Documentation #5543
openuserguide: document which keywords accept the prefilter keyword
Description
Using
$ suricata --list-keywords=all
will give a list of possible rules that feature prefilter.
For example:
tcp.mss:
Description: match on TCP MSS option field
Features: prefilter
Documentation: https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss
Updated by Juliana Fajardini Reichow over 1 year ago
suricata --list-keywords=csv|grep prefilter ==
app-layer-protocol;match on the detected app-layer protocol;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/app-layer.html#app-layer-protocol;
tcp.ack;check for a specific TCP acknowledgement number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ack;
tcp.seq;check for a specific TCP sequence number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#seq;
tcp.flags;detect which flags are set in the TCP header;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags;
fragbits;check if the fragmentation and reserved bits are set in the IP header;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragbits-ip-fragmentation;
fragoffset;match on specific decimal values of the IP fragment offset field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragoffset;
ttl;check for a specific IP time-to-live value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ttl;
itype;match on a specific ICMP type;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#itype;
icode;match on specific ICMP id-value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icode;
icmp_id;check for a ICMP ID;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-id;
icmp_seq;check for a ICMP sequence number;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-seq;
dsize;match on the size of the packet payload;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#dsize;
flow;match on direction and state of the flow;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#flow;
fast_pattern;force using preceding content in the multi pattern matcher;Unset;none;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#fast-pattern;
id;match on a specific IP ID value;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#id;
stream_size;match on amount of bytes of a stream;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#stream-size;
template2;TODO describe the keyword;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#template2;
icmpv6.mtu;match on ICMPv6 MTU field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmpv6mtu;
tcp.mss;match on TCP MSS option field;Unset;prefilter;https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss;
prefilter;force a condition to be used as prefilter;Unset;No option;https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#prefilter;
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Optimization #5545: prefilter keyword: increase code coverage added
Updated by Juliana Fajardini Reichow over 1 year ago
- Affected Versions 8.0.0-beta1 added
Updated by Juliana Fajardini Reichow over 1 year ago
- Target version changed from TBD to 8.0.0-beta1
- Affected Versions git master added
- Affected Versions deleted (
8.0.0-beta1)
Updated by Victor Julien 3 months ago
- Assignee changed from Juliana Fajardini Reichow to OISF Dev