Documentation #5523: userguide: document the tcp-stream keyword - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #5523

open

Documentation #5182: userguide: better document rule keywords

userguide: document the tcp-stream keyword

Added by Juliana Fajardini Reichow over 1 year ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

The documentation mestions the tcp-stream keyword, but there is no
section dedicated to explain it, probably making it less known and used than it could be.

Brief explanation:
In order to tell Suricata to inspect the TCP stream as a whole, taking into consideration that TCP session splicing can happen, instead of using the 'tcp' keyword ('alert tcp...'), which will inspect both the specific packet and the stream, one should use 'tcp-stream' ('alert tcp-stream...').

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Documentation #5523

userguide: document the tcp-stream keyword