7. Suricata Rules
- 7.1. Rules Format
- 7.2. Meta Keywords
- 7.3. IP Keywords
- 7.4. TCP keywords
- 7.5. UDP keywords
- 7.6. ICMP keywords
- 7.7. Payload Keywords
- 7.7.1. content
- 7.7.2. nocase
- 7.7.3. depth
- 7.7.4. startswith
- 7.7.5. endswith
- 7.7.6. offset
- 7.7.7. distance
- 7.7.8. within
- 7.7.9. isdataat
- 7.7.10. bsize
- 7.7.11. dsize
- 7.7.12. byte_test
- 7.7.13. byte_math
- 7.7.14. byte_jump
- 7.7.15. byte_extract
- 7.7.16. rpc
- 7.7.17. replace
- 7.7.18. pcre (Perl Compatible Regular Expressions)
- 7.8. Transformations
- 7.9. Prefiltering Keywords
- 7.10. Flow Keywords
- 7.11. Bypass Keyword
- 7.12. HTTP Keywords
- 7.12.1. HTTP Primer
- 7.12.2. http.method
- 7.12.3. http.uri and http.uri.raw
- 7.12.4. uricontent
- 7.12.5. urilen
- 7.12.6. http.protocol
- 7.12.7. http.request_line
- 7.12.8. http.header and http.header.raw
- 7.12.9. http.cookie
- 7.12.10. http.user_agent
- 7.12.11. http.accept
- 7.12.12. http.accept_enc
- 7.12.13. http.accept_lang
- 7.12.14. http.connection
- 7.12.15. http.content_type
- 7.12.16. http.content_len
- 7.12.17. http.referer
- 7.12.18. http.start
- 7.12.19. http.header_names
- 7.12.20. http.request_body
- 7.12.21. http.stat_code
- 7.12.22. http.stat_msg
- 7.12.23. http.response_line
- 7.12.24. http.response_body
- 7.12.25. http.server
- 7.12.26. http.location
- 7.12.27. http.host and http.host.raw
- 7.12.28. file_data
- 7.13. File Keywords
- 7.14. DNS Keywords
- 7.15. SSL/TLS Keywords
- 7.15.1. tls.cert_subject
- 7.15.2. tls.cert_issuer
- 7.15.3. tls.cert_serial
- 7.15.4. tls.cert_fingerprint
- 7.15.5. tls.sni
- 7.15.6. tls_cert_notbefore
- 7.15.7. tls_cert_notafter
- 7.15.8. tls_cert_expired
- 7.15.9. tls_cert_valid
- 7.15.10. tls.certs
- 7.15.11. tls.version
- 7.15.12. ssl_version
- 7.15.13. tls.subject
- 7.15.14. tls.issuerdn
- 7.15.15. tls.fingerprint
- 7.15.16. tls.store
- 7.15.17. ssl_state
- 7.16. SSH Keywords
- 7.17. JA3 Keywords
- 7.18. Modbus Keyword
- 7.19. DNP3 Keywords
- 7.20. ENIP/CIP Keywords
- 7.21. FTP/FTP-DATA Keywords
- 7.22. Kerberos Keywords
- 7.23. SNMP keywords
- 7.24. Base64 keywords
- 7.25. SIP Keywords
- 7.26. RFB Keywords
- 7.27. MQTT Keywords
- 7.27.1. mqtt.protocol_version
- 7.27.2. mqtt.type
- 7.27.3. mqtt.flags
- 7.27.4. mqtt.qos
- 7.27.5. mqtt.reason_code
- 7.27.6. mqtt.connack.session_present
- 7.27.7. mqtt.connect.clientid
- 7.27.8. mqtt.connect.flags
- 7.27.9. mqtt.connect.password
- 7.27.10. mqtt.connect.username
- 7.27.11. mqtt.connect.willmessage
- 7.27.12. mqtt.connect.willtopic
- 7.27.13. mqtt.publish.message
- 7.27.14. mqtt.publish.topic
- 7.27.15. mqtt.subscribe.topic
- 7.27.16. mqtt.unsubscribe.topic
- 7.27.17. Additional information
- 7.28. HTTP2 Keywords
- 7.29. Generic App Layer Keywords
- 7.30. Xbits Keyword
- 7.31. Thresholding Keywords
- 7.32. IP Reputation Keyword
- 7.33. Config Rules
- 7.34. Datasets
- 7.35. Lua Scripting
- 7.36. Differences From Snort
- 7.36.1. Automatic Protocol Detection
- 7.36.2. urilen Keyword
- 7.36.3. http_uri Buffer
- 7.36.4. http_header Buffer
- 7.36.5. http_cookie Buffer
- 7.36.6. New HTTP keywords
- 7.36.7. byte_extract Keyword
- 7.36.8. byte_math Keyword
- 7.36.9. isdataat Keyword
- 7.36.10. Relative PCRE
- 7.36.11. tls* Keywords
- 7.36.12. dns_query Keyword
- 7.36.13. IP Reputation and iprep Keyword
- 7.36.14. Flowbits
- 7.36.15. flowbits:noalert;
- 7.36.16. Negated Content Match Special Case
- 7.36.17. File Extraction
- 7.36.18. Lua Scripting
- 7.36.19. Fast Pattern
- 7.36.20. Don't Cross The Streams
- 7.36.21. Alerts
- 7.36.22. Buffer Reference Chart