Open Information Security Foundation
https://redmine.openinfosecfoundation.org/

Suricata - Documentation #5543: userguide: document which keywords accept the prefilter keyword
https://redmine.openinfosecfoundation.org/issues/5543?journal_id=24507
2022-09-19T13:21:33Z
Juliana Fajardini Reichow
<p>suricata --list-keywords=csv|grep prefilter ==</p>
<p>app-layer-protocol;match on the detected app-layer protocol;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/app-layer.html#app-layer-protocol;">https://suricata.readthedocs.io/en/latest/rules/app-layer.html#app-layer-protocol;</a><br />tcp.ack;check for a specific TCP acknowledgement number;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ack;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ack;</a><br />tcp.seq;check for a specific TCP sequence number;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#seq;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#seq;</a><br />tcp.flags;detect which flags are set in the TCP header;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags;</a><br />fragbits;check if the fragmentation and reserved bits are set in the IP header;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragbits-ip-fragmentation;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragbits-ip-fragmentation;</a><br />fragoffset;match on specific decimal values of the IP fragment offset field;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragoffset;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#fragoffset;</a><br />ttl;check for a specific IP time-to-live value;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ttl;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#ttl;</a><br />itype;match on a specific ICMP type;Unset;prefilter;<a class="external" 
href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#itype;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#itype;</a><br />icode;match on specific ICMP id-value;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icode;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icode;</a><br />icmp_id;check for a ICMP ID;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-id;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-id;</a><br />icmp_seq;check for a ICMP sequence number;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-seq;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmp-seq;</a><br />dsize;match on the size of the packet payload;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#dsize;">https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#dsize;</a><br />flow;match on direction and state of the flow;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#flow;">https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#flow;</a><br />fast_pattern;force using preceding content in the multi pattern matcher;Unset;none;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#fast-pattern;">https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#fast-pattern;</a><br />id;match on a specific IP ID value;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#id;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#id;</a><br />stream_size;match on amount of bytes of a stream;Unset;prefilter;<a 
class="external" href="https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#stream-size;">https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html#stream-size;</a><br />template2;TODO describe the keyword;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#template2;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#template2;</a><br />icmpv6.mtu;match on ICMPv6 MTU field;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmpv6mtu;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#icmpv6mtu;</a><br />tcp.mss;match on TCP MSS option field;Unset;prefilter;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss;">https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcpmss;</a><br />prefilter;force a condition to be used as prefilter;Unset;No option;<a class="external" href="https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#prefilter;">https://suricata.readthedocs.io/en/latest/rules/prefilter-keywords.html#prefilter;</a></p>

Suricata - Documentation #5543: userguide: document which keywords accept the prefilter keyword
https://redmine.openinfosecfoundation.org/issues/5543?journal_id=24508
2022-09-19T14:51:12Z
Juliana Fajardini Reichow
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-1 priority-4 priority-default" href="/issues/5545">Optimization #5545</a>: prefilter keyword: increase code coverage</i> added</li></ul>

Suricata - Documentation #5543: userguide: document which keywords accept the prefilter keyword
https://redmine.openinfosecfoundation.org/issues/5543?journal_id=26009
2022-12-07T11:32:22Z
Juliana Fajardini Reichow
<ul><li><strong>Affected Versions</strong> <i>8.0.0-beta1</i> added</li></ul>

Suricata - Documentation #5543: userguide: document which keywords accept the prefilter keyword
https://redmine.openinfosecfoundation.org/issues/5543?journal_id=26010
2022-12-07T11:33:14Z
Juliana Fajardini Reichow
<ul><li><strong>Target version</strong> changed from <i>TBD</i> to <i>8.0.0-beta1</i></li><li><strong>Affected Versions</strong> <i>git master</i> added</li><li><strong>Affected Versions</strong> deleted (<del><i>8.0.0-beta1</i></del>)</li></ul>

Suricata - Documentation #5543: userguide: document which keywords accept the prefilter keyword
https://redmine.openinfosecfoundation.org/issues/5543?journal_id=31813
2024-01-08T14:32:28Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Assignee</strong> changed from <i>Juliana Fajardini Reichow</i> to <i>OISF Dev</i></li></ul>