diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:40:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:40:14 +0000 |
| commit | 2c370a1dd70130d82e9222945ff2421a4168e640 (patch) | |
| tree | 670794b3ba895e1a01c834c5b7881d123eb46f38 /doc/userguide/rules/payload-keywords.rst | |
| parent | Adding debian version 1:7.0.3-1. (diff) | |
| download | suricata-2c370a1dd70130d82e9222945ff2421a4168e640.tar.xz suricata-2c370a1dd70130d82e9222945ff2421a4168e640.zip | |
Merging upstream version 1:7.0.4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
| -rw-r--r-- | doc/userguide/rules/payload-keywords.rst | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 9a609a2..086e11c 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -282,7 +282,7 @@ precision to the content match, previously this could have been done with ``isda An optional operator can be specified; if no operator is present, the operator will default to '='. When a relational operator is used, e.g., '<', '>' or '<>' (range), -the bsize value will be compared using the relational operator. Ranges are inclusive. +the bsize value will be compared using the relational operator. Ranges are exclusive. If one or more ``content`` keywords precedes ``bsize``, each occurrence of ``content`` will be inspected and an error will be raised if the content length and the bsize @@ -325,6 +325,9 @@ Examples of ``bsize`` in a rule: alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"middle"; bsize:6<>15; sid:126; rev:1;) +To emphasize how range works: in the example above, a match will occur if +``bsize`` is greater than 6 and less than 15. + dsize ----- |