Documentation #5543

open

userguide: document which keywords accept the prefilter keyword

Added by Juliana Fajardini Reichow about 2 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using

$ suricata --list-keywords=all

will give a list of possible rules that feature prefilter.

For example:

tcp.mss:
Description: match on TCP MSS option field
Features: prefilter
Documentation: https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss

Related issues: 1 (1 open, 0 closed)

Related to Suricata - Optimization #5545: prefilter keyword: increase code coverage (New, Community Ticket)
Actions #1

Updated by Juliana Fajardini Reichow about 2 years ago

suricata --list-keywords=csv|grep prefilter ==

app-layer-protocol;match on the detected app-layer protocol;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/app-layer.html#app-layer-protocol;
tcp.ack;check for a specific TCP acknowledgement number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ack;
tcp.seq;check for a specific TCP sequence number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#seq;
tcp.flags;detect which flags are set in the TCP header;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags;
fragbits;check if the fragmentation and reserved bits are set in the IP header;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragbits-ip-fragmentation;
fragoffset;match on specific decimal values of the IP fragment offset field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragoffset;
ttl;check for a specific IP time-to-live value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ttl;
itype;match on a specific ICMP type;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#itype;
icode;match on specific ICMP id-value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icode;
icmp_id;check for a ICMP ID;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-id;
icmp_seq;check for a ICMP sequence number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-seq;
dsize;match on the size of the packet payload;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#dsize;
flow;match on direction and state of the flow;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#flow;
fast_pattern;force using preceding content in the multi pattern matcher;Unset;none;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#fast-pattern;
id;match on a specific IP ID value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#id;
stream_size;match on amount of bytes of a stream;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#stream-size;
template2;TODO describe the keyword;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#template2;
icmpv6.mtu;match on ICMPv6 MTU field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmpv6mtu;
tcp.mss;match on TCP MSS option field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss;
prefilter;force a condition to be used as prefilter;Unset;No option;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#prefilter;
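An added example, not part of the ticket or of Suricata itself: a field-aware parser for the csv listing quoted above. It reports a keyword only when its features column contains prefilter, so rows that a plain `grep prefilter` picks up because the word appears in the keyword name or the documentation URL (the `prefilter` keyword's own row, `fast_pattern`) are left out. The column order (name;description;app layer;features;documentation) is assumed from the quoted lines, as is comma separation when a features column lists several values.

```python
import csv
from io import StringIO

# Constructed sample: a subset of the `suricata --list-keywords=csv` lines quoted in
# the ticket. Column order assumed from those lines; each line ends with a trailing ';'.
SAMPLE_CSV = """\
app-layer-protocol;match on the detected app-layer protocol;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/app-layer.html#app-layer-protocol;
tcp.flags;detect which flags are set in the TCP header;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags;
fast_pattern;force using preceding content in the multi pattern matcher;Unset;none;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#fast-pattern;
tcp.mss;match on TCP MSS option field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss;
prefilter;force a condition to be used as prefilter;Unset;No option;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#prefilter;
"""

FIELDS = ("name", "description", "app_layer", "features", "documentation")


def parse_keyword_csv(text):
    """Parse the semicolon-separated keyword listing into one dict per keyword."""
    rows = []
    for fields in csv.reader(StringIO(text), delimiter=";"):
        if not fields or not fields[0].strip():
            continue  # blank line
        # The trailing ';' produces an empty last field; keep only the known columns.
        row = dict(zip(FIELDS, (f.strip() for f in fields[:len(FIELDS)])))
        # Assumption: several features would be comma-separated; normalise to a set.
        row["features"] = {f.strip().lower() for f in row["features"].split(",") if f.strip()}
        rows.append(row)
    return rows


def prefilter_keywords(text):
    """Keywords whose *features* column lists prefilter (the ones the userguide should document)."""
    return sorted(r["name"] for r in parse_keyword_csv(text) if "prefilter" in r["features"])


def grep_prefilter(text):
    """The naive check from the ticket for comparison: any line containing 'prefilter'."""
    return sorted(line.split(";")[0] for line in text.splitlines() if "prefilter" in line)


if __name__ == "__main__":
    print("features=prefilter:", prefilter_keywords(SAMPLE_CSV))
    print("grep prefilter:    ", grep_prefilter(SAMPLE_CSV))
```

On the full csv output the difference is the same two rows: the `prefilter` keyword itself (features "No option") and `fast_pattern` (features "none").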

Actions #2

Updated by Juliana Fajardini Reichow about 2 years ago

Actions #3

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Affected Versions 8.0.0-beta1 added
Actions #4

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Target version changed from TBD to 8.0.0-beta1
  • Affected Versions git master added
  • Affected Versions deleted (8.0.0-beta1)
Actions #5

Updated by Victor Julien 10 months ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev