From: Eric Leblond Date: Tue, 6 Jun 2017 16:35:48 +0000 (+0200) Subject: doc: document target keyword X-Git-Tag: suricata-4.0.0-rc1~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5ad6a209527ba6df554f6c3334f2392afcaed04;p=thirdparty%2Fsuricata.git doc: document target keyword --- diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 7132f2dff6..15edb28616 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -179,3 +179,20 @@ keyword because it is part of the signature language. The format is: :: metadata:......; + +Target +------ + +The target keyword allows the rules writer to specify which side of the +alert is the target of the attack. If specified, the alert event is enhanced +to contain information about source and target. + +The format is: + +:: + + target: [src_ip|dest_ip] + +If the value is src_ip then the source IP in the generated event (src_ip +field in JSON) is the target of the attack. If target is set to dest_ip +then the target is the destination IP in the generated event.
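Review bot: the format block `target: [src_ip|dest_ip]` drops the trailing `;` that the preceding `metadata:......;` block in the same file shows, and the square brackets read as "optional" rather than "one of these two values"; consider writing the two accepted forms out (`target:src_ip;` and `target:dest_ip;`) or stating that exactly one of the two values is required. The sentence "If specified, the alert event is enhanced to contain information about source and target" is too vague for a user guide: name the fields the enhanced event actually carries (the text only mentions the existing `src_ip` JSON field) and say what the event looks like when the keyword is absent, otherwise a rule writer cannot tell from this page what they gain by adding it. A one-line example signature using the keyword would also help, since every other keyword section readers reach here is paired with a concrete rule. Minor wording: "the rules writer" should be "the rule writer".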