4. Suricata Rules

• 4.1. Rules Format
  • 4.1.1. Action
  • 4.1.2. Protocol
  • 4.1.3. Source and destination
  • 4.1.4. Ports (source and destination)
  • 4.1.5. Direction
  • 4.1.6. Rule options
    • 4.1.6.1. Modifier Keywords
    • 4.1.6.2. Normalized Buffers
• 4.2. Meta Keywords
  • 4.2.1. msg (message)
  • 4.2.2. sid (signature ID)
  • 4.2.3. rev (revision)
  • 4.2.4. gid (group ID)
  • 4.2.5. classtype
  • 4.2.6. reference
  • 4.2.7. priority
  • 4.2.8. metadata
  • 4.2.9. target
• 4.3. IP Keywords
  • 4.3.1. ttl
  • 4.3.2. ipopts
  • 4.3.3. sameip
  • 4.3.4. ip_proto
  • 4.3.5. id
  • 4.3.6. geoip
  • 4.3.7. fragbits (IP fragmentation)
  • 4.3.8. fragoffset
• 4.4. TCP keywords
  • 4.4.1. seq
  • 4.4.2. ack
  • 4.4.3. window
• 4.5. ICMP keywords
  • 4.5.1. itype
  • 4.5.2. icode
  • 4.5.3. icmp_id
  • 4.5.4. icmp_seq
• 4.6. Payload Keywords
  • 4.6.1. content
  • 4.6.2. nocase
  • 4.6.3. depth
  • 4.6.4. startswith
  • 4.6.5. offset
  • 4.6.6. distance
  • 4.6.7. within
  • 4.6.8. isdataat
  • 4.6.9. dsize
  • 4.6.10. rpc
  • 4.6.11. replace
  • 4.6.12. pcre (Perl Compatible Regular Expressions)
    • 4.6.12.1. Suricata’s modifiers
• 4.7. Prefiltering Keywords
  • 4.7.1. fast_pattern
    • 4.7.1.1. Suricata Fast Pattern Determination Explained
      • 4.7.1.1.1. Appendices
        • 4.7.1.1.1.1. Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4
        • 4.7.1.1.1.2. Appendix B - Buffers, list_id values, Priorities, and Registration Order for Suricata 2.0.7
        • 4.7.1.1.1.3. Appendix C - Pattern Strength Algorithm
    • 4.7.1.2. fast_pattern:only
    • 4.7.1.3. fast_pattern:’chop’
  • 4.7.2. prefilter
• 4.8. Flow Keywords
  • 4.8.1. flowbits
  • 4.8.2. flow
  • 4.8.3. flowint
  • 4.8.4. stream_size
• 4.9. HTTP Keywords
  • 4.9.1. HTTP Primer
  • 4.9.2. http_method
  • 4.9.3. http_uri and http_raw_uri
  • 4.9.4. uricontent
  • 4.9.5. urilen
  • 4.9.6. http_protocol
  • 4.9.7. http_request_line
  • 4.9.8. http_header and http_raw_header
  • 4.9.9. http_cookie
  • 4.9.10. http_user_agent
    • 4.9.10.1. Notes
  • 4.9.11. http_accept
  • 4.9.12. http_accept_enc
  • 4.9.13. http_accept_lang
  • 4.9.14. http_connection
  • 4.9.15. http_content_type
  • 4.9.16. http_content_len
  • 4.9.17. http_referer
  • 4.9.18. http_start
  • 4.9.19. http_header_names
  • 4.9.20. http_client_body
  • 4.9.21. http_stat_code
  • 4.9.22. http_stat_msg
  • 4.9.23. http_response_line
  • 4.9.24. http_server_body
    • 4.9.24.1. Notes
  • 4.9.25. http_host and http_raw_host
    • 4.9.25.1. Notes
  • 4.9.26. file_data
    • 4.9.26.1. Notes
• 4.10. File Keywords
  • 4.10.1. filename
  • 4.10.2. fileext
  • 4.10.3. filemagic
  • 4.10.4. filestore
  • 4.10.5. filemd5
  • 4.10.6. filesha1
  • 4.10.7. filesha256
  • 4.10.8. filesize
• 4.11. DNS Keywords
  • 4.11.1. dns_query
    • 4.11.1.1. Normalized Buffer
• 4.12. SSL/TLS Keywords
  • 4.12.1. tls_cert_subject
  • 4.12.2. tls_cert_issuer
  • 4.12.3. tls_cert_serial
  • 4.12.4. tls_cert_fingerprint
  • 4.12.5. tls_sni
  • 4.12.6. tls_cert_notbefore
  • 4.12.7. tls_cert_notafter
  • 4.12.8. tls_cert_expired
  • 4.12.9. tls_cert_valid
  • 4.12.10. tls.version
  • 4.12.11. tls.subject
  • 4.12.12. tls.issuerdn
  • 4.12.13. tls.fingerprint
  • 4.12.14. tls.store
  • 4.12.15. ssl_state
• 4.13. JA3 Keywords
  • 4.13.1. ja3_hash
  • 4.13.2. ja3_string
• 4.14. Modbus Keyword
• 4.15. DNP3 Keywords
  • 4.15.1. dnp3_func
    • 4.15.1.1. Syntax
  • 4.15.2. dnp3_ind
    • 4.15.2.1. Syntax
    • 4.15.2.2. Examples
  • 4.15.3. dnp3_obj
    • 4.15.3.1. Syntax
  • 4.15.4. dnp3_data
    • 4.15.4.1. Syntax
    • 4.15.4.2. Example
• 4.16. ENIP/CIP Keywords
• 4.17. FTP/FTP-DATA Keywords
  • 4.17.1. ftpdata_command
  • 4.17.2. ftpbounce
• 4.18. Generic App Layer Keywords
  • 4.18.1. app-layer-protocol
    • 4.18.1.1. Bail out conditions
  • 4.18.2. app-layer-event
    • 4.18.2.1. Protocol Detection
      • 4.18.2.1.1. applayer_mismatch_protocol_both_directions
      • 4.18.2.1.2. applayer_wrong_direction_first_data
      • 4.18.2.1.3. applayer_detect_protocol_only_one_direction
      • 4.18.2.1.4. applayer_proto_detection_skipped
• 4.19. Xbits Keyword
  • 4.19.1. Notes
    • 4.19.1.1. YAML settings
    • 4.19.1.2. Threading
    • 4.19.1.3. Unix Socket
    • 4.19.1.4. Examples
      • 4.19.1.4.1. Creating a SSH blacklist
• 4.20. Thresholding Keywords
  • 4.20.1. threshold
    • 4.20.1.1. type “threshold”
    • 4.20.1.2. type “limit”
    • 4.20.1.3. type “both”
  • 4.20.2. detection_filter
• 4.21. IP Reputation Keyword
  • 4.21.1. iprep
    • 4.21.1.1. IP-only
• 4.22. Lua Scripting
  • 4.22.1. Init function
  • 4.22.2. Match function
• 4.23. Differences From Snort
  • 4.23.1. Automatic Protocol Detection
  • 4.23.2. urilen Keyword
  • 4.23.3. http_uri Buffer
  • 4.23.4. http_header Buffer
  • 4.23.5. http_cookie Buffer
  • 4.23.6. New HTTP keywords
  • 4.23.7. byte_extract Keyword
  • 4.23.8. isdataat Keyword
  • 4.23.9. Relative PCRE
  • 4.23.10. tls* Keywords
  • 4.23.11. dns_query Keyword
  • 4.23.12. IP Reputation and iprep Keyword
  • 4.23.13. Flowbits
  • 4.23.14. flowbits:noalert;
  • 4.23.15. Negated Content Match Special Case
  • 4.23.16. File Extraction
  • 4.23.17. Lua Scripting
  • 4.23.18. Fast Pattern
  • 4.23.19. Don’t Cross The Streams
  • 4.23.20. Alerts
  • 4.23.21. Buffer Reference Chart