From ee9637f5a724f38ae16eb220ebd1ed9d2617c92b Mon Sep 17 00:00:00 2001 From: jason taylor Date: Tue, 18 Jul 2023 21:17:31 +0000 Subject: [PATCH] doc: update fileext keyword information Signed-off-by: jason taylor --- doc/userguide/rules/file-keywords.rst | 34 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index f33aba05d2..2d796bee73 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -19,17 +19,41 @@ Example:: filename:"secret"; fileext -------- +-------- -Matches on the extension of a file name. +``fileext`` is used to look at individual file extensions that are +seen in flows that Suricata evaluates. -Syntax:: +Example:: + + fileext:"pdf"; + +**Note:** ``fileext`` does not allow partial matches. For example, if +a PDF file (.pdf) is seen by a Suricata signature with +fileext:"pd"; the signature will not produce an alert. + +**Note:** ``fileext`` assumes ``nocase`` by default. This means +that a file with the extension .PDF will be seen the same as if +the file had an extension of .pdf. + +**Note:** ``fileext`` and ``file.name`` can both be used to match on +file extensions. In the example below the two signatures are +considered the same. + +Example:: + + fileext:"pdf"; + + file.name; content:".pdf"; nocase; endswith; - fileext:; +**Note**: While``fileeext`` and ``file.name`` can both be used +to match on file extensions, ``file.name`` allows for partial +matching on file extensions. The following would match on a file +with the extension of .pd as well as .pdf. Example:: - fileext:"jpg"; + file.name; content:".pd"; file.magic ---------- -- 2.47.2
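Review bot: In the last added note the inline literal is misspelled and lacks the space that reStructuredText needs before the opening backticks: `+**Note**: While``fileeext`` and ``file.name`` can both be used` should read `**Note:** While ``fileext`` and ``file.name`` can both be used` (the keyword is `fileext`, and without the space the ``...`` will not render as a literal). The same line also uses `**Note**:` where the three earlier notes use `**Note:**`; keep one form. In the first note, `fileext:"pd";` is the only keyword usage in the hunk not wrapped in double backticks; wrap it for consistency with the examples around it. Finally, the closing example `file.name; content:".pd";` is described as partial matching "on file extensions", but without `endswith` it matches `.pd` anywhere in the file name, not only at the end; either add `endswith;` to the example or say that it matches the substring anywhere in the name.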