doc: add bsize documentation and rule example

author jason taylor <jtfas90@gmail.com>

Wed, 18 Dec 2019 14:59:23 +0000 (09:59 -0500)

committer Victor Julien <victor@inliniac.net>

Fri, 20 Dec 2019 12:57:53 +0000 (13:57 +0100)
author jason taylor <jtfas90@gmail.com>
Wed, 18 Dec 2019 14:59:23 +0000 (09:59 -0500)
committer Victor Julien <victor@inliniac.net>
Fri, 20 Dec 2019 12:57:53 +0000 (13:57 +0100)
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst

index 4cdf124d4488226f477512d7afcfa71d244c7fcf..f071c76d8183e0c27e24c0ef6ad109b321ff638e 100644 (file)
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -264,6 +264,21 @@ You can also use the negation (!) before isdataat.
  
  .. image:: payload-keywords/isdataat1.png
  
+bsize
+-----
+
+With the bsize keyword, you can match on the length of the buffer. This adds precision to the content match, previously this could have been done with isdataat.
+
+Format::
+
+  bsize:<number>;
+
+Example of bsize in a rule:
+
+.. container:: example-rule
+
+   alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"google.com"; bsize:10; sid:123; rev:1;)
+
  dsize
  -----
author	jason taylor <jtfas90@gmail.com>
	Wed, 18 Dec 2019 14:59:23 +0000 (09:59 -0500)
committer	Victor Julien <victor@inliniac.net>
	Fri, 20 Dec 2019 12:57:53 +0000 (13:57 +0100)