example of icmp_seq in a rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;) +.. note:: Some pcap analysis tools, like wireshark, may give both a little + endian and big endian value for ``icmp_seq``. The ``icmp_seq`` keyword + matches on the big endian value, this is due to Suricata using the network + byte order (big endian) to perform the match comparison. + + icmpv4.hdr ^^^^^^^^^^
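Review bot: The second sentence of the added ``.. note::`` block is a comma splice ("matches on the big endian value, this is due to Suricata using...") and "wireshark" should be capitalized as the product name, Wireshark; suggest rewording to "The ``icmp_seq`` keyword matches on the big-endian value, because Suricata performs the comparison in network byte order (big endian)." It would also help rule writers if the note stated the practical consequence, e.g. "Use the big-endian (network byte order) value when writing the rule; if a tool only displays the little-endian value, swap the two bytes of the 16-bit sequence number." The two trailing blank lines before the ``icmpv4.hdr`` heading are consistent with the surrounding section spacing, so the rst structure looks fine.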