6. Suricata Rules

• 6.1. Rules Format
  • 6.1.1. Action
  • 6.1.2. Protocol
  • 6.1.3. Source and destination
  • 6.1.4. Ports (source and destination)
  • 6.1.5. Direction
  • 6.1.6. Rule options
    • 6.1.6.1. Modifier Keywords
    • 6.1.6.2. Normalized Buffers
• 6.2. Meta Keywords
  • 6.2.1. msg (message)
  • 6.2.2. sid (signature ID)
  • 6.2.3. rev (revision)
  • 6.2.4. gid (group ID)
  • 6.2.5. classtype
  • 6.2.6. reference
  • 6.2.7. priority
  • 6.2.8. metadata
  • 6.2.9. target
• 6.3. IP Keywords
  • 6.3.1. ttl
  • 6.3.2. ipopts
  • 6.3.3. sameip
  • 6.3.4. ip_proto
  • 6.3.5. ipv4.hdr
  • 6.3.6. ipv6.hdr
  • 6.3.7. id
  • 6.3.8. geoip
  • 6.3.9. fragbits (IP fragmentation)
  • 6.3.10. fragoffset
  • 6.3.11. tos
• 6.4. TCP keywords
  • 6.4.1. seq
  • 6.4.2. ack
  • 6.4.3. window
  • 6.4.4. tcp.mss
  • 6.4.5. tcp.hdr
• 6.5. UDP keywords
  • 6.5.1. udp.hdr
• 6.6. ICMP keywords
  • 6.6.1. itype
  • 6.6.2. icode
  • 6.6.3. icmp_id
  • 6.6.4. icmp_seq
  • 6.6.5. icmpv4.hdr
  • 6.6.6. icmpv6.hdr
  • 6.6.7. icmpv6.mtu
• 6.7. Payload Keywords
  • 6.7.1. content
  • 6.7.2. nocase
  • 6.7.3. depth
  • 6.7.4. startswith
  • 6.7.5. endswith
  • 6.7.6. offset
  • 6.7.7. distance
  • 6.7.8. within
  • 6.7.9. rawbytes
  • 6.7.10. isdataat
  • 6.7.11. bsize
  • 6.7.12. dsize
  • 6.7.13. byte_test
  • 6.7.14. byte_math
  • 6.7.15. byte_jump
  • 6.7.16. byte_extract
  • 6.7.17. rpc
  • 6.7.18. replace
  • 6.7.19. pcre (Perl Compatible Regular Expressions)
    • 6.7.19.1. Suricata’s modifiers
• 6.8. Changes from PCRE1 to PCRE2
• 6.9. Transformations
  • 6.9.1. dotprefix
  • 6.9.2. strip_whitespace
  • 6.9.3. compress_whitespace
  • 6.9.4. to_md5
  • 6.9.5. to_sha1
  • 6.9.6. to_sha256
  • 6.9.7. pcrexform
  • 6.9.8. url_decode
  • 6.9.9. xor
• 6.10. Prefiltering Keywords
  • 6.10.1. fast_pattern
    • 6.10.1.1. Suricata Fast Pattern Determination Explained
      • 6.10.1.1.1. Appendices
        • 6.10.1.1.1.1. Appendix A - Buffers, list_id values, and Registration Order for Suricata 1.3.4
        • 6.10.1.1.1.2. Appendix B - Buffers, list_id values, Priorities, and Registration Order for Suricata 2.0.7
        • 6.10.1.1.1.3. Appendix C - Pattern Strength Algorithm
    • 6.10.1.2. fast_pattern:only
    • 6.10.1.3. fast_pattern:’chop’
  • 6.10.2. prefilter
• 6.11. Flow Keywords
  • 6.11.1. flowbits
  • 6.11.2. flow
  • 6.11.3. flowint
  • 6.11.4. stream_size
• 6.12. Bypass Keyword
  • 6.12.1. bypass
• 6.13. HTTP Keywords
  • 6.13.1. HTTP Primer
  • 6.13.2. http.method
  • 6.13.3. http.uri and http.uri.raw
  • 6.13.4. uricontent
  • 6.13.5. urilen
  • 6.13.6. http.protocol
  • 6.13.7. http.request_line
  • 6.13.8. http.header and http.header.raw
  • 6.13.9. http.cookie
  • 6.13.10. http.user_agent
    • 6.13.10.1. Notes
  • 6.13.11. http.accept
  • 6.13.12. http.accept_enc
  • 6.13.13. http.accept_lang
  • 6.13.14. http.connection
  • 6.13.15. http.content_type
  • 6.13.16. http.content_len
  • 6.13.17. http.referer
  • 6.13.18. http.start
  • 6.13.19. http.header_names
  • 6.13.20. http.request_body
  • 6.13.21. http.stat_code
  • 6.13.22. http.stat_msg
  • 6.13.23. http.response_line
  • 6.13.24. http.response_body
    • 6.13.24.1. Notes
  • 6.13.25. http.server
  • 6.13.26. http.location
  • 6.13.27. http.host and http.host.raw
    • 6.13.27.1. Notes
  • 6.13.28. file_data
    • 6.13.28.1. Notes
• 6.14. File Keywords
  • 6.14.1. filename
  • 6.14.2. fileext
  • 6.14.3. filemagic
  • 6.14.4. filestore
  • 6.14.5. filemd5
  • 6.14.6. filesha1
  • 6.14.7. filesha256
  • 6.14.8. filesize
• 6.15. DNS Keywords
  • 6.15.1. dns.opcode
    • 6.15.1.1. Syntax
    • 6.15.1.2. Examples
  • 6.15.2. dns.query
    • 6.15.2.1. Normalized Buffer
• 6.16. SSL/TLS Keywords
  • 6.16.1. tls.cert_subject
  • 6.16.2. tls.cert_issuer
  • 6.16.3. tls.cert_serial
  • 6.16.4. tls.cert_fingerprint
  • 6.16.5. tls.sni
  • 6.16.6. tls_cert_notbefore
  • 6.16.7. tls_cert_notafter
  • 6.16.8. tls_cert_expired
  • 6.16.9. tls_cert_valid
  • 6.16.10. tls.certs
  • 6.16.11. tls.version
  • 6.16.12. ssl_version
  • 6.16.13. tls.subject
  • 6.16.14. tls.issuerdn
  • 6.16.15. tls.fingerprint
  • 6.16.16. tls.store
  • 6.16.17. ssl_state
• 6.17. SSH Keywords
  • 6.17.1. ssh.proto
  • 6.17.2. ssh.software
  • 6.17.3. ssh.protoversion
  • 6.17.4. ssh.softwareversion
  • 6.17.5. ssh.hassh
  • 6.17.6. ssh.hassh.string
  • 6.17.7. ssh.hassh.server
  • 6.17.8. ssh.hassh.server.string
• 6.18. JA3 Keywords
  • 6.18.1. ja3.hash
  • 6.18.2. ja3.string
  • 6.18.3. ja3s.hash
  • 6.18.4. ja3s.string
• 6.19. Modbus Keyword
• 6.20. DCERPC Keywords
  • 6.20.1. dcerpc.iface
  • 6.20.2. dcerpc.opnum
  • 6.20.3. dcerpc.stub_data
  • 6.20.4. Additional information
• 6.21. DNP3 Keywords
  • 6.21.1. dnp3_func
    • 6.21.1.1. Syntax
  • 6.21.2. dnp3_ind
    • 6.21.2.1. Syntax
    • 6.21.2.2. Examples
  • 6.21.3. dnp3_obj
    • 6.21.3.1. Syntax
  • 6.21.4. dnp3_data
    • 6.21.4.1. Syntax
    • 6.21.4.2. Example
• 6.22. ENIP/CIP Keywords
• 6.23. FTP/FTP-DATA Keywords
  • 6.23.1. ftpdata_command
  • 6.23.2. ftpbounce
• 6.24. Kerberos Keywords
  • 6.24.1. krb5_msg_type
  • 6.24.2. krb5_cname
  • 6.24.3. krb5_sname
  • 6.24.4. krb5_err_code
  • 6.24.5. krb5.weak_encryption (event)
  • 6.24.6. krb5.malformed_data (event)
• 6.25. SNMP keywords
  • 6.25.1. snmp.version
  • 6.25.2. snmp.community
  • 6.25.3. snmp.pdu_type
• 6.26. Base64 keywords
  • 6.26.1. base64_decode
  • 6.26.2. base64_data
  • 6.26.3. Example
• 6.27. SIP Keywords
  • 6.27.1. sip.method
    • 6.27.1.1. Syntax
    • 6.27.1.2. Examples
  • 6.27.2. sip.uri
    • 6.27.2.1. Syntax
    • 6.27.2.2. Examples
  • 6.27.3. sip.request_line
    • 6.27.3.1. Syntax
    • 6.27.3.2. Examples
  • 6.27.4. sip.stat_code
    • 6.27.4.1. Syntax
    • 6.27.4.2. Examples
  • 6.27.5. sip.stat_msg
    • 6.27.5.1. Syntax
    • 6.27.5.2. Examples
  • 6.27.6. sip.response_line
    • 6.27.6.1. Syntax
    • 6.27.6.2. Examples
  • 6.27.7. sip.protocol
    • 6.27.7.1. Syntax
    • 6.27.7.2. Example
• 6.28. RFB Keywords
  • 6.28.1. rfb.name
  • 6.28.2. rfb.secresult
  • 6.28.3. rfb.sectype
  • 6.28.4. Additional information
• 6.29. MQTT Keywords
  • 6.29.1. mqtt.protocol_version
  • 6.29.2. mqtt.type
  • 6.29.3. mqtt.flags
  • 6.29.4. mqtt.qos
  • 6.29.5. mqtt.reason_code
  • 6.29.6. mqtt.connack.session_present
  • 6.29.7. mqtt.connect.clientid
  • 6.29.8. mqtt.connect.flags
  • 6.29.9. mqtt.connect.password
  • 6.29.10. mqtt.connect.username
  • 6.29.11. mqtt.connect.willmessage
  • 6.29.12. mqtt.connect.willtopic
  • 6.29.13. mqtt.publish.message
  • 6.29.14. mqtt.publish.topic
  • 6.29.15. mqtt.subscribe.topic
  • 6.29.16. mqtt.unsubscribe.topic
  • 6.29.17. Additional information
• 6.30. IKE Keywords
  • 6.30.1. ike.init_spi, ike.resp_spi
  • 6.30.2. ike.chosen_sa_attribute
  • 6.30.3. ike.exchtype
  • 6.30.4. ike.vendor
  • 6.30.5. ike.key_exchange_payload
  • 6.30.6. ike.key_exchange_payload_length
  • 6.30.7. ike.nonce_payload
  • 6.30.8. ike.nonce_payload_length
  • 6.30.9. Additional information
• 6.31. HTTP2 Keywords
  • 6.31.1. http2.frametype
  • 6.31.2. http2.errorcode
  • 6.31.3. http2.priority
  • 6.31.4. http2.window
  • 6.31.5. http2.size_update
  • 6.31.6. http2.settings
  • 6.31.7. http2.header_name
  • 6.31.8. http2.header
  • 6.31.9. Additional information
• 6.32. Quic Keywords
  • 6.32.1. quic.cyu.hash
  • 6.32.2. quic.cyu.string
  • 6.32.3. quic.version
  • 6.32.4. Additional information
• 6.33. Generic App Layer Keywords
  • 6.33.1. app-layer-protocol
    • 6.33.1.1. Bail out conditions
  • 6.33.2. app-layer-event
    • 6.33.2.1. Protocol Detection
      • 6.33.2.1.1. applayer_mismatch_protocol_both_directions
      • 6.33.2.1.2. applayer_wrong_direction_first_data
      • 6.33.2.1.3. applayer_detect_protocol_only_one_direction
      • 6.33.2.1.4. applayer_proto_detection_skipped
• 6.34. Xbits Keyword
  • 6.34.1. Notes
    • 6.34.1.1. YAML settings
    • 6.34.1.2. Threading
    • 6.34.1.3. Unix Socket
    • 6.34.1.4. Examples
      • 6.34.1.4.1. Creating a SSH blacklist
• 6.35. Thresholding Keywords
  • 6.35.1. threshold
    • 6.35.1.1. type “threshold”
    • 6.35.1.2. type “limit”
    • 6.35.1.3. type “both”
  • 6.35.2. detection_filter
• 6.36. IP Reputation Keyword
  • 6.36.1. iprep
    • 6.36.1.1. IP-only
• 6.37. Config Rules
  • 6.37.1. Keyword
  • 6.37.2. Action
• 6.38. Datasets
  • 6.38.1. Global config (optional)
  • 6.38.2. Rule keywords
    • 6.38.2.1. dataset
    • 6.38.2.2. datarep
  • 6.38.3. Rule Reloads
  • 6.38.4. Unix Socket
    • 6.38.4.1. dataset-add
    • 6.38.4.2. dataset-remove
  • 6.38.5. File formats
    • 6.38.5.1. data types
    • 6.38.5.2. dataset
    • 6.38.5.3. datarep
• 6.39. Lua Scripting for Detection
  • 6.39.1. Init function
  • 6.39.2. Match function
• 6.40. Differences From Snort
  • 6.40.1. Automatic Protocol Detection
  • 6.40.2. urilen Keyword
  • 6.40.3. http_uri Buffer
  • 6.40.4. http_header Buffer
  • 6.40.5. http_cookie Buffer
  • 6.40.6. New HTTP keywords
  • 6.40.7. byte_extract Keyword
  • 6.40.8. isdataat Keyword
  • 6.40.9. Relative PCRE
  • 6.40.10. tls* Keywords
  • 6.40.11. dns_query Keyword
  • 6.40.12. IP Reputation and iprep Keyword
  • 6.40.13. Flowbits
  • 6.40.14. flowbits:noalert;
  • 6.40.15. Negated Content Match Special Case
  • 6.40.16. File Extraction
  • 6.40.17. Lua Scripting
  • 6.40.18. Fast Pattern
  • 6.40.19. Don’t Cross The Streams
  • 6.40.20. Alerts
  • 6.40.21. Buffer Reference Chart