From 192a31c74eb66aa3b17106ac1bcd112b13529c6e Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Tue, 2 Aug 2022 11:11:27 -0400 Subject: [PATCH] doc: Fixup byte* entries to display tables properly --- doc/userguide/rules/payload-keywords.rst | 67 +++++++++++++----------- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 200d41cda6..e0c0aef2f3 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -371,7 +371,7 @@ Format:: | | - dec - Converted string represented in decimal | | | - oct - Converted string represented in octal | +----------------+------------------------------------------------------------------------------+ -| [dce] | Allow the DCE module determine the byte order | +| [dce] | Allow the DCE module to determine the byte order | +----------------+------------------------------------------------------------------------------+ | [bitmask] | Applies the AND operator on the bytes converted | +----------------+------------------------------------------------------------------------------+ 
@@ -414,49 +414,53 @@ When ``relative`` is included, there must be a previous ``content`` or ``pcre`` The result can be stored in a result variable and referenced by other rule options later in the rule. + ============== ================================== - Keyword Modifier + Keyword Modifier ============== ================================== - content offset,depth,distance,within - byte_test offset,value - byte_jump offset - isdataat offset + content offset,depth,distance,within + byte_test offset,value + byte_jump offset + isdataat offset ============== ================================== Format:: byte_math:bytes , offset , oper , rvalue , \ - result [, relative] [, endian ] [, string ] \ - [, dce] [, bitmask ]; + result [, relative] [, endian ] [, string ] \ + [, dce] [, bitmask ]; + +-----------------------+-----------------------------------------------------------------------+ -| | The number of bytes selected from the packet | +| | The number of bytes selected from the packet | +-----------------------+-----------------------------------------------------------------------+ -| | Number of bytes into the payload | +| | Number of bytes into the payload | +-----------------------+-----------------------------------------------------------------------+ -| oper | Mathematical operation to perform: +, -, \*, /, <<, >> | +| oper | Mathematical operation to perform: +, -, \*, /, <<, >> | +-----------------------+-----------------------------------------------------------------------+ -| rvalue | Value to perform the math operation with | +| rvalue | Value to perform the math operation with | +-----------------------+-----------------------------------------------------------------------+ -| result | Where to store the computed value | +| result | Where to store the computed value | +-----------------------+-----------------------------------------------------------------------+ -| [relative] | Offset relative to last content match | +| [relative] | Offset relative to 
last content match | +-----------------------+-----------------------------------------------------------------------+ -| [endian ] | - big (Most significant byte at lowest address) | -| | - little (Most significant byte at the highest address) | +| [endian ] | - big (Most significant byte at lowest address) | +| | - little (Most significant byte at the highest address) | +| | - dce (Allow the DCE module to determine the byte order) | +-----------------------+-----------------------------------------------------------------------+ -| [string ] | | -| | - hex Converted data is represented in hex | -| | - dec Converted data is represented in decimal | -| | - oct Converted data is represented as octal | +| [string ] | | +| | - hex Converted data is represented in hex | +| | - dec Converted data is represented in decimal | +| | - oct Converted data is represented as octal | +-----------------------+-----------------------------------------------------------------------+ -| [dce] | Allow the DCE module determine the byte order | +| [dce] | Allow the DCE module to determine the byte order | +-----------------------+-----------------------------------------------------------------------+ -| [bitmask] | The AND operator will be applied to the extracted value | -| | The result will be right shifted by the number of bits equal to the | -| | number of trailing zeros in the mask | +| [bitmask] | The AND operator will be applied to the extracted value | +| | The result will be right shifted by the number of bits equal to the | +| | number of trailing zeros in the mask | +-----------------------+-----------------------------------------------------------------------+ + Example:: alert tcp any any -> any any \ 
@@ -481,11 +485,13 @@ The ``byte_jump`` keyword allows for the ability to select a ```` Format:: byte_jump:, [, relative][, multiplier ] \ - [, ][, string, ][, align][, from_beginning][, from_end] \ + [, ][, string, ][, align][, from_beginning][, from_end] \ [, post_offset ][, dce][, bitmask ]; + + +-----------------------+-----------------------------------------------------------------------+ -| | The number of bytes selected from the packet to be converted | +| | The number of bytes selected from the packet to be converted | +-----------------------+-----------------------------------------------------------------------+ | | Number of bytes into the payload | +-----------------------+-----------------------------------------------------------------------+ @@ -512,12 +518,13 @@ Format:: | [post_offset] | After the jump operation has been performed, it will | | | jump an additional number of bytes specified by | +-----------------------+-----------------------------------------------------------------------+ -| [dce] | Allow the DCE module determine the byte order | +| [dce] | Allow the DCE module to determine the byte order | +-----------------------+-----------------------------------------------------------------------+ | [bitmask] | The AND operator will be applied by and the | | | converted bytes, then jump operation is performed | +-----------------------+-----------------------------------------------------------------------+ + Example:: alert tcp any any -> any any \ 
@@ -565,10 +572,10 @@ Format:: | | - dec - Converted string represented in decimal | | | - oct - Converted string represented in octal | +--------------------+--------------------------------------------------------------------------+ -| [dce] | Allow the DCE module determine the byte order | +| [dce] | Allow the DCE module to determine the byte order | +--------------------+--------------------------------------------------------------------------+ -| align | Round the extracted value up to the next | -| | next byte boundary post-multiplication (if any) | +| align | Round the extracted value up to the next | +| | byte boundary post-multiplication (if any) | | | ; may be 2 or 4 | +--------------------+--------------------------------------------------------------------------+ -- 2.47.2
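
Review bot: In the byte_math table (hunk at -414,49), the added line "- dce (Allow the DCE module to determine the byte order)" under the endian row is a content change rather than a table-display fix, and it repeats the description of the separate "[dce]" row that the same hunk keeps. The commit message has no body, so nothing explains whether dce is now documented as an endian value, as a standalone option, or both. Either describe that in the commit message or move the new line into its own commit so this one stays a formatting and wording fixup.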
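
Review bot: In the byte_jump Format hunk (-481,11), two empty lines are added between the end of the format block ("[, post_offset ][, dce][, bitmask ];") and the table border, where the byte_math hunk adds only one in the same position. A single blank line already separates the literal block from the table, so I would drop the second one and keep the spacing the same in both sections.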