author Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-19 17:39:49 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-19 17:39:49 +0000
commit a0aa2307322cd47bbf416810ac0292925e03be87 (patch)
tree 37076262a026c4b48c8a0e84f44ff9187556ca35 /doc/userguide/rules/ipaddr.rst
parent Initial commit. (diff)
Adding upstream version 1:7.0.3.
upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/userguide/rules/ipaddr.rst')
-rw-r--r-- doc/userguide/rules/ipaddr.rst 31
1 files changed, 31 insertions, 0 deletions
diff --git a/doc/userguide/rules/ipaddr.rst b/doc/userguide/rules/ipaddr.rst
new file mode 100644
index 0000000..c4e1953
--- /dev/null
+++ b/doc/userguide/rules/ipaddr.rst
@@ -0,0 +1,31 @@
+.. _ipaddr:
+
+IP Addresses Match
+==================
+
+Matching on IP addresses can be done via the IP tuple parameters or via the iprep keywords (see :doc:`/rules/ip-reputation-rules`).
+Some keywords providing interaction with datasets are also available.
+
+ip.src
+------
+
+The `ip.src` keyword is a sticky buffer to match on source IP address. It matches on the binary representation
+and is compatible with datasets of types `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound bad list"; flow:to_server; ip.src; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)
+
+ip.dst
+------
+
+The `ip.dst` keyword is a sticky buffer to match on destination IP address. It matches on the binary representation
+and is compatible with the dataset of type `ip` and `ipv4`.
+
+Example:
+
+::
+
+ alert tcp $HOME_NET any -> any any (msg:"Outbound bad list"; flow:to_server; ip.dst; dataset:isset,badips,type ip,load badips.list; sid:1; rev:1;)
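
Review bot: both example rules carry sid:1; rev:1 (the "Inbound bad list" rule under ip.src and the "Outbound bad list" rule under ip.dst), so a reader who copies both into one rule file ends up with two signatures sharing the same sid. Give the second example its own id, for example sid:2. In the ip.dst paragraph, "compatible with the dataset of type `ip` and `ipv4`" should match the ip.src wording, "compatible with datasets of types `ip` and `ipv4`". The keyword and dataset type names are written in single backticks, which reStructuredText treats as interpreted text rather than an inline literal; double backticks would render them as code.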