doc: add multi buffer support note to keyword docs
Signed-off-by: jason taylor <[email protected]>
jmtaylor90 authored and victorjulien committed Jul 13, 2023
1 parent 88960e9 commit c95fce3
Showing 10 changed files with 49 additions and 15 deletions.
5 changes: 5 additions & 0 deletions doc/userguide/rules/dns-keywords.rst
Expand Up @@ -67,3 +67,8 @@ DNS query on the wire (snippet)::
``dns.query`` buffer::

mail.google.com

Multiple Buffer Matching
~~~~~~~~~~~~~~~~~~~~~~~~

``dns.query`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
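
Review bot: the new ``Multiple Buffer Matching`` heading at the end of this hunk is inconsistent with most of the commit. Here and for ``file.data`` in http-keywords.rst the note gets its own subsection, while the other keyword files add the same sentence inline with no heading. Pick one presentation for every file so the note is found in the same place for each keyword; the inline sentence directly after the keyword's description is what the majority of the hunks use.
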
4 changes: 4 additions & 0 deletions doc/userguide/rules/file-keywords.rst
Expand Up @@ -18,6 +18,8 @@ Example::

filename:"secret";

``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

fileext
-------
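
Review bot: the added sentence names the keyword ``file.name``, while the example directly above it in this hunk is written as ``filename:"secret";``. State whether the note covers both spellings, or name the keyword the way the surrounding section does, so the note and the example agree.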

Expand Down Expand Up @@ -47,6 +49,8 @@ Example::
Note: as libmagic versions differ between installations, the returned
information may also slightly change. See also #437.

``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

filestore
---------

5 changes: 5 additions & 0 deletions doc/userguide/rules/http-keywords.rst
Expand Up @@ -839,3 +839,8 @@ Notes
pattern '<html' is absent from the first inspected chunk.

- ``file.data`` can also be used with SMTP

Multiple Buffer Matching
~~~~~~~~~~~~~~~~~~~~~~~~

``file.data`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
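
Review bot: this hunk documents only ``file.data``, yet the keyword list in multi-buffer-matching.rst in the same commit adds ``http.request_header`` and ``http.response_header``. Add the same "supports multiple buffer matching" sentence to those two keywords' sections in this file, otherwise a rule writer reading http-keywords.rst has no indication that they are multi-buffer keywords.
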
1 change: 1 addition & 0 deletions doc/userguide/rules/http2-keywords.rst
Expand Up @@ -109,6 +109,7 @@ Examples::

``http2.header_name`` can be used as ``fast_pattern``.

``http2.header_name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

Additional information
----------------------
2 changes: 2 additions & 0 deletions doc/userguide/rules/ike-keywords.rst
Expand Up @@ -84,6 +84,8 @@ Examples::

ike.vendor:4a131c81070358455c5728f20e95452f;

``ike.vendor`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.


ike.key_exchange_payload
------------------------
4 changes: 4 additions & 0 deletions doc/userguide/rules/kerberos-keywords.rst
Expand Up @@ -52,6 +52,8 @@ Signature example::

``krb5_cname`` can be used as ``fast_pattern``.

``krb5.cname`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

krb5_sname
----------
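
Review bot: the added sentence spells the keyword ``krb5.cname``, but the ``fast_pattern`` line just above it uses ``krb5_cname``, and so does the list in multi-buffer-matching.rst. Use the spelling this section documents, or say explicitly that both are accepted, so nobody copies a keyword name the page never defines.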

Expand All @@ -75,6 +77,8 @@ Signature example::

``krb5_sname`` can be used as ``fast_pattern``.

``krb5.sname`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

krb5_err_code
-------------
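
Review bot: the naming mismatch also appears in this hunk, where the new sentence says ``krb5.sname`` and the context line above it says ``krb5_sname``. Align it with whatever is decided for the cname note so the two sections stay consistent with each other and with the multi-buffer-matching.rst list.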

4 changes: 4 additions & 0 deletions doc/userguide/rules/mqtt-keywords.rst
Expand Up @@ -237,6 +237,8 @@ Examples::

``mqtt.subscribe.topic`` is a 'sticky buffer' and can be used as ``fast_pattern``.

``mqtt.subscribe.topic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.


mqtt.unsubscribe.topic
----------------------
Expand All @@ -249,6 +251,8 @@ Examples::

``mqtt.unsubscribe.topic`` is a 'sticky buffer' and can be used as ``fast_pattern``.

``mqtt.unsubscribe.topic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.


Additional information
----------------------
31 changes: 16 additions & 15 deletions doc/userguide/rules/multi-buffer-matching.rst
Expand Up @@ -74,18 +74,19 @@ not be met.
Multiple buffer matching is currently enabled for use with the
following keywords:

``dns.query``
``file.data``
``file.magic``
``file.name``
``http2.header``
``http2.header_name``
``ike.vendor``
``krb5_cname``
``krb5_sname``
``mqtt.subscribe.topic``
``mqtt.unsubscribe.topic``
``quic.cyu.hash``
``quic.cyu.string``
``tls.certs``
``tls.cert_subject``
* ``dns.query``
* ``file.data``
* ``file.magic``
* ``file.name``
* ``http.request_header``
* ``http.response_header``
* ``http2.header_name``
* ``ike.vendor``
* ``krb5_cname``
* ``krb5_sname``
* ``mqtt.subscribe.topic``
* ``mqtt.unsubscribe.topic``
* ``quic.cyu.hash``
* ``quic.cyu.string``
* ``tls.certs``
* ``tls.cert_subject``
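
Review bot: the bulleted version of the list does not have the same contents as the list it replaces. ``http2.header`` is no longer present, and ``http.request_header`` and ``http.response_header`` are new, none of which the commit message ("add multi buffer support note to keyword docs") mentions. Say in the commit message whether dropping ``http2.header`` is deliberate, since this list is where rule writers check which keywords support multiple buffer matching.
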
4 changes: 4 additions & 0 deletions doc/userguide/rules/quic-keywords.rst
Expand Up @@ -18,6 +18,8 @@ Examples::
quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; \
sid:1;)

``quic.cyu.hash`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

quic.cyu.string
---------------

Expand All @@ -29,6 +31,8 @@ Examples::
quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; \
sid:2;)

``quic.cyu.string`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

quic.version
------------

4 changes: 4 additions & 0 deletions doc/userguide/rules/tls-keywords.rst
Expand Up @@ -17,6 +17,8 @@ Examples::

``tls.cert_subject`` can be used as ``fast_pattern``.

``tls.cert_subject`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

tls.subject
~~~~~~~~~~~

Expand Down Expand Up @@ -174,6 +176,8 @@ Example::

``tls.certs`` can be used as ``fast_pattern``.

``tls.certs`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

tls.version
-----------

