doc: add multi buffer matching documentation v2 #9161
Conversation
Signed-off-by: jason taylor <jtfas90@gmail.com>
.. container:: example-rule

    alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"DNS Multiple Question Example Rule"; dns.query; content:"example"; dns.query; content:".com"; sid:1;)
Thanks for this @jmtaylor90
Would you also add an example with
dns.query; content:"example"; content:".com";
?
And say that these will match on the same dns query buffer (or a better wording)
(maybe this is better illustrated with http2.header)
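The two forms contrasted in the comment above, as an added example that is not part of this PR or of the Suricata code base: a small Python simulation of the sticky-buffer semantics, where each repeated `dns.query` starts a new match group that any question buffer may satisfy, while `content` keywords that follow a single `dns.query` must all hit the same buffer. The rule text is the one from the PR; the query lists are constructed sample input.

```python
import re

# Added example, not Suricata code: simulates multi-buffer matching for the
# dns.query sticky buffer on a packet carrying one or more question names.
# Only the keyword subset used by the PR's rules is handled (no negation,
# no modifiers), which is enough to show the behaviour difference.

OPTION_RE = re.compile(r'\s*([a-z0-9_.]+)(?::"([^"]*)"|:([^;]*))?;')

def parse_rule_body(rule: str) -> list[list[str]]:
    """Return one list of content strings per dns.query declaration."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    groups: list[list[str]] = []
    for m in OPTION_RE.finditer(body):
        key, quoted, _raw = m.groups()
        if key == "dns.query":
            groups.append([])            # a new sticky-buffer group
        elif key == "content":
            if not groups:
                raise ValueError("content without a preceding dns.query")
            groups[-1].append(quoted)
        # msg, sid and similar options do not influence matching here
    return groups

def rule_matches(rule: str, queries: list[str]) -> bool:
    """Does the rule alert on a DNS packet carrying these query names?

    Every group must be satisfied by some query buffer, and all contents
    inside one group must be found in that same buffer.
    """
    return all(
        any(all(c in q for c in group) for q in queries)
        for group in parse_rule_body(rule)
    )

# Rule bodies from the PR discussion.
MULTI_BUFFER = ('alert dns $HOME_NET any -> $EXTERNAL_NET any '
                '(msg:"DNS Multiple Question Example Rule"; dns.query; '
                'content:"example"; dns.query; content:".com"; sid:1;)')
SAME_BUFFER = ('alert dns $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"DNS Same Buffer Example Rule"; dns.query; '
               'content:"example"; content:".com"; sid:2;)')

if __name__ == "__main__":
    # Constructed packets: two questions spread the contents over two buffers.
    two_questions = ["example.org", "test.com"]
    one_question = ["example.com"]
    for name, rule in (("multi", MULTI_BUFFER), ("same", SAME_BUFFER)):
        print(name, rule_matches(rule, two_questions), rule_matches(rule, one_question))
```

Running it prints `multi True True` and `same False True`: only the rule that repeats `dns.query` alerts when "example" and ".com" sit in different questions.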
Yes, I will add and look at the explanation again today. I went back and forth a bit on which example to use for a signature; I started with using a variation of the signature from your suricata-verify test for the http2 multi buffer, but I wasn't sure if the concept remained clear throughout the explanation of the behavior changes.
Thanks for the review/comments.
continued in #9174
Doc changes and explanation look good to me, taking into account adjusting as asked by Philippe :)
In that regard, since this is a new concept, I think that it could be helpful to have more than one example, and maybe highlight the difference in behavior a bit more?
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6032