userguide: fix explanation about bsize ranges
Our code handles Uint ranges as exclusive, but for bsize, our
documentation stated that they're inclusive.

Cf. from uint.rs:

    DetectUintMode::DetectUintModeRange => {
        if val > x.arg1 && val < x.arg2 {
            return true;
        }
    }

Task OISF#6708
jufajardini authored and Corey Thomas committed Jan 30, 2024
1 parent 63bb294 commit b8d33f1
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion doc/userguide/rules/payload-keywords.rst
Expand Up @@ -284,7 +284,7 @@ bsize uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.

An optional operator can be specified; if no operator is present, the operator will
default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range),
the bsize value will be compared using the relational operator. Ranges are inclusive.
the bsize value will be compared using the relational operator. Ranges are exclusive.

If one or more ``content`` keywords precedes ``bsize``, each occurrence of ``content``
will be inspected and an error will be raised if the content length and the bsize
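Review bot: "Ranges are exclusive." at the end of the operator paragraph is easy to misread, because it does not say that both endpoints are excluded. The quoted check in uint.rs is `val > x.arg1 && val < x.arg2`, so consider wording it as "Ranges are exclusive: with 'min<>max', the bsize value must be greater than min and less than max." Since this paragraph already points to the rules-integer-keywords reference, it is also worth checking that the range description there says the same thing, so the two pages do not disagree.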
Expand Down Expand Up @@ -327,6 +327,9 @@ Examples of ``bsize`` in a rule:

alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"middle"; bsize:6<>15; sid:126; rev:1;)

To emphasize how range works: in the example above, a match will occur if
``bsize`` is greater than 6 and less than 15.

dsize
-----

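Review bot: the added sentence after the ``bsize:6<>15`` example restates the bounds but does not give the matching sizes, which is what a rule writer needs. Suggest saying that the rule matches buffer sizes 7 through 14 and that sizes of exactly 6 or 15 do not match. The example makes this worth spelling out: ``content:"middle"`` is 6 bytes long, so a ``dns.query`` buffer consisting only of "middle" would not match this rule. Minor wording: "how range works" reads better as "how ranges work".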